Privacy Policy

Last updated: May 2026

1. Who We Are

Skuntir is an offensive security firm based in Munich, Germany, providing red team operations, penetration testing, cloud security assessments, product security reviews, and human factors testing to enterprises, government bodies, and critical infrastructure operators.

Skuntir is the data controller for personal data collected through this website and in connection with business development activities. Engagement-specific data processed during contracted operations is governed separately by the applicable Master Services Agreement and Non-Disclosure Agreement, not by this policy.

This policy is issued under Regulation (EU) 2016/679 (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). References to "Skuntir", "we", "our", or "us" refer to Skuntir and its authorised personnel. "You" refers to any individual whose personal data we process.

2. Data Protection Contact

Privacy-related questions, rights requests, and data protection concerns can be directed to us at legal@skuntir.com.

Under §38 BDSG, a formal Data Protection Officer (Datenschutzbeauftragter) must be appointed if 20 or more persons are regularly engaged in automated data processing. If Skuntir meets this threshold, the appointed DPO's contact details will be published here and registered with the BayLDA.

3. What Data We Collect and Why

3.1 Enquiry and contact data

When you contact us through any channel, we collect the information you provide: typically your name, job title, business email address, phone number, organisation name, and the nature of your enquiry. We process this on the basis of legitimate interests (Art. 6(1)(f) GDPR) - specifically, to evaluate and respond to potential business relationships - and, where an engagement follows, to perform our contractual obligations (Art. 6(1)(b) GDPR).

3.2 Website analytics data

Our website collects limited technical data automatically, including IP address, browser type and version, operating system, pages visited, and referring URL. This data is processed in aggregate under our legitimate interest in monitoring and securing our own infrastructure (Art. 6(1)(f) GDPR). We do not use third-party analytics platforms that profile individual visitors.

3.3 Engagement operational data

During contracted engagements, our operators may encounter data belonging to you, your organisation, or your personnel. This is strictly incidental to the delivery of authorised security services and is handled under the terms of the applicable Non-Disclosure Agreement and Rules of Engagement, subject to strict internal access controls. This policy does not govern engagement operational data.

3.4 Data we do not collect

We do not collect or process:

  • Special category personal data (health, biometric, racial, political, or religious data)
  • Data from individuals under the age of 18
  • Payment card data directly - any billing is handled through PCI-compliant processors
  • Data beyond what is reasonably necessary for the stated purpose

4. Legal Basis for Processing

We rely on the following legal bases under Art. 6 GDPR to process your personal data:

  • Contract performance (Art. 6(1)(b)) - processing necessary to deliver services you have engaged us to provide
  • Legitimate interests (Art. 6(1)(f)) - responding to enquiries, maintaining business records, and securing our own systems, where these interests are not overridden by your fundamental rights and freedoms. Where we rely on this basis, the relevant legitimate interest is identified in Section 3 above
  • Legal obligation (Art. 6(1)(c)) - retaining records as required by applicable law, including §§ 238, 257 HGB (German Commercial Code) and § 147 AO (German Fiscal Code)
  • Consent (Art. 6(1)(a)) - where we rely on consent, for example for non-essential communications, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal

5. How We Use Your Data

We process personal data for defined purposes only:

  • Responding to and managing incoming enquiries and proposals
  • Executing and managing contracted security engagements
  • Issuing invoices, processing payments, and maintaining financial records
  • Communicating updates, findings, and reports relevant to active engagements
  • Complying with applicable legal, regulatory, and law enforcement obligations
  • Detecting, investigating, and preventing security incidents affecting our own systems

We will not use your data to build marketing profiles, sell access to third parties, conduct unsolicited outreach unrelated to your enquiry, or for any automated decision-making that produces legal or similarly significant effects on you (Art. 22 GDPR).

6. Data Sharing and Disclosure

Skuntir does not sell, rent, broker, or trade personal data. We may disclose data in the following limited situations:

6.1 Service providers

We engage a small number of vetted third-party service providers, such as encrypted communication platforms and secure document delivery services. All are bound by data processing agreements under Art. 28 GDPR, are prohibited from using data for any independent purpose, and must maintain security standards consistent with our own.

6.2 Legal and regulatory requirements

We may disclose data where required by a valid legal order, warrant, or regulatory demand. Where permitted by law, we will notify you before complying unless doing so would be unlawful or would obstruct a legitimate investigation.

6.3 Protection of rights and safety

We may disclose data where we have good-faith reason to believe it is necessary to prevent imminent harm, protect the rights or safety of any individual, or detect and prevent fraud or malicious activity directed at us or our clients.

