LGPD and GDPR Posture

Audience: Brazilian procurement, security, and DPO contacts (LGPD); EU/EEA equivalents (GDPR).

Purpose: State HailBytes’ regulatory posture under LGPD (Lei nº 13.709/2018) and GDPR (Regulation 2016/679) with specific attention to the BYOC deployment model’s effect on the controller/processor question.

This document does not constitute legal advice. It is a vendor posture statement intended to ground a procurement-side legal review.


Part I — LGPD (Brazil)

1. Roles under LGPD

For customer-scanned asset data (HailBytes ASM) and employee/target/campaign data (HailBytes SAT), HailBytes is neither operador (processor) nor controlador (controller).

The structural reason: HailBytes does not receive, store, transmit, or otherwise treat (tratamento, LGPD Art. 5º, X) this data. It is processed exclusively on infrastructure the customer provisions and controls in their own AWS or Azure account. HailBytes’ product runs inside this customer-owned environment as software the customer operates. See byoc-architecture.md for the technical demonstration of this claim.

For the limited operational data HailBytes does process — support-ticket contents the customer submits, marketing-site form submissions, Marketplace settlement metadata — HailBytes acts as operador under instruction from the customer (controlador). This is governed by the HailBytes DPA / Acordo de Tratamento de Dados.

2. Data residency

HailBytes ASM and SAT can be deployed in any AWS or Azure region the customer’s account has access to. For Brazilian customers requiring data residency in Brazil, the supported regions include:

  • AWS: sa-east-1 (São Paulo)
  • Azure: brazilsouth (São Paulo)

Once deployed in a Brazilian region, customer-scanned asset data, employee target lists, phishing-simulation results, and audit logs remain in that region. They are stored in PostgreSQL volumes on EBS or Azure managed disk, and in object storage (S3 / Azure Blob) within the customer’s account. No HailBytes-operated infrastructure receives copies.

This is verifiable by the customer’s own cloud-account audit logs (CloudTrail, Azure Activity Log).

3. Cross-border transfers (LGPD Art. 33–36)

For customer-scanned data and SAT campaign data: not applicable, because the data does not transfer out of the customer’s tenant. International transfer rules do not engage where there is no transfer.

For HailBytes-side processing of support-ticket contents and Marketplace settlement metadata: HailBytes relies on the customer’s consent and the contractual safeguards in the HailBytes DPA to ground any cross-border processing necessary for support delivery and contract administration. The DPA terms are aligned with ANPD guidance on standard contractual clauses (cláusulas contratuais padrão) issued under Resolution CD/ANPD nº 19/2024 and subsequent guidance.

4. Lawful bases (LGPD Art. 7º)

HailBytes’ processing as operador for support-ticket contents and Marketplace settlement metadata is grounded in:

  • Art. 7º, V (execução de contrato) — performance of the customer agreement.
  • Art. 7º, IX (legítimo interesse) — limited to operational logging needed to deliver and secure the service.

For HailBytes’ marketing communications (separate from customer relationships): consent (Art. 7º, I), with opt-in and clear opt-out, recorded with timestamp and source.

5. Breach notification (LGPD Art. 48)

ANPD expects notification of incidents that may result in relevant risk or damage to data subjects within a reasonable time — current ANPD guidance treats two business days as the working benchmark for initial notification.

HailBytes’ notification obligations and timelines for the limited operational data HailBytes processes are stated in the HailBytes DPA. To request a counter-signed DPA or discuss notification terms, contact contracts@hailbytes.com.

For incidents affecting the data residing in the customer’s tenant: HailBytes does not detect such incidents (HailBytes has no visibility into the customer’s tenant). The customer is the entity that must notify ANPD where applicable. HailBytes supports the customer’s investigation under the terms of the support contract.

6. DPO / Encarregado (LGPD Art. 41)

LGPD Art. 41 requires the controller to designate an encarregado pelo tratamento de dados pessoais. Where HailBytes acts as operador (limited processing scope), Art. 41 obligations attach to HailBytes’ role and HailBytes will designate an encarregado for that scope.

Designated encarregado: David McHale. Contact: dpo@hailbytes.com (alias to be activated alongside publication on hailbytes.com/privacy).

Public-page publication: in progress — target 2026-Q3 — at hailbytes.com/privacy per LGPD Art. 41 §1º (the encarregado’s identity and contact information must be publicly available, “preferably on the controller’s website”).

7. Data subject rights (LGPD Art. 18)

For data residing in the customer’s tenant (the bulk of relevant data): the customer fulfills data-subject rights requests directly, using the product’s own data-export, redaction, and deletion features. Relevant product capabilities:

  • ASM: scan-result deletion, asset-record deletion, full audit log export via API.
  • SAT: target deletion, campaign-result deletion, models/anonymization.go::AnonymizeCampaignResults() for irreversible overwrite of PII fields, audit log export at GET /api/audit/export. PII in target lists is column-encrypted at rest (AES-256-GCM).

For data HailBytes processes as operador (support, billing): HailBytes responds to authenticated data-subject requests within 15 days, per LGPD Art. 19 §1º, and forwards requests originating with the controller’s data subjects to the controller where the request concerns data the controller holds.

8. PII handling in HailBytes SAT specifically

Because SAT operates on employee email lists and observes user behavior under simulated phishing conditions, the LGPD posture here deserves a specific note:

  • All target data is stored in the customer’s PostgreSQL database, on the customer’s VM, in the customer’s chosen region. HailBytes never receives it.
  • PII fields (email, name, position) are column-encrypted with AES-256-GCM. Key material is held in environment variables on the customer’s VM; HailBytes does not have the key.
  • The piiscrub package (Go, piiscrub/piiscrub.go) provides deterministic redaction of PII when a reported phishing email is converted to a reusable template — emails, phone numbers, IPs, MAC addresses, SSNs, credit card numbers, and IBANs are replaced with stable placeholder tokens before the email is reused.
  • The audit/ package records every PII-touching operation: user ID, IP, request ID, event category and type, severity, resource type, resource ID, timestamps. Retention is configurable (default 90 days).
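To make the "stable placeholder tokens" idea in the piiscrub bullet concrete, here is an added example written for this page; it is not the piiscrub package's own code, and the pattern set, the Token/Scrub names, the hard-coded key and the sample email body are all constructed assumptions:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// scrubKey is a constructed key for this example only; in the BYOC model it would live on the customer's VM.
var scrubKey = []byte("example-scrub-key-not-for-production")

// patterns run in this order so tighter shapes are tokenised before the looser phone pattern sees their digits.
var patterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"EMAIL", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)},
	{"IBAN", regexp.MustCompile(`\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b`)},
	{"MAC", regexp.MustCompile(`\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b`)},
	{"IPV4", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)},
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"CC", regexp.MustCompile(`\b(?:\d{4}[ -]?){3}\d{4}\b`)},
	{"PHONE", regexp.MustCompile(`\+?\d[\d -]{8,}\d`)},
}

// Token derives a stable placeholder for one PII value: the same value always maps to the same
// token (so a template stays internally consistent), and the keyed HMAC blocks unkeyed dictionary reversal.
func Token(kind, value string) string {
	mac := hmac.New(sha256.New, scrubKey)
	mac.Write([]byte(kind + ":" + value))
	return fmt.Sprintf("[%s_%s]", kind, hex.EncodeToString(mac.Sum(nil))[:8])
}

// Scrub replaces every recognised PII value in text with its placeholder.
func Scrub(text string) string {
	for _, p := range patterns {
		text = p.re.ReplaceAllStringFunc(text, func(m string) string {
			return Token(p.kind, m)
		})
	}
	return text
}

func main() {
	// Constructed sample of a reported phishing email body.
	body := "From: ceo@example.com (+55 11 91234-5678), relay 203.0.113.7"
	fmt.Println(Scrub(body))
}
```

Because the token is keyed, the redaction is only as irreversible as the key is private; the same value redacted under two different keys yields two different tokens.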

Part II — GDPR (EU/EEA)

9. Roles under GDPR

The analysis tracks Part I closely. For customer-scanned asset data (ASM) and employee/campaign data (SAT), HailBytes is neither controller nor processor, for the same structural reason as under LGPD: HailBytes does not process this data; it is processed exclusively on infrastructure the customer provisions and controls.

For the limited operational data HailBytes does process, HailBytes acts as processor for the customer (controller) and the HailBytes DPA governs.

10. Data residency in the EU/EEA

For EU/EEA customers requiring data residency in-region, supported deployment regions include:

  • AWS: eu-west-1 (Ireland), eu-central-1 (Frankfurt), eu-west-2 (London), eu-west-3 (Paris), eu-north-1 (Stockholm), and others.
  • Azure: northeurope (Ireland), westeurope (Netherlands), germanywestcentral, francecentral, swedencentral, and others.

Once deployed in an EU/EEA region, customer data remains in that region under the same mechanism described in §2.

11. International transfers (GDPR Chapter V)

For customer-tenant data: not applicable for the same reason as LGPD.

For HailBytes-side processing where any party in subprocessor-list.md §A processes EU personal data outside the EEA: HailBytes relies on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the transfer mechanism, supplemented by the technical and organizational measures described in security-evidence-package.md. For United States subprocessors that participate in the EU-U.S. Data Privacy Framework (currently GitHub/Microsoft, AWS, Cloudflare, Stripe, Anthropic), the DPF certification supplies an additional lawful transfer mechanism.

12. Lawful bases (GDPR Art. 6)

Tracks §4: contract performance (Art. 6(1)(b)), legitimate interest for operational logging (Art. 6(1)(f)), consent for marketing communications (Art. 6(1)(a)).

13. Breach notification (GDPR Art. 33–34)

GDPR Art. 33: notification to the supervisory authority within 72 hours where feasible.

HailBytes’ notification obligations and timelines for the limited operational data HailBytes processes are stated in the HailBytes DPA, which incorporates the Art. 33/34 processor obligations including the requirement to enable the customer (controller) to meet the 72-hour supervisory authority notification window. To request a counter-signed DPA, contact contracts@hailbytes.com.

For incidents affecting data residing in the customer’s tenant, the customer is the entity that detects and notifies; HailBytes supports investigation.

14. DPO (GDPR Art. 37)

GDPR Art. 37 requires a DPO designation in specific circumstances (public authorities; core activities involving large-scale regular and systematic monitoring; large-scale processing of special-category data). HailBytes’ own processing scope is unlikely to require a designated DPO under Art. 37, but HailBytes will designate one as a goodwill measure for the enterprise procurement cycle.

Designated DPO: David McHale (same appointee as the LGPD encarregado; the role-overlap is permissible under both regulations given HailBytes’ scale and processing scope). Contact: dpo@hailbytes.com. Public-page publication target 2026-Q3.

15. Data subject rights (GDPR Art. 12–22)

Tracks §7: customer-side fulfillment for data in the customer’s tenant; HailBytes-side fulfillment within statutory deadlines for data HailBytes processes.


Part III — Documents and contacts

  • DPA: published at hailbytes.com/legal/dpa/ — HailBytes’ standard processor agreement with LGPD and GDPR schedules, SCCs incorporated by reference. For a counter-signed standalone DPA, email contracts@hailbytes.com.
  • Privacy notice: hailbytes.com/privacy.
  • Security contact: security@hailbytes.com.
  • Encarregado / DPO: David McHale; dpo@hailbytes.com.

Cross-references: byoc-architecture.md for the technical basis of the role analysis; subprocessor-list.md for the parties in scope of HailBytes’ own processor obligations; compliance-roadmap.md for dated commitments on DPO designation and DPA publication.