Privacy & Data Disclosure Policy
Last updated: March 2026
This Privacy Policy describes how the CVD Portal ("we", "us", or "our") collects, uses, encrypts, and strictly limits the disclosure of sensitive vulnerability and personal data. Because the platform facilitates high-stakes cybersecurity workflows that must comply with the EU Cyber Resilience Act, our data-handling procedures follow strict "need-to-know" operational security (OPSEC) principles.
1. Data We Collect & Process
We process two categories of data on behalf of our Tenants (Manufacturers):
- Tenant Operations Data: Administrative accounts, SBOMs (Software Bill of Materials), hardware identifiers, configuration metadata, and operational audit logs.
- Vulnerability Incident Data: Submission payloads (encrypted or unencrypted) generated by external cybersecurity researchers, including zero-day proofs-of-concept, exploitation steps, impact assessments, and PGP public keys.
2. The "Shared Responsibility" Security Model
We assume the role of the structural Data Processor holding logs and orchestrating workflows. Sensitive payloads (such as reproduction steps) are only decrypted by authorized Tenant staff holding valid RBAC (Role-Based Access Control) clearance. We do not inspect, monetize, or index the internal content of unpatched vulnerabilities for marketing or external distribution.
3. Mandatory Authority Disclosures (CSIRT / ENISA)
Unlike traditional platforms that never disclose private communications, the CVD Portal is specifically engineered to fulfill Cyber Resilience Act regulatory reporting requirements. If a Tenant actively triages an exploit and flags it as having "CRITICAL" or "HIGH" societal risk, the Platform allows the generation of specialized 24-hour Notification Export files. By using the platform to generate these files, the Tenant explicitly authorizes the compilation of PII and security details into National CSIRT- and ENISA-compatible formats for escalated transmission.
4. Researcher Anonymity & Protection
Under the Cyber Resilience Act, cybersecurity researchers submitting vulnerabilities in good faith must be protected. The CVD Portal permits anonymous reporting. When contact emails or PGP identifiers are provided by researchers, they are strictly locked to the relevant Tenant’s workspace to coordinate remediation. The Platform does not aggregate researcher profiles across different, competing tenants.
5. Data Retention & Immutable Logging
Because the Cyber Resilience Act requires rigorous proof of response times (e.g., verifying that a submission was acknowledged within exactly 48 hours), the CVD Portal generates *immutable audit logs* tied to the precise millisecond of a transaction. These logs are permanently retained for regulatory defense and cannot be altered or deleted by Tenant administration staff.