SecureSphereLabs ("we," "our," or "the Company") is committed to protecting the personal information of our clients, partners, and website visitors. This Privacy Policy describes how we collect, use, disclose, and safeguard your information in connection with our services, website, and communications.
We operate in compliance with applicable privacy regulations including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and equivalent legislation in all jurisdictions where we operate.
1. Information We Collect
We collect information you provide directly and information collected automatically through your use of our services.
1.1 Information You Provide
- Contact and inquiry data: Name, business email address, phone number, company name, job title, and the content of your communications with us when you submit a consultation request, contact form, or other inquiry.
- Engagement data: Information necessary to scope and deliver security services, including network architecture details, asset inventories, and system configurations provided under a signed Non-Disclosure Agreement.
- Account credentials: If you access a client portal, we collect login credentials you create.
- Payment information: Billing name, company address, and payment method information processed through PCI-compliant third-party processors. We do not store full payment card numbers.
1.2 Automatically Collected Information
- Usage data: Pages visited, time spent, links clicked, and navigation patterns on our website.
- Technical data: IP address, browser type and version, operating system, referring URLs, and device identifiers.
- Cookies and similar technologies: Session cookies (essential only). We do not deploy advertising trackers. See our Cookie Notice.
2. How We Use Your Information
- To respond to consultation requests, inquiries, and support tickets.
- To deliver, manage, and improve our cybersecurity services.
- To send service-related communications, including engagement reports and invoices.
- To comply with legal obligations and regulatory requirements.
- To protect the security and integrity of our systems and services.
- To analyze aggregated, anonymized data for service improvement. No individual is identifiable in these analyses.
We do not sell your personal data to any third party. We do not use your information for behavioral advertising.
3. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data, subject to legal retention obligations.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Restriction: Request that we limit processing of your data in certain circumstances.
To exercise any of these rights, contact our Data Protection Officer at privacy@securespherelab.com. We will respond within 30 days.
4. Data Retention
We retain personal data for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, and resolve disputes. Specific retention periods:
Data category | Retention period | Basis
Client engagement data | 7 years | Legal/contractual obligation
Contact/inquiry data | 3 years from last interaction | Legitimate interest
Website analytics | 13 months rolling | Legitimate interest
Financial records | As required by applicable law | Legal obligation
5. Third-Party Processors
We engage third-party sub-processors to support service delivery. All sub-processors are contractually bound to process data only on our instructions and in accordance with this policy. A current list of sub-processors is available upon request.
6. International Transfers
We operate globally. Where data is transferred outside the EEA or your jurisdiction, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.
7. Contact & DPO
For privacy-related queries, contact:
These Terms of Service ("Terms") govern your access to and use of SecureSphereLabs' website, services, and deliverables ("Services"). By accessing our website or engaging our services, you agree to be bound by these Terms. If you disagree with any part of the Terms, you may not access the Services.
1. Scope of Services
SecureSphereLabs provides enterprise cybersecurity services including but not limited to: managed security operations, penetration testing, vulnerability management, red team engagements, and compliance advisory. The specific scope, deliverables, and acceptance criteria for each engagement are defined in a separate Statement of Work (SOW) or Master Services Agreement (MSA) executed between the parties.
These Terms apply to your use of our public website and any pre-sales communications. Client engagements are governed by the applicable MSA/SOW, which take precedence over these Terms in the event of any conflict.
2. Intellectual Property
All content on this website — including text, graphics, logos, methodology documentation, and software — is the intellectual property of SecureSphereLabs or its licensors and is protected by applicable copyright, trademark, and other IP laws.
Engagement deliverables (reports, assessments, recommendations) produced for clients under a signed agreement remain the property of the client upon full payment, subject to SecureSphereLabs retaining rights to use anonymized, aggregated findings for research and product improvement.
3. Acceptable Use
You agree not to use this website or our services to:
- Violate any applicable law, regulation, or third-party rights.
- Reverse-engineer, decompile, or attempt to extract source code from any SecureSphereLabs software or tool.
- Attempt unauthorized access to our systems, networks, or those of any third party without explicit written authorization.
- Transmit malicious code, viruses, or any material designed to interfere with the operation of our services.
- Misrepresent your identity, affiliation, or authority when engaging with our services or personnel.
- Use our brand, name, or deliverables without written authorization for promotional purposes.
4. Confidentiality
Information shared by clients in the course of an engagement is treated as strictly confidential. We operate under Non-Disclosure Agreements for all client engagements and maintain internal access controls to ensure that engagement data is accessible only to assigned team members.
Clients must not disclose engagement methodologies, proprietary tooling information, or unpublished vulnerability details received from SecureSphereLabs to third parties without our prior written consent.
5. Disclaimers & Limitation of Liability
The website and its content are provided "as is" without warranty of any kind, express or implied. SecureSphereLabs does not warrant that the website will be uninterrupted, error-free, or free of viruses or other harmful components.
To the maximum extent permitted by applicable law, SecureSphereLabs shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of this website. Liability limitations specific to service engagements are defined in the applicable MSA.
6. Governing Law
These Terms are governed by and construed in accordance with the laws of System Verified, without regard to its conflict of law provisions. Any disputes arising under these Terms shall be subject to the exclusive jurisdiction of courts located in System Verified.
7. Modifications
We reserve the right to modify these Terms at any time. We will provide reasonable notice of material changes. Continued use of the website following notice constitutes acceptance of the revised Terms.
SecureSphereLabs is committed to the responsible handling of security vulnerabilities. We value the contribution of security researchers, penetration testers, and the broader security community in identifying weaknesses in our public-facing infrastructure and services.
This policy defines how to report a vulnerability, what to expect from us, and what protections we extend to researchers who act in good faith.
1. In-Scope Systems
The following assets are in scope for security research and vulnerability disclosure:
DOMAIN: securespherelab.com
SUBDOMAIN: *.securespherelab.com
API: api.securespherelab.com
PORTAL: portal.securespherelab.com
OUT OF SCOPE:
- Third-party services and infrastructure
- Social engineering attacks against employees
- Physical security testing
- Denial-of-service attacks
- Automated scanning producing excessive load
2. Vulnerability Categories
We are particularly interested in the following vulnerability classes:
- Critical: Authentication bypass, Remote Code Execution (RCE), SQL injection with data exfiltration potential, privilege escalation to administrative access.
- High: Stored XSS, SSRF with internal network access, broken access controls with unauthorized data exposure, insecure deserialization.
- Medium: Reflected XSS, CSRF on sensitive actions, information disclosure, rate limiting bypass on authentication endpoints.
- Low / Info: Missing security headers, TLS configuration issues, verbose error messages. We review but may not act on all low-severity findings.
3. Reporting Process
To report a vulnerability, send an encrypted email to:
Email: security@securespherelab.com
PGP Key: System Verified
Subject: [DISCLOSURE] Brief vulnerability description
Your report should include:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce, including URLs, payloads, and screenshots where applicable.
- Your assessment of the severity (Critical / High / Medium / Low).
- Any proof-of-concept code (do not exploit beyond what is necessary to demonstrate the issue).
- Your preferred contact method for follow-up.
4. Our Response Commitments
- 24–48 hours: Acknowledgement of your report with a unique tracking reference.
- 5 business days: Initial triage, severity assessment, and status update.
- 30–90 days: Remediation target based on severity. We will keep you informed of progress.
- Post-fix: Coordinated public disclosure with researcher credit (if desired). Bug bounty consideration.
5. Safe Harbor
We extend good-faith safe harbor to security researchers who: (a) comply with this policy; (b) avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability; (c) do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it; and (d) do not perform denial-of-service attacks or social engineering.
We will not pursue legal action against researchers acting in good faith under this policy and will work with researchers to understand and validate their findings.
6. Recognition
Researchers who identify and responsibly disclose valid vulnerabilities will be acknowledged in our Security Hall of Fame with their consent. Bug bounty rewards may be available for qualifying Critical and High severity findings at our discretion.
The security.txt file is an industry standard (RFC 9116) that enables security researchers and automated tools to quickly identify how to report security vulnerabilities for any organization. We publish and maintain our security.txt file at the standard location on our domain.
Our security.txt File
The following is the canonical content of our security.txt file:
# SecureSphereLabs Security Contact
# RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116
Contact: mailto:security@securespherelab.com
Contact: https://securespherelab.com/legal#disclosure
Encryption: https://securespherelab.com/.well-known/pgp-key.txt
Acknowledgments: https://securespherelab.com/trust-center#hall-of-fame
Policy: https://securespherelab.com/legal#disclosure
Hiring: https://securespherelab.com/company#careers
Preferred-Languages: en
Expires: System Verified
Canonical: https://securespherelab.com/.well-known/security.txt
Deployment Instructions
To deploy your own security.txt, follow these steps:
- Create the directory /.well-known/ in the web root of your domain.
- Create the file security.txt within that directory with the content above, updated with your organization's details.
- Generate a PGP key pair for your security contact email. Publish the public key at the URL referenced in the Encryption field.
- Sign the security.txt file with your PGP private key (detached signature or inline cleartext signature).
- Set the Expires field to no more than one year in the future and update it annually.
- Verify the file is publicly accessible at https://yourdomain.com/.well-known/security.txt.
- Validate using the securitytxt.org validator.
Note for clients: As part of our Compliance Advisory service, we assist organizations in deploying and maintaining RFC 9116-compliant security.txt files as part of a broader Coordinated Vulnerability Disclosure (CVD) program. Contact us to learn more.
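The file shown above and the deployment steps both hinge on a handful of RFC 9116 rules that are easy to get wrong: Contact and Expires are mandatory, Expires must be an RFC 3339 date-time that is in the future but not more than a year away, single-valued fields must not repeat, and links should be https. The checker below is an added example written for this page, not SecureSphereLabs' own tooling or the securitytxt.org validator. It parses a security.txt (unwrapping an OpenPGP cleartext signature if one is present, without cryptographically verifying it), runs those checks, and reports what a researcher's tooling would trip over. The sample input is constructed from the file above with a hypothetical Expires date; the function and field names are the example's own.

```python
"""Parser and RFC 9116 sanity checker for security.txt (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample based on the page's file; the Expires value is a
# hypothetical placeholder date, not the organisation's real one.
SAMPLE = """\
# SecureSphereLabs Security Contact
Contact: mailto:security@securespherelab.com
Contact: https://securespherelab.com/legal#disclosure
Encryption: https://securespherelab.com/.well-known/pgp-key.txt
Acknowledgments: https://securespherelab.com/trust-center#hall-of-fame
Policy: https://securespherelab.com/legal#disclosure
Hiring: https://securespherelab.com/company#careers
Preferred-Languages: en
Expires: 2026-03-01T00:00:00.000Z
Canonical: https://securespherelab.com/.well-known/security.txt
"""

SINGLE_VALUED = ("Expires", "Preferred-Languages")
URL_FIELDS = ("Acknowledgments", "Canonical", "Encryption", "Hiring", "Policy")


def unwrap_cleartext_signature(text):
    """Return the signed body of an OpenPGP cleartext-signed file, or the
    text unchanged if it is not signed. Dash-escaped lines ('- ' prefix)
    are restored. The signature itself is NOT verified here."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body, in_headers = [], True      # "Hash: ..." headers end at first blank line
    for line in lines[1:]:
        if in_headers:
            in_headers = line.strip() != ""
            continue
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def parse_security_txt(text):
    """Map field name -> list of values, ignoring comments and blank lines."""
    fields = {}
    for raw in unwrap_cleartext_signature(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_rfc3339(value):
    """Parse an Expires value. RFC 9116 uses the RFC 3339 date-time format,
    whose trailing 'Z' is not accepted by fromisoformat before Python 3.11,
    so normalise it to an explicit +00:00 offset first."""
    v = value.strip()
    if v and v[-1] in "zZ":
        v = v[:-1] + "+00:00"
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return dt


def validate(fields, now=None, expected_canonical=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for required in ("Contact", "Expires"):
        if required not in fields:
            problems.append(f"missing required field: {required}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    for name in URL_FIELDS:
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} must be an https:// URL: {url}")
    if len(fields.get("Expires", [])) == 1:
        try:
            expires = parse_rfc3339(fields["Expires"][0])
        except ValueError:
            problems.append("Expires is not a valid RFC 3339 date-time")
        else:
            if expires <= now:
                problems.append("file has expired; researchers may ignore it")
            elif expires - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    if expected_canonical and "Canonical" in fields:
        if expected_canonical not in fields["Canonical"]:
            problems.append("Canonical does not list the URL the file is served from")
    return problems


def check_file(text, now=None, expected_canonical=None):
    """Convenience wrapper: raw text in, problem list out. `now` is an
    RFC 3339 string so runs are reproducible (None means the current time)."""
    when = parse_rfc3339(now) if now else None
    return validate(parse_security_txt(text), when, expected_canonical)


if __name__ == "__main__":
    for problem in check_file(SAMPLE) or ["OK"]:
        print(problem)
```

Run it against the file you actually serve (for example the body fetched from /.well-known/security.txt) and pass that URL as expected_canonical; a non-empty result is the list of fixes to make before the annual Expires refresh. Because the checker only unwraps a cleartext signature, verifying that the signature matches the published key is a separate step with your OpenPGP tooling.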
Why security.txt Matters
Faster Disclosure
Researchers and automated tools can identify the correct contact instantly, reducing the time between discovery and notification.
Regulatory Alignment
Required or recommended under NIS2, DORA, and various national cybersecurity frameworks for organizations operating critical infrastructure.
Trust Signal
Publishing a security.txt signals operational maturity and openness to the security research community — a recognized best practice.
Incident Reduction
Organizations with clear disclosure channels receive more responsible reports and suffer fewer incidents from undisclosed vulnerabilities.