This Privacy Policy describes how Depna collects, uses, and protects your personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable Turkish data protection legislation.
01 Overview
Depna ("we," "our," or "us") operates a Software-as-a-Service platform that scans dependency files for known security vulnerabilities. We are committed to processing your personal data transparently, lawfully, and securely.
By using the Service at depna.io, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not use the Service.
02 Data Controller
The data controller responsible for processing your personal data is:
03 Information We Collect
3.1 Account Information
When you register, we collect:
- First name
- Last name
- Email address
- Company name
- Password — stored as a one-way cryptographic hash; never in plain text
3.2 Dependency Files & Scan Data
When you upload a dependency file (e.g., package.json, requirements.txt, pom.xml), Depna uses it to extract the list of packages and their versions. We retain the extracted dependency data as part of your scan results, including:
- Package names and version numbers
- Number of packages scanned
- Vulnerability counts and severity levels
- CVE identifiers and affected package names
- Scan timestamp and project identifier
This data is associated with your project and is retained as long as the scan record exists. The raw file content is not retained as a standalone file after the scanning process completes.
3.3 Usage and Technical Data
We automatically collect the following when you use the Service:
- IP address and approximate geographic location
- Browser type, version, and operating system
- Pages visited, features used, and time spent
- Service activity records (which page or feature was used, when, and whether the request succeeded — never the contents of your data)
- Error logs for debugging purposes
3.4 Communication Data
If you contact us for support or other purposes, we retain the content of that communication and your contact details.
3.5 Payment Information
For paid subscriptions, payment is processed by a third-party payment processor. We do not store, process, or have access to your full credit card number or financial credentials.
04 How We Use Your Information
We use your information exclusively to:
- Create and manage your account
- Perform dependency security scans and generate vulnerability reports
- Deliver security notifications via email, Slack, Microsoft Teams, or Discord
- Generate AI-powered summaries and audit-ready PDF reports
- Provide customer support
- Monitor and improve the performance and reliability of the Service
- Detect, investigate, and prevent fraudulent or abusive activity
- Comply with applicable legal obligations
We do not use your data for advertising, profiling for third-party marketing, or selling to any third party.
05 Legal Basis for Processing (GDPR)
Under the GDPR, we rely on the following legal bases to process your personal data:
| Processing Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Providing and operating the Service | Contract performance | Art. 6(1)(b) |
| Sending security vulnerability alerts | Contract performance | Art. 6(1)(b) |
| Fraud prevention and security | Legitimate interests | Art. 6(1)(f) |
| Service analytics and improvement | Legitimate interests | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
06 Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Policy:
| Data Type | Retention Period |
|---|---|
| Scan data (packages, CVEs, findings) | Until account deletion |
| Account information (name, email, company) | Until account deletion, then 30 days |
| Company branding assets (white-label logo, Enterprise plan) | Until removed by Owner/Admin or account deletion |
| Scan results and vulnerability reports | Until account deletion |
| Notification history (what was sent, to which channel, whether it succeeded) | 7 years, to support security and compliance audits |
| Audit log entries (account, scan, report, and token actions) | Retained for security and compliance purposes; de-linked from your identity on account deletion |
| Support communications | 2 years |
| Billing and transaction records | 7 years (statutory requirement) |
Upon account deletion, we permanently erase your account profile data within 30 days. Two categories are handled differently: data we are legally required to keep (such as billing and transaction records), and audit log entries, which are retained for security and compliance purposes with direct identifiers such as your email address removed, so they are no longer linked to your identity. Notification history kept for audit purposes does not contain any webhook links or other secret material — those fields are hidden, so the history is safe to review or share internally.
07 Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Industry-standard encryption for all data in transit between your browser and our servers
- Securely hashed passwords and API tokens — original values are never stored
- Temporary file handling for dependency files — uploaded files are not retained as standalone files after scanning completes
- Access controls limiting employee access to personal data on a need-to-know basis
- Strictly separated scan workflows so each customer's scans run independently and data is never mixed
- Webhook link checks — every Slack, Microsoft Teams, and Discord webhook link you add is verified when you save it and again every time a notification is sent. Only HTTPS links whose hostname belongs to the expected messaging provider are accepted, so your notifications cannot be redirected somewhere else by mistake or by a link that was changed after it was saved
- Hidden secrets — webhook links and similar credentials are never shown in the notification history; they are replaced with a hidden placeholder, so the history is safe to review or share with your team
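The two checks above (webhook allowlisting at save time and at send time, and hiding the webhook secret in the notification history) can be shown in a few lines. The block below is an added illustration, not Depna's code: the provider hostnames, path prefixes and the `[hidden]` placeholder are assumptions made for the example, and the sample links are constructed placeholders.

```python
"""Webhook allowlist check and secret redaction (illustrative, not Depna's code)."""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of incoming-webhook hosts per provider. Exact hosts match as-is;
# suffix entries cover providers that prefix a tenant label (e.g. contoso.webhook.office.com).
# Path prefixes are likewise assumed for illustration; a real deployment maintains its own list.
PROVIDERS = {
    "slack":   {"exact": {"hooks.slack.com"}, "suffix": (), "path": "/services/"},
    "discord": {"exact": {"discord.com", "discordapp.com"}, "suffix": (), "path": "/api/webhooks/"},
    "teams":   {"exact": set(), "suffix": (".webhook.office.com", ".logic.azure.com"), "path": "/"},
}
HIDDEN = "[hidden]"


class WebhookRejected(ValueError):
    """Raised when a webhook link fails the allowlist check."""


def validate_webhook(url: str) -> str:
    """Return the provider name for an acceptable link, or raise WebhookRejected.

    Rejects anything that is not https, carries user:pass@ credentials, uses an IP
    literal or a non-443 port, is off the allowlist, or sits outside the provider's
    webhook path. A look-alike such as hooks.slack.com.evil.example fails the exact match.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise WebhookRejected("only https:// links are accepted")
    if parts.username is not None or parts.password is not None:
        raise WebhookRejected("credentials embedded in the link are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise WebhookRejected("missing hostname")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        raise WebhookRejected("IP literals are not allowed; use the provider hostname")
    try:
        port = parts.port
    except ValueError:
        raise WebhookRejected("malformed port") from None
    if port not in (None, 443):
        raise WebhookRejected("non-standard port")
    for name, rule in PROVIDERS.items():
        if host in rule["exact"] or host.endswith(rule["suffix"]):
            if not parts.path.startswith(rule["path"]):
                raise WebhookRejected(f"path is not a {name} webhook endpoint")
            return name
    raise WebhookRejected(f"{host!r} is not a known messaging provider")


def is_acceptable(url: str) -> bool:
    """Boolean form of validate_webhook, convenient for form validation on save."""
    try:
        validate_webhook(url)
        return True
    except WebhookRejected:
        return False


def redact_webhook(url: str) -> str:
    """Keep scheme and host (which provider was used) and hide the secret path."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/{HIDDEN}"


def record_delivery(channel: str, url: str, succeeded: bool) -> dict:
    """Build a notification-history entry.

    The link is validated again here, at send time, so a channel edited since it was
    saved cannot redirect alerts; the stored entry never contains the webhook secret.
    """
    provider = validate_webhook(url)
    return {"channel": channel, "provider": provider,
            "target": redact_webhook(url), "succeeded": succeeded}


if __name__ == "__main__":
    # Constructed sample links; the tokens are placeholders, not real webhooks.
    for link in ("https://hooks.slack.com/services/T000/B000/XXXX",
                 "http://hooks.slack.com/services/T000/B000/XXXX",
                 "https://hooks.slack.com@evil.example/services/x"):
        print(link, "->", "accepted" if is_acceptable(link) else "rejected")
    print(record_delivery("slack-prod", "https://hooks.slack.com/services/T000/B000/XXXX", True))
```

The exact-host and dotted-suffix comparison is what stops `hooks.slack.com.evil.example` or `evilwebhook.office.com` from passing, and the credential and IP-literal checks close the `host@evil` and raw-address variants of the same redirection trick.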
While we take these measures seriously, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.
08 Third-Party Services
To deliver the Service, we share limited personal data with the following categories of service providers, each bound by data processing agreements:
| Service Category | Purpose | Data Shared |
|---|---|---|
| Slack | Security notifications | Alert message content, project name |
| Microsoft Teams | Security notifications | Alert message content, project name |
| Discord | Security notifications | Alert message content, project name |
| AI processing (Anthropic) | AI-generated report summaries and remediation guidance | Package and project names, vulnerability findings — no personal identifiers |
| Email infrastructure | Reports and alert delivery | Email address, report content |
| Cloud infrastructure | Hosting and compute | Encrypted account and scan data |
| Payment processors | Subscription billing | Billing name, email |
We do not sell, rent, or trade your personal data to any third party. Third-party integrations (e.g., Slack, Teams, Discord) are activated solely at your direction and configuration.
09 International Data Transfers
We host and process your account and scan data within the European Union; our primary infrastructure is located in Frankfurt, Germany. A limited number of sub-processors may process certain data outside the EU/EEA. Where data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions by the European Commission where applicable
- Binding Corporate Rules for intra-group transfers where relevant
You may request information about the specific safeguards in place for any transfer by contacting [email protected].
10 Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority. In Turkey, this is the Personal Data Protection Authority (KVKK). In the EU, you may contact the supervisory authority of your EU member state.
12 Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that a person under 18 has provided us with personal data, we will delete it immediately. If you believe a minor has submitted personal data to us, please contact [email protected].
13 Audit Log & Access Transparency
To help you meet your own security and compliance obligations — and to give you full visibility into how your account is used — Depna keeps an append-only audit log of security-relevant actions (sign-ins, password changes, scan uploads, report downloads, API token creation, notification channel changes, and similar events).
13.1 What the Audit Log Captures
Each audit entry may contain:
- Timestamp, actor email, the action that was performed, and the affected resource
- Short human-readable description and additional context
- The IP address from which the request originated
- The browser or integration tool that made the request
IP address and browser/device information are collected strictly for security-monitoring purposes: to help detect account compromise, unusual sign-in locations, and misuse of API tokens. They are not used for marketing or profiling.
13.2 Who Can See What
Audit log access is strictly role-based and enforced by the platform. Different roles see different slices of the same log so we share only the minimum data required for each duty:
- Company Owner and Admin — full visibility including IP address and browser/device information
- Auditor — full list of actions, but IP address and browser/device information are hidden to respect the data-minimisation principle of GDPR Article 5(1)(c)
- Security Analyst — a narrowed list of security-operations actions only (sign-in events, file uploads, scan activity, report generation and download, API token creation and revocation, notification channel created/deleted)
- Developer and Manager — no audit log access
Role-based filtering and field hiding are enforced by the platform. They cannot be bypassed by calling the API directly or by manipulating the interface.
13.3 Retention & Your Rights
Audit entries are retained for security and compliance purposes and to support your GDPR accountability obligations. They are append-only and cannot be edited or deleted from the dashboard or via support.
When you delete your account, the link between audit entries and your user identifier is removed, but the entries themselves are preserved for historical accuracy. If you need to exercise your GDPR right of access for your own entries, contact us at [email protected].
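Sections 13.2 and 13.3 describe two operations on the same log: a per-role projection that hides fields or narrows the action list, and a de-linking step on account deletion that keeps the entries but removes the actor's email. The block below is an added example, not Depna's code. The entry fields follow 13.1; the action names, the `[hidden]` placeholder, the `deleted-user` marker, and the choice to keep IP and browser fields visible to the Security Analyst (the policy does not say) are assumptions, and the log entries are constructed sample data.

```python
"""Role-based audit log projection and de-linking on account deletion (illustrative)."""
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

HIDDEN = "[hidden]"


@dataclass(frozen=True)
class AuditEntry:
    ts: str
    actor: Optional[str]   # actor email; replaced by a placeholder once the account is deleted
    action: str
    resource: str
    description: str
    ip: str
    user_agent: str


# Constructed sample entries (not real data); addresses use the reserved example.com domain.
SAMPLE_LOG = [
    AuditEntry("2024-05-01T09:12:03Z", "alice@example.com", "auth.sign_in", "user:alice",
               "Signed in", "203.0.113.7", "Firefox/125"),
    AuditEntry("2024-05-01T09:14:40Z", "alice@example.com", "auth.password_change", "user:alice",
               "Changed password", "203.0.113.7", "Firefox/125"),
    AuditEntry("2024-05-01T10:02:11Z", "bob@example.com", "scan.upload", "project:api",
               "Uploaded package.json", "198.51.100.9", "depna-cli/1.2"),
    AuditEntry("2024-05-01T10:05:52Z", "bob@example.com", "token.create", "token:ci-deploy",
               "Created API token", "198.51.100.9", "depna-cli/1.2"),
    AuditEntry("2024-05-01T11:30:00Z", "alice@example.com", "channel.update", "channel:slack-prod",
               "Changed webhook link", "203.0.113.7", "Firefox/125"),
]

# Action names are assumed for illustration; the analyst subset mirrors the list in 13.2.
SECOPS_ACTIONS = frozenset({
    "auth.sign_in", "scan.upload", "scan.run", "report.generate", "report.download",
    "token.create", "token.revoke", "channel.create", "channel.delete",
})
FULL_ACCESS = frozenset({"owner", "admin"})
NO_ACCESS = frozenset({"developer", "manager"})


def can_view_audit_log(role: str) -> bool:
    """Developer and Manager have no access; unknown roles get none either."""
    return role.lower() in FULL_ACCESS | {"auditor", "security_analyst"}


def view_audit_log(role: str, entries: List[AuditEntry]) -> List[dict]:
    """Project the log for a role.

    This is the single server-side path every client (dashboard or API) goes
    through, which is what makes the filtering impossible to bypass by calling
    the API directly: the hidden fields never leave the server.
    """
    role = role.lower()
    if not can_view_audit_log(role):
        raise PermissionError(f"role {role!r} has no audit log access")
    if role in FULL_ACCESS:
        return [asdict(e) for e in entries]
    if role == "auditor":
        # Every action, but no IP or browser/device fields (data minimisation).
        return [asdict(replace(e, ip=HIDDEN, user_agent=HIDDEN)) for e in entries]
    # security_analyst: narrowed to security-operations actions. Keeping IP and
    # user agent visible for this role is an assumption of this example.
    return [asdict(e) for e in entries if e.action in SECOPS_ACTIONS]


def delink_actor(entries: List[AuditEntry], email: str) -> List[AuditEntry]:
    """On account deletion: keep every entry (append-only log), drop the direct identifier."""
    return [replace(e, actor="deleted-user") if e.actor == email else e for e in entries]


if __name__ == "__main__":
    for role in ("owner", "auditor", "security_analyst"):
        print(role, [(e["action"], e["ip"]) for e in view_audit_log(role, SAMPLE_LOG)])
    print([e.actor for e in delink_actor(SAMPLE_LOG, "alice@example.com")])
```

Because the projection happens before any entry is serialised, an Auditor who scripts against the API receives the same `[hidden]` values as the dashboard shows, and a Security Analyst never receives the password-change or channel-update rows at all.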
14 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. When we make material changes, we will:
- Notify you by email at least 14 days before the changes take effect
- Display a prominent notice on the Service
- Update the "Last updated" date at the top of this page
Continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes.
15 Contact Us
For any privacy-related questions, requests to exercise your rights, or to report a concern:
We take all privacy inquiries seriously and will work promptly to address your concerns.