Glossary

What Is GDPR?

GDPR (General Data Protection Regulation, EU 2016/679) is the EU's data-protection law in force since 25 May 2018. Article 32 requires controllers and processors to implement technical and organisational measures to ensure security — including, where appropriate, regular testing, assessing and evaluating the effectiveness of those measures.

Article 32 and security of processing

Article 32(1)(d) explicitly requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." For systems processing personal data, this is the regulatory hook for pentesting. Article 32(1)(a)-(c) cover, respectively, pseudonymisation and encryption; the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and the ability to restore availability and access to personal data in a timely manner after a physical or technical incident. Findings from an external attack-surface scan most often map to (a) and (b), for example missing or weak transport encryption, or an exposed service that undermines confidentiality.

Personal data breach obligations

Article 33: notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a processor must notify the controller without undue delay. Article 34: notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Article 83 sets two fine tiers: infringements of Articles 32 to 34 fall under Article 83(4), up to €10M or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher; the top tier of €20M or 4% under Article 83(5) applies to breaches of the core processing principles, data-subject rights and international-transfer rules.

SQUR and GDPR

SQUR data residency is GCP europe-west1 (Belgium) and europe-west3 (Frankfurt). Scan reports are encrypted at rest in Firestore. Customer scan-target URLs and authentication tokens are stored encrypted in Secret Manager under customer-rotatable keys. Retention defaults to 90 days after report delivery. A data-processing agreement (DPA) is available on request. We do not use customer scan data to train models.

Frequently asked questions

Does GDPR require penetration testing?

Article 32 does not mandate penetration testing by name; it requires "a process for regularly testing, assessing and evaluating" the effectiveness of security measures. In practice, supervisory-authority guidance and approved codes of conduct treat penetration testing and vulnerability scanning as expected ways to satisfy this obligation, particularly for systems handling special-category or otherwise sensitive personal data.

What's a DPA?

Data Processing Agreement: the contractual instrument Article 28(3) requires when a controller engages a processor to handle personal data on its behalf. SQUR's DPA covers the standard processor obligations: processing only on documented instructions, confidentiality of personnel, Article 32 security measures, prior authorisation of sub-processors, assistance with data-subject requests and breach notification, deletion or return of data at the end of the service, and audit cooperation.

Related terms

DORA
NIS2
ISO 27001
Penetration Testing

Try SQUR

60-second free attack-surface scan. No signup, no credit card.

Run a free scan