6.4 Business transfers

In the event of a merger, acquisition, or transfer of substantially all business assets, personal data may transfer to the acquiring entity. We will provide prior notice and ensure the receiving party is bound by obligations no less protective than this policy.

7. International Data Transfers

Skuntir operates globally and may process or store data in jurisdictions outside the European Economic Area (EEA). Where personal data originating from the EEA, the United Kingdom, or Switzerland is transferred internationally, we rely on appropriate safeguards under Chapter V GDPR. These include adequacy decisions adopted by the European Commission where applicable, and Standard Contractual Clauses (SCCs) approved by the Commission where no adequacy decision covers the destination country. Where SCCs are used, we implement supplementary technical and organisational measures where necessary to ensure the transferred data receives protection equivalent to that required within the EEA.

You may request information about the specific safeguards applied to any international transfer of your data by writing to us at the address in Section 2.

8. Data Retention

We retain personal data only for as long as necessary for the purpose it was collected and for no longer than required by applicable law. Our standard retention periods are:

  • Unanswered or declined enquiries - 12 months from last contact, then securely deleted
  • Active client contact data - retained for the duration of the relationship plus 6 years, consistent with § 257(4) HGB
  • Engagement records and reports - retained for 10 years, consistent with the maximum statutory retention period under §§ 238, 257 HGB and § 147 AO, then securely destroyed in accordance with our data destruction policy
  • Financial and billing records - retained for the period required by §§ 238, 257 HGB and § 147 AO (up to 10 years)
  • Website access logs - rolling 90-day window, then deleted

When data is no longer required, it is securely deleted or anonymised such that it can no longer be attributed to any individual.

9. Security

We are an offensive security company. How we handle data is a matter of professional credibility, not just legal compliance. We apply the same scrutiny to our own data handling that we apply to our clients' systems. Our technical and organisational security measures include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • Strict need-to-know access controls with multi-factor authentication
  • Comprehensive audit logging of access to sensitive systems
  • Regular internal security reviews and threat modelling of our own infrastructure
  • Secure disposal of physical and digital materials containing personal data
  • Incident response procedures, including breach notification protocols

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the BayLDA within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under Art. 34 GDPR.

10. Your Rights

Subject to applicable law and limited exceptions, you have the following rights in relation to your personal data:

  • Right of access (Art. 15 GDPR) - to obtain a copy of the personal data we hold about you and information about how we process it
  • Right to rectification (Art. 16 GDPR) - to have inaccurate or incomplete data corrected
  • Right to erasure (Art. 17 GDPR) - to request deletion of your data where we have no lawful basis to continue processing it
  • Right to restriction (Art. 18 GDPR) - to limit processing in certain circumstances while a dispute about the data is resolved
  • Right to data portability (Art. 20 GDPR) - to receive data you have provided to us in a structured, machine-readable format, where processing is based on consent or contract
  • Right to object (Art. 21 GDPR) - to object at any time to processing based on legitimate interests, including for direct communications. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests
  • Right not to be subject to automated decision-making (Art. 22 GDPR) - not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. We do not carry out such processing
  • Right to withdraw consent (Art. 7(3) GDPR) - at any time where processing is consent-based, without affecting prior lawful processing

To exercise any of these rights, submit a written request to legal@skuntir.com. We will respond within one month. In cases of complexity or volume, this period may be extended by a further two months under Art. 12(3) GDPR; we will inform you of any extension and the reasons for it within the initial one-month period. We may need to verify your identity before processing your request.

11. Cookies and Tracking

Our website uses only technically essential cookies required for the site to function. We do not deploy advertising cookies, third-party tracking pixels, cross-site analytics, or behavioural profiling technologies of any kind.

Essential cookies may include session identifiers and security tokens necessary to deliver the website securely. These expire at the end of your session or within a short fixed period. Under §25(2) TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz), no consent is required for cookies that are strictly necessary to provide a service explicitly requested by the user.

12. Children

Our services are directed exclusively at business clients and their representatives. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected such data, it will be deleted promptly.

13. Changes to This Policy

We may update this Privacy Policy periodically. Where changes are material, we will provide reasonable prior notice, which may include a prominent notice on our website or direct communication to known contacts. The "last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of our website or services following notice of material changes constitutes acceptance of the revised policy.

14. Supervisory Authority and Complaints

For privacy-related questions, requests, or concerns, contact us at legal@skuntir.com. We will acknowledge receipt within 2 business days.

If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the competent supervisory authority. Because we are a private-sector company established in Bavaria, our lead supervisory authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
www.lda.bayern.de

If you are based in another EU member state, you also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work.