Privacy Policy
How Secure Purple handles personal data in the course of operating this website and delivering our services. Written under the UK GDPR and the Data Protection Act 2018.
1.1 Who we are
Secure Purple Ltd. ("we", "us", "our") is a cybersecurity services company registered in England & Wales, with its registered office at 128 City Road, London EC1V 2NX. We act as the data controller for personal data you submit through this website and for prospect and client records we maintain in the course of doing business.
When we are engaged under a signed statement of work to process personal data that belongs to a client (for example, during a penetration test or SOC engagement), we act as a data processor and the terms of that engagement, including the data processing addendum attached to the SOW, govern that processing.
1.2 What we collect
- Contact enquiries. When you submit the contact form we collect the fields you provide: name, work email, company, service of interest, and the content of your message. We also record the timestamp, your IP address and a rate-limit counter, strictly for abuse prevention.
- Engagement records. If you become a client we retain contracting details (company name, signatory, billing contact, SOW content) as required to perform the engagement and to meet our legal and tax obligations.
- Technical logs. The web server logs standard request metadata (IP, user-agent, path, status, timestamp) for a short window for security and availability purposes.
- No tracking cookies. This site does not set advertising or cross-site tracking cookies. We do not run third-party analytics that profile visitors.
1.3 Why we process it (lawful basis)
- Responding to your enquiry: Art. 6(1)(b) (steps prior to entering a contract) or Art. 6(1)(f) (legitimate interests) as applicable.
- Delivering services to clients: Art. 6(1)(b) (performance of a contract).
- Security, fraud and abuse prevention (rate limiting, honeypots, access logs): Art. 6(1)(f) (legitimate interests).
- Legal, tax and regulatory obligations: Art. 6(1)(c).
1.4 How long we keep it
- Contact form enquiries that do not progress: up to 24 months, then deleted or anonymised.
- Client engagement records: for the duration of the engagement plus the statutory retention required for the relevant contract, typically 6 years.
- Server request logs: rolling 30 days.
- Rate-limit store: rolling 10 minutes.
1.5 Who we share it with
We do not sell personal data. We share it only with processors and professionals we use to run the business, under appropriate contracts:
- Our email provider (for sending and receiving the messages you write to us).
- Our hosting provider (for serving this website).
- Our accountants, auditors and legal advisers where necessary.
- Law-enforcement or regulators where we are legally required to.
Any transfer of personal data outside the UK/EEA is made under an appropriate safeguard (UK adequacy regulations, the UK Addendum to the EU SCCs, or equivalent).
1.6 Your rights
Under UK GDPR you may request access, rectification, erasure, restriction, portability, and object to certain processing. Write to ask@securepurple.com. We will respond within one month. You may also complain to the UK Information Commissioner's Office (ico.org.uk).
1.7 Security
We are a cybersecurity firm; we hold ourselves to the same standards we advise on. Practical controls include TLS in transit, least-privilege access, SSO and MFA on internal tooling, encrypted backups, endpoint hardening, and periodic review of our own attack surface. We still recommend you do not include secrets, credentials or sensitive personal data in the contact form. Send those over an agreed channel after scoping.
1.8 Changes
If we make material changes to this policy we will update the "Last updated" date above and, where appropriate, notify you directly (for example, through a banner or an email to an active engagement contact).
Terms of Service
Terms governing (a) your use of this website and (b) our professional services, as a services provider. Specific engagements are governed by the signed Master Services Agreement and Statement of Work. In the event of a conflict, the signed contract controls.
2.1 About these terms
This page sets the baseline terms. It does not by itself create an engagement. Professional services are only delivered once we have agreed scope, fees and timing in writing via a Statement of Work ("SOW") and, where applicable, an MSA.
2.2 Use of this website
- Content on this site (copy, research write-ups, diagrams, logos) is our intellectual property or used under licence. You may read, quote briefly with attribution, and share a link. Do not republish, mirror or train models on the full content without permission.
- Do not attempt to attack, overload, scrape aggressively, probe for vulnerabilities, or evade rate limits on this website outside of our Responsible Disclosure / VDP programme (see §3 and §4).
- We provide this website on an "as is" basis and make no uptime commitment for the marketing site. Commitments for delivered services are set in the applicable SOW.
2.3 Service delivery
- Scope & authorisation. Offensive-security engagements (penetration testing, red team, adversary simulation) are only carried out against in-scope assets that the client has the authority to authorise. A signed Rules of Engagement document is required before testing begins.
- Deliverables. Reports, findings, evidence packages and methodology artefacts are delivered as specified in the SOW. Unless stated otherwise, the client receives a licence to use deliverables internally; Secure Purple retains rights in underlying methodology, tooling and generic techniques.
- Fees. Fees, milestones and payment terms are set in the SOW. Invoices are payable within the period specified in the MSA.
