Last updated: March 23, 2026
Dreadnode, Inc. ("Dreadnode," "we," "our," or "us") is a Delaware corporation that provides the Dreadnode Platform (Strikes), an AI cyber security and red-teaming platform. We are the data controller for the personal data we collect through our platform and services.
If you have questions about how we handle your data, or wish to exercise any of your rights, you can reach us at:
We collect the following categories of personal data in connection with the Dreadnode Platform:
| Category | Examples | Required? |
|---|---|---|
| Identification data | Name, username, user account identifiers | Yes — required for account creation |
| Contact data | Email address | Yes — required for account creation and communications |
| Authentication data | Login credentials, session tokens, access logs | Yes — collected automatically for security |
| Technical and usage data | IP address, browser type and version, pages visited, timestamps, session data, platform interaction data | Yes — collected automatically |
| Profile and preference data | Communication preferences, role information | Optional |
| Communication content | Support tickets, messages sent through the platform | Only when you contact us |
We do not intentionally collect sensitive personal data (such as racial or ethnic origin, health data, or biometric data). If you upload sensitive data to the platform, you are responsible for ensuring you have a lawful basis to do so.
We process your personal data for the following purposes. For each purpose, we identify the lawful basis under the General Data Protection Regulation (GDPR) and the retention period:
| Purpose | What We Do | Lawful Basis | Retention |
|---|---|---|---|
| Account management | Creating and managing your platform account, authentication, and authorization | Contract | Until you request deletion |
| Product analytics | Understanding how users interact with the platform to improve the product experience | Legitimate interests | 24 months rolling |
| Customer support | Resolving technical issues and service requests you submit | Contract | 3 years post-resolution |
| Marketing communications | Product announcements, newsletters, and promotional email campaigns | Legitimate interests (with opt-out) | 30 days post-unsubscribe |
| Sales & CRM | Managing prospect outreach and customer communications | Legitimate interests | 3 years after last activity |
| Security monitoring | Threat detection, access monitoring, compliance evidence collection, incident response | Legitimate interests | 12 months |
Where we rely on legitimate interests, our interest is in operating, improving, and securing the Dreadnode Platform. You have the right to object to processing based on legitimate interests — see "Your Rights" below.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
We share personal data with the following third-party service providers ("subprocessors") who process data on our behalf under written agreements imposing data protection obligations at least as protective as those described in this policy:
| Provider | What They Do For Us | Location | Safeguard |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, security monitoring | USA | DPF / SCCs |
| ClickHouse | Database services for platform data | USA | SCCs |
| Cloudflare | Web security, CDN, threat detection | USA | DPF / SCCs |
| Google Workspace | Authentication, document management, customer support | USA / Ireland | DPF / SCCs |
| HubSpot | CRM, sales, marketing communications | USA | DPF / SCCs |
| Loops | Email marketing automation | USA | SCCs |
| PostHog | Product analytics and user behavior telemetry | USA | SCCs |
| Slack | Internal communications, customer support channels | USA / Ireland | DPF / SCCs |
We do not sell your personal data to third parties. We do not share your personal data for cross-context behavioral advertising.
We may also disclose personal data when required by law, regulation, court order, or other legal process, or when necessary to protect our rights, your safety, or the safety of others.
Your personal data may be transferred to and processed in the United States and Ireland. When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on the following safeguards:
The specific transfer mechanism for each subprocessor is shown in the table in Section 4 above.
We retain personal data only for as long as necessary to fulfill the purposes described in Section 3. Specific retention periods are listed in the table in Section 3. When a retention period expires or you request deletion, we will securely delete or anonymize your data within 30 days, unless a longer retention period is required by applicable law (for example, employment records are retained for 7 years as required by law).
Under the General Data Protection Regulation, you have the right to:
To exercise any of these rights, contact us at privacy@dreadnode.io. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Under the California Consumer Privacy Act, California residents have the right to:
To submit a request, contact us at privacy@dreadnode.io. We will verify your identity before processing your request.
We use the following technologies to collect technical and usage data automatically when you use the Dreadnode Platform:
We do not use third-party advertising cookies. We do not engage in cross-site tracking.
We implement appropriate technical and organizational measures to protect your personal data, including encryption of data in transit and at rest, access controls, regular security testing, and incident response procedures. We maintain compliance with the ISO 27701 privacy framework and conduct periodic reviews of our security practices.
While we take reasonable measures to protect your data, no system is completely secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authorities as required by applicable law.
We may update this policy from time to time to reflect changes in our practices, applicable law, or the ISO 27701 framework. When we make material changes, we will notify you by email to the address associated with your account before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was most recently revised.
If you have questions about this policy, wish to exercise your data protection rights, or have a concern about how we handle your data:
If you are in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.