Privacy Policy

Last updated: 2026-04-29

We process the minimum data needed, use no analytics or advertising cookies, and name every third party that sees your data. Engagement data is governed by your individual scope-of-work agreement.

Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other data-protection legislation is IJONIS UG (haftungsbeschränkt) (a German limited-liability company). Full mandatory disclosures (registered address, management, commercial register) are listed in our Imprint.

For privacy questions, you can reach us at ops@deepmantis.io.

Scope of this Privacy Policy

This Privacy Policy applies to the marketing website deepmantis.io and to the upstream onboarding flow (contact form, questionnaire, email verification, signing of the scope-of-work agreement).

Not covered here is processing that takes place during an active engagement on the DeepMantis platform. That processing is governed by your individual scope-of-work agreement and our Data Processing Agreement (DPA) — see the section on Engagement Data and Platform Use.

Lawful Bases for Processing

We process personal data only on one of the following lawful bases under Art. 6(1) GDPR:

  • Contact form: Art. 6(1)(b) GDPR (steps prior to entering into a contract) and Art. 6(1)(f) GDPR (legitimate interest in handling your enquiry).
  • Onboarding questionnaire: Art. 6(1)(b) GDPR (contract initiation and scope definition).
  • Email verification (OTP): Art. 6(1)(b) GDPR (a mandatory prerequisite for contract conclusion).
  • Signed agreement: Art. 6(1)(b) GDPR (contract conclusion) and Art. 6(1)(c) GDPR (compliance with statutory retention obligations under the German Commercial Code and Fiscal Code).
  • Server logs: Art. 6(1)(f) GDPR (legitimate interest in security, stability, and abuse prevention).

What Data We Collect

We collect only the data strictly required for each respective purpose:

Contact form

Mandatory fields: name, email address, company, target URL of the application to be tested, scope description. Optional: phone number. Submissions are screened for spam via Cloudflare Turnstile and delivered through Resend to our internal recipients (jamin@ijonis.com, keith@ijonis.com). A rate limit of five submissions per 60 seconds applies per IP address.

Onboarding questionnaire

Access is token-based; the token is issued individually per engagement outside of this website. Recorded fields are scope responses: in-scope hostnames, out-of-scope ranges, rate limits, and notes on fragile systems.

Email verification (OTP)

Email address and a single-use 6-digit code (valid for up to 24 hours). The code is delivered via Resend and stored in Supabase until verification is complete.

Signed agreement

First and last name, typed signature, cryptographic SHA-256 audit hash, timestamp, and IP address at the moment of signing. The resulting PDF is stored in Supabase as an audit artefact.

Server logs

IP address, user agent, request path, and timestamp — automatically captured by Vercel. Retention is approximately 30 days, per Vercel’s default setting.

Browser localStorage

We store only your language preference (locale) in your browser’s localStorage. This is not personal data and the value never leaves your device.

Sub-processors and Third-Party Services

The following third parties process personal data on our behalf. We have a Data Processing Agreement (DPA) under Art. 28 GDPR in place with each of them.

Vercel Inc.

Hosting, edge runtime, build pipeline

Region: Frankfurt (eu-central-1, region-pinned)

Supabase Inc.

Onboarding form storage, OTP records, signed-agreement audit trail

Region: EU (Paris, eu-west-3)

Resend Inc.

Transactional email — contact form replies, OTP delivery, agreement confirmations

Region: USA (third-country transfer per SCCs + EU-US Data Privacy Framework)

Cloudflare Inc. (Turnstile)

CAPTCHA on contact form (anti-spam)

Region: Global edge network

Google LLC (Calendar Booking)

External booking link only — you are redirected to calendar.app.google

Region: USA

Third-Country Transfers and Safeguards

Some of the providers listed above process data outside the European Economic Area (EEA). For those transfers we secure an adequate level of data protection through the following mechanisms:

  • Resend Inc. (USA): Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR plus certification under the EU-US Data Privacy Framework (DPF).
  • Cloudflare Inc. (global): Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR plus certification under the EU-US Data Privacy Framework (DPF).
  • Google LLC (USA): Standard Contractual Clauses (SCCs) plus certification under the EU-US Data Privacy Framework (DPF). Note: we do not embed a Google Calendar widget. You deliberately follow an outbound link to calendar.app.google — Google’s privacy policy applies only once you arrive there.
  • Anthropic PBC, Google LLC (Gemini API), OpenRouter Inc. (all USA): Standard Contractual Clauses (SCCs); for Google additionally certification under the EU-US Data Privacy Framework (DPF). Processing takes place exclusively within the DeepMantis platform (see Engagement Data and Platform Use).

Note on Schrems II: Despite these safeguards, US authority access to transferred data cannot be ruled out. We choose providers with EU regions wherever possible (Vercel, Supabase, Langfuse, and our self-hosted vLLM instance on Google Cloud are EU-only) and limit third-country transfers to what is technically necessary.

Retention Periods

We do not store personal data longer than is necessary for the respective purpose or required by law:

  • Contact-form enquiries without a follow-on engagement: 12 months, then deleted.
  • Onboarding and questionnaire data per engagement: as set out in the individual scope-of-work agreement, by default 24 months after engagement completion.
  • Signed agreements: 10 years, in line with the retention obligations under HGB § 257 (German Commercial Code) and AO § 147 (German Fiscal Code).
  • OTP records: deleted after verification, at the latest after 24 hours.
  • Server logs (Vercel): approximately 30 days, per the hosting provider’s default setting.
  • Email metadata at Resend: in line with Resend’s standard retention periods (see their privacy policy).