- No warranty of a clean bill of health. A penetration test is a time-boxed assessment. A report of "no critical findings" does not mean the system is free of vulnerabilities. It means none were identified within the agreed scope, time and methodology. Continuous assurance is always recommended.
2.4 Confidentiality
Each engagement is covered by mutual confidentiality, in the MSA or a standalone NDA. Published research is always drafted from engagements where we have permission to disclose, and is redacted as required.
2.5 Liability
Liability caps, exclusions, indemnities and carve-outs are agreed in the MSA. This website does not itself create a liability relationship.
2.6 Governing law
These terms, and any non-contractual obligations arising out of them, are governed by the laws of England & Wales. The courts of England & Wales have exclusive jurisdiction.
2.7 Contact
Engagement enquiries: ask@securepurple.com. Contracts, legal and DPAs: ask@securepurple.com (marked Legal).
Responsible Disclosure
We run penetration tests for a living, so we take reports against our own assets seriously. If you believe you have found a security issue affecting Secure Purple's infrastructure, please report it. The following terms describe how we'd like that to happen.
3.1 Scope
- securepurple.com and its subdomains that we operate.
- Public Secure Purple code repositories hosted under our organisation.
- Secure Purple-operated community platforms that we explicitly list as in-scope on this page.
3.2 Out of scope
- Third-party SaaS (email provider, hosting control panel, CRM, etc.). Report those to their own vendors.
- Findings that require social engineering of our staff, physical access to our premises, or denial of service.
- Best-practice notes that are not demonstrable vulnerabilities (missing hardening headers without impact, self-XSS that requires a victim to paste payloads into devtools, etc.).
- Client assets under active engagement. Those have their own Rules of Engagement. Please do not test client systems under this programme.
3.3 How to report
- Email ask@securepurple.com with the subject line "Security Report: [short title]".
- Include: affected asset, reproduction steps, impact, and any supporting output or screenshots. PGP is available on request.
- We will acknowledge receipt within 3 working days and give an initial triage decision within 10 working days.
- We will keep you updated until the issue is remediated, and agree public disclosure timing with you, typically after the fix has shipped.
3.4 Safe harbour
If you make a good-faith effort to comply with this policy (staying within scope, avoiding privacy violations, avoiding degradation of service, and not exfiltrating data beyond what is necessary to prove the issue), we will not pursue legal action against you for your research. We cannot waive the rights of third parties; if your research touches infrastructure we don't operate, the relevant third party's policy applies to you.
3.5 Rewards
This is a responsible-disclosure programme, not a paid bug bounty. We'll gladly thank you publicly (with your consent) and for material findings we may, at our discretion, offer a token of appreciation. If and when we launch a formal paid programme, it will be documented in §4 below.
Vulnerability Disclosure Programme (VDP)
A VDP gives security researchers a clear, legal channel to report vulnerabilities. Secure Purple operates a VDP for its own assets, aligned with ISO/IEC 29147 and ISO/IEC 30111. For our clients, we also design, implement and operate VDPs as a service.
4.1 Our own VDP
The Responsible Disclosure policy in §3 is our VDP. The reporting channel, scope, triage SLAs, safe harbour and disclosure posture all apply. In short:
- Report channel: ask@securepurple.com with subject "Security Report: [title]".
- Acknowledgement: within 3 working days.
- Triage decision: within 10 working days.
- Coordinated disclosure: agreed with the reporter, typically post-fix.
- Safe harbour: yes, for good-faith research within scope.
- Rewards: discretionary. This is not a paid bounty programme.
4.2 VDP for our clients (as a service)
As a service provider we help clients stand up VDPs they can actually operate:
- Policy drafting. Scope boundaries, safe harbour language, triage SLAs, disclosure posture, tuned to the client's regulatory environment.
- Intake & triage. Secure report channels, de-duplication, severity rating (CVSS), and recommended remediation.
- Engineering liaison. We translate researcher findings into reproducible tickets for the engineering team and verify fixes.
- Reporter relations. Timely acknowledgements, status updates, recognition and, where the client runs a bounty, payout coordination.
- Metrics & reporting. Mean time to triage / mean time to remediate, severity distribution, researcher participation, reviewed with the client each quarter.
- Framework alignment. ISO/IEC 29147 & 30111, NIS 2 incident-handling expectations, and SOC 2 / ISO 27001 control evidence.
4.3 When to talk to us about a VDP
- You're preparing for SOC 2 / ISO 27001 certification and need a documented, operational programme.
- You're an EU entity within NIS 2 scope and need a coordinated vulnerability disclosure process.
- You have inbound researcher reports landing on generic inboxes with no clear workflow behind them.
- You want to move from "no programme" to "public VDP" (or from public VDP to paid bounty) without the transition going sideways.
If any of that applies, start a conversation. We'll give you an honest read on whether you need one yet, and what the first 90 days look like.