Updated On: 5/14/2026

Threat Breaker — Privacy Policy

1. Introduction

This Privacy Policy describes how TBCS Inc. ("Threat Breaker", "we", "us", or "our") collects, uses, shares, and protects information when our customers deploy the Threat Breaker endpoint detection and response (EDR) software on their managed devices and when administrators use the Threat Breaker management dashboard.

Threat Breaker is a business-to-business (B2B) security product. The personal data we process is, in most cases, processed on behalf of our customers, who act as the data controllers in respect of the end users (typically their employees, contractors, or end-customers). We act as the data processor in such relationships and process data only in accordance with the Data Processing Agreement (DPA) executed with each customer.

If you are an end user whose employer or service provider has deployed Threat Breaker on a device you use, please refer to that organization's privacy notice for primary information about how your data is handled. This document provides additional transparency into how our software functions.

2. Information We Collect

Threat Breaker is a security tool whose purpose is to detect malicious or anomalous activity on protected endpoints. To perform this function, the software collects telemetry data about system activity. The categories of data are listed below.

2.1 Endpoint telemetry

  • Process activity: executable file paths, command-line arguments, process identifiers (PIDs), parent process relationships, executable hashes (SHA-256), code signature information (signed/unsigned status and signer name where available), and process start/end timestamps.

  • File system events: file paths and operations (create, modify, rename, delete) within monitored directories, plus SHA-256 hashes of changed files. File contents themselves are not collected, except where a file is explicitly quarantined or submitted to forensics by an authorized administrator.

  • Network connections: local and remote IP addresses, ports, protocols, hostnames resolved via DNS, and associations with the originating process. Packet payloads are not collected.

  • System information: operating system name and version, kernel version, machine identifier (UUID), hostname, MAC addresses of network adapters, installed software inventory (for vulnerability matching against CVE databases), and hardware specifications (CPU model, total RAM).

  • Performance metrics: current CPU utilization, memory usage, disk usage, and agent uptime — collected with each heartbeat for service health monitoring and dashboard display.

  • Authentication events: logon and logoff events, including the operating-system account name of the currently logged-in user, and (on Linux/macOS) entries from system login logs. Passwords and authentication tokens are never collected.

  • Forensic snapshots: when an administrator triggers a forensic action on a high-severity incident, the agent collects a snapshot containing: the full process list, currently-open network connections, scheduled tasks and cron entries, persistence locations (autorun keys, LaunchDaemons/LaunchAgents, systemd units, login items), recent login records, and recent system log entries (Windows Event Log / journalctl / Unified Log).

  • Screen captures: when an administrator with appropriate role permissions invokes the screen-capture action on a specific endpoint, the agent captures the current screen of that endpoint as a PNG image and transmits it to the dashboard. Screen captures are not collected automatically — only on explicit administrator action — and are subject to the customer's own deployment-policy controls (which may further restrict who can invoke this action and on which endpoints).

2.2 Dashboard usage data

  • Account data: administrator email address, full name, role, and authentication identifiers.

  • Session data: login timestamps, IP addresses used to access the dashboard, browser user-agent strings, and audit log entries reflecting administrative actions.

  • Communication preferences: settings related to email notifications, scheduled reports, and integration webhooks.

2.3 Information we do not collect

We do not collect: file contents (other than the explicit quarantine and forensics cases noted above), full network packet payloads, keystrokes, browser history outside of network connection telemetry, or passwords and authentication tokens. Screen captures are not collected automatically — only on explicit administrator action as described in Section 2.1.

3. Purpose and Legal Basis for Processing

We process the categories of data described above for the following purposes:

  • Threat detection and response: to identify malicious software, intrusions, policy violations, and anomalous activity on customer endpoints.

  • Incident investigation: to provide administrators with the context necessary to understand and remediate detected incidents.

  • Software performance and reliability: to detect errors, crashes, or performance regressions in the agent or dashboard, and to improve them.

  • Product analytics: limited aggregated, non-personally-identifying metrics to understand feature usage and prioritize development.

  • Compliance and regulatory reporting: where customers use Threat Breaker to satisfy their own compliance obligations, we make data available to support those obligations.

Our legal basis for processing under the General Data Protection Regulation (GDPR), the UK GDPR, and analogous regimes is:

  • Performance of a contract (Article 6(1)(b)) with our customer, under whose instructions we process endpoint and dashboard data;

  • Legitimate interests (Article 6(1)(f)) in maintaining the security and integrity of our services and our customers' networks, as well as in pursuing product improvements that are essential to delivering security efficacy;

  • Legal obligation (Article 6(1)(c)) where applicable, such as for tax records, financial reporting, or response to lawful regulatory inquiries.

4. How We Share Information

Threat Breaker does not sell personal data. We share the categories of data described above only with the following recipients:

  • Our customers: the data collected by the agent on a customer's endpoints is made available exclusively to that customer's authorized administrators through the Threat Breaker dashboard. Data is isolated per customer; one customer cannot access another customer's data.

  • Threat Breaker personnel: members of our engineering and customer-success teams may access customer data on a need-to-know basis, exclusively to provide support, investigate technical issues, or fulfill the customer's instructions. Access is logged and audited.

  • Legal authorities: we may disclose information when compelled to do so by a valid legal process (subpoena, court order, regulatory demand) or where disclosure is necessary to protect our rights, property, or the safety of users.

  • In the context of a corporate transaction: in the event of a merger, acquisition, financing, or sale of all or part of our business, customer data may be transferred to the acquiring or surviving entity, subject to confidentiality protections.

  • Service providers (sub-processors): we use the specific third-party processors listed in Section 4.1 below. Each is bound by a written data processing agreement with terms at least as protective as those we accept with our customers.

4.1 Current sub-processors

The following third-party processors receive specific, limited categories of customer data to perform discrete functions necessary for the delivery of the service. The list is current as of the effective date of this policy and is updated when sub-processors are added, removed, or replaced.

  • Anthropic, PBC (Claude API) — AI-assisted incident analysis. When an administrator (or our automated workflow on high-severity incidents) requests AI-generated analysis of a detected threat, the metadata of that incident is transmitted to Anthropic's Claude API endpoint (api.anthropic.com). The data transmitted includes: the detection rule name, severity, textual description, contextual details (process name, command-line, file path, network endpoint), MITRE ATT&CK classification, and timestamp. Raw file contents, network packet payloads, screen captures, and customer credentials are never transmitted to Anthropic. Anthropic