Security, privacy & GDPR
How BLACKEYES protects investigation data, complies with UK GDPR, and keeps every report private to the account that ran it.
Six operating principles
These govern how the platform is built and how data flows through it.
Passive collection only
The subject of an investigation is never contacted, notified, or interacted with. All data is drawn from publicly available sources and historical breach records already in public circulation. No subject-facing activity, ever.
Your investigations stay yours
Reports are tied to your authenticated account and are never visible to other customers. BLACKEYES staff do not read customer report contents except when strictly required for support, and only at your explicit request.
Encryption in transit and at rest
Modern transport-layer encryption between your browser and our infrastructure. Report data is stored encrypted. Regular encrypted backups.
Public-domain sourcing
We never access accounts without authorisation, scrape private data, or purchase data from illicit marketplaces. Sources are historical breach aggregators, public social platforms, Companies House, and open web records.
Scoped, least-privilege access
Every request to read your data is scoped to your authenticated account and enforced server-side. Cross-tenant data access is not possible by design, and staff-level access to customer data requires explicit break-glass procedures.
Retention in your control
Individual investigations can be deleted at any time from your dashboard. Account deletion removes associated reports and personal data, subject to any statutory retention obligations. No silent retention of deleted material.
UK GDPR & Data Protection Act 2018
Clear roles and responsibilities between you and BLACKEYES as data handling parties.
Your role: Data Controller
When you run an investigation, your organisation acts as Data Controller — you determine the purpose and means of processing. Your lawful basis (typically legitimate interest for investigative or compliance use, or contract performance for employment screening) should be stated in your own privacy notice.
Our role: Data Processor
BLACKEYES acts as Data Processor on your behalf. Our Data Processing Agreement forms part of the Terms of Service and governs our handling of subject personal data on your instructions.
Subject rights supported
Where a subject exercises rights (access, rectification, erasure) against you as Data Controller, we support you in fulfilling those requests. Contact support with the reference and we will help identify and action the relevant data within our systems.
How data is handled
Authentication
Strong password requirements (minimum 12 characters), disposable-email blocking, and session-based authentication. Standard industry practice for a security-sensitive platform.
Transport and storage
Modern transport-layer encryption for every request. Report data is stored encrypted at rest. No plaintext customer data transits the public internet.
Backups and recovery
Regular encrypted backups with recovery procedures in place. Retention is limited to what is needed for reliable recovery.
Payment data
Payments are processed by a PCI-DSS compliant payment provider. BLACKEYES does not store card numbers, CVV codes, or full banking details on our side. Only a customer reference is retained to manage subscriptions.
Email authentication
Email authentication (SPF, DKIM, DMARC) is configured on all outbound sending domains to prevent spoofing. Transactional mail is sent through an authenticated service; we never expose customer data in email bodies beyond what is strictly necessary for the transaction.
Detailed infrastructure information (specific vendors, region, retention windows) is available to enterprise customers under NDA. Please contact us if you require it for a procurement or risk-review process.
Reporting a security issue
If you believe you've found a vulnerability or a data handling issue, let us know directly. We take every report seriously and respond quickly.