Privacy Policy
Effective Date: April 27, 2026
Introduction
At Overwatch ASM, operated by Gibborim Offensive Security, LLC, we value your trust and are committed to safeguarding your information. This Privacy Policy explains how we collect, use, store, and protect data when you interact with our platform, services, and website. We collect only the information necessary to operate the Service, provide security insights, and improve the user experience.
Personal Information
We may collect personal information such as your name, email address, and account details when you register or interact with the Service. This information is used to provide access, support, communication, and service-related functionality. We take reasonable measures to protect your information through secure handling and industry-standard safeguards.
Non-Personal Information
We may collect technical information such as browser type, device information, IP address, and usage data. This information helps us understand platform usage, improve performance, and enhance the overall user experience. We do not use this data to identify individual users; note that IP addresses may be treated as personal data under some laws, including the GDPR, and we handle them accordingly.
Data Related to Scanning
When you submit domains or assets to Overwatch ASM, we may collect and process publicly accessible information related to those assets. This includes data gathered through external reconnaissance, scanning, and analysis, such as subdomains, open ports, certificate details, web application metadata, cloud asset exposure, and vulnerability findings. We store scan results and related metadata to provide reporting, historical tracking, and continuous monitoring. We do not access private systems or bypass authentication controls. Scanning is scoped to the domains and assets you submit and authorize, including subdomains discovered under those domains; we do not scan assets outside that scope.
Access Control and Role-Based Permissions
The platform implements role-based access control (RBAC) at multiple levels so that your data is accessible only to authorized personnel.
Organization Members can view scan results and reports for assets belonging to their organization.
Organization Admins can invite members, manage organization settings, configure scan targets, and control access within the organization, including configuring and enforcing Multi-Factor Authentication (MFA) for all members.
Platform Admins are Gibborim Offensive Security personnel responsible for platform-wide administration. They do not access customer scan data except where required for support, incident response, or legal obligation.
You are responsible for ensuring that only authorized personnel are granted access to your account.
Multi-Factor Authentication
The platform supports multi-factor authentication (MFA) for all accounts. TOTP authenticator apps are the primary supported method, with email OTP available as a backup. MFA can be configured and enforced across an organization by Organization Admins. We strongly recommend enabling MFA on all accounts, using a TOTP authenticator app wherever possible.
Third-Party Subprocessors
We use trusted third-party service providers to operate the platform. We have executed Data Processing Agreements with each of our subprocessors consistent with applicable data protection law. Our current subprocessors are:
DigitalOcean, LLC — Infrastructure and hosting. The platform runs on DigitalOcean App Platform. Scan workloads execute on Droplets provisioned on demand and terminated on scan completion. Customer data is stored in a managed PostgreSQL database accessible only via internal private networking with no public internet exposure. Privacy policy: digitalocean.com/legal/privacy-policy.
Stripe, Inc. — Payment processing. All subscription payments are handled by Stripe under their PCI-DSS compliance program. We do not receive or store full payment card details. Privacy policy: stripe.com/privacy.
Anthropic, PBC — AI inference. We use Claude Sonnet and Claude Opus models for AI-assisted vulnerability analysis, finding triage, risk scoring, and executive report generation. Scan findings and technical metadata are transmitted to Anthropic's API for processing. We do not submit personally identifiable information about your users to Anthropic — only technical scan data is processed. Privacy policy: anthropic.com/privacy.
We will update this list when our subprocessors change.
Data Sharing
We do not sell your personal information. Beyond the subprocessors identified above, we may share limited data only when required by applicable law, court order, or valid legal process, or to protect the rights, property, or safety of Gibborim Offensive Security, its customers, or the public.
Data Retention
We retain data for as long as your account is active or as necessary to provide the Service. You may request deletion of your data at any time, subject to any legal or operational obligations. Upon account termination, we will delete or anonymize your data within a reasonable period.
Security
We implement reasonable administrative, technical, and organizational safeguards to protect your information, including encrypted data transmission (HTTPS/TLS), industry-standard encryption for stored data, role-based access controls, and multi-factor authentication. Customer data is stored on DigitalOcean's managed PostgreSQL infrastructure, which includes automated daily backups and point-in-time recovery. Platform services are hosted on DigitalOcean App Platform with built-in redundancy. In the event of a confirmed security incident involving your organization's data, we will notify affected customers within 72 hours of becoming aware of the incident via the email address associated with your account. No system can be guaranteed to be completely secure.
Your Rights
You may request access to, correction of, or deletion of your personal information at any time. If you are located in the European Economic Area or United Kingdom, you have additional rights under the GDPR, including the right to restrict processing, data portability, and the right to lodge a complaint with your local supervisory authority. If you are a California resident, you have rights under the CCPA, including the right to know, delete, and opt out of the sale of personal information; we do not sell personal information. To exercise any of these rights, contact us at contact@gibborimoffsec.com.
Content Liability
We are not responsible for any data, assets, or content submitted by users or obtained from third-party sources. While we strive to provide accurate and useful insights, we cannot guarantee the completeness, accuracy, or reliability of all data processed by the Service. Users are responsible for ensuring they have proper authorization for all assets submitted for scanning.
Cookies and Tracking
We use cookies and similar technologies to maintain session functionality, improve user experience, and analyze platform usage. You may manage or disable cookies through your browser settings; however, some features of the Service may not function properly without them. By using the Service, you consent to the use of cookies as described in this policy.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via the email address associated with your account or via an in-platform notice prior to the changes taking effect. Continued use of the Service after updates constitutes acceptance of the revised policy.
Contact Us
If you have any questions or concerns about this Privacy Policy, please contact us at:
contact@gibborimoffsec.com
gibborimoffsec.com
Security disclosures: security@gibborimoffsec.com