Cookies and Tracking

We do not use analytics, advertising, or tracking cookies. Because we set no consent-requiring cookies, no cookie banner is needed.

Specifically: no Google Analytics, no Vercel Analytics, no PostHog, no Meta Pixel, no LinkedIn Insight Tag, no Hotjar, no session recording. Neither client-side nor server-side.

Strictly necessary (no consent required):

  • A localStorage entry for your language preference (locale).
  • Short-lived session cookies set by Vercel and Cloudflare to deliver this website securely (session IDs, CSRF and security tokens).
  • Cloudflare Turnstile briefly sets a cookie during the CAPTCHA check on the contact form to detect bots; it is removed once the check completes.

Your Rights as a Data Subject

Under the GDPR you have extensive rights with respect to us as the data controller:

  • Access (Art. 15 GDPR): you can request information about which of your data we process.
  • Rectification (Art. 16 GDPR): you can request the correction of inaccurate data or completion of incomplete data.
  • Erasure (Art. 17 GDPR, “right to be forgotten”): you can request deletion of your data, provided no statutory retention obligations stand in the way.
  • Restriction of processing (Art. 18 GDPR): you can have the processing of your data restricted under certain conditions.
  • Data portability (Art. 20 GDPR): you can request release of your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21 GDPR): you can object to the processing of your data on grounds relating to your particular situation — in particular for processing based on Art. 6(1)(f) GDPR.
  • No automated decision-making (Art. 22 GDPR): we do not make decisions about you that are based solely on automated processing and produce legal effects.

To exercise your rights, email us at ops@deepmantis.io. We respond within 30 days, in line with Art. 12(3) GDPR.

Lodging a Complaint with the Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority. The authority responsible for us is:

Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit)
Thomas Fuchs
Ludwig-Erhard-Str. 22, 7th floor
20459 Hamburg, Germany
Phone: +49 40 428 54-40 40
Email: mailbox@datenschutz.hamburg.de
Website: https://datenschutz-hamburg.de/

Security of Processing

We implement technical and organisational measures under Art. 32 GDPR to protect your data against unauthorised access, loss, and alteration:

  • TLS 1.3 for every connection between browser and server.
  • Encryption of sensitive data in Supabase (AES-256 at rest, on EU infrastructure).
  • Row-Level Security (RLS) on Supabase databases — no cross-engagement access to other customers’ data.
  • OTP-gated agreement signing with a cryptographic SHA-256 audit hash and a timestamped audit trail.
  • Strict access controls on production systems, audit logging, and regular review of access rights.

Engagement Data and Platform Use

Once you commission an engagement, additional processing takes place via the DeepMantis platform. The list below supplements the website-stack processors above. Specific processing purposes, retention periods, and technical and organisational measures are governed by your individual scope-of-work agreement and our Data Processing Agreement (DPA) — both available on request at ops@deepmantis.io.

AI and LLM processing

During an engagement the DeepMantis platform uses large language models (LLMs) for autonomous vulnerability analysis. Where required to demonstrate a given vulnerability, engagement content is transmitted to these models — including target URLs, HTTP requests and responses, vulnerability context, and findings to be evidenced in the report. The scope is limited to what is required to prove the specific vulnerability concerned (see § 5 of our Terms). We currently use:

  • Anthropic (Claude models) — commercial API. Anthropic does not train its models on API data under its Commercial Terms.
  • Google (Gemini API) — paid tier. Google does not train its models on paid-tier API data.
  • OpenRouter — routing layer for supplementary models.
  • Self-hosted vLLM instance on Google Cloud (europe-west4, Netherlands) — open-weights models from the Qwen3 family for NDA engagements; dedicated per tenant, no third-party sharing.

IJONIS does not use this data to train AI models. For the US providers (Anthropic, Google, OpenRouter), third-country transfer is based on Standard Contractual Clauses (SCCs); for Google additionally on the EU-US Data Privacy Framework (DPF).

OSINT and reconnaissance lookups

As part of passive reconnaissance the platform queries publicly available APIs to surface known vulnerabilities, exposed repositories, or leaked credentials. Only engagement metadata is transmitted (for example, domain names, email addresses being checked) — no customer data in the narrow sense. Currently used services:

  • GitHub API — code dorking and CI/CD configuration review (USA, GitHub Inc.).
  • Censys — passive infrastructure reconnaissance (USA, Censys Inc.).
  • Have I Been Pwned (HIBP) — checks against known breach corpora; queries are sent with a hashed email address, never in clear text (Australia/UK).

Observability

For quality assurance and platform debugging, sampled traces of LLM calls are sent to Langfuse (EU region). The sampling rate is reduced by engagement phase; sensitive content is redacted prior to transmission where technically feasible.

Changes to this Privacy Policy

We update this Privacy Policy when our processing activities or the legal landscape change. The current version, with its revision date, is always available here. For material changes we notify you by email before they take effect (provided we have your email address).

Privacy Contact

For privacy questions, you can reach us at ops@deepmantis.io.

We have not appointed an external Data Protection Officer — this role is not legally required at our company size. Requests are handled directly by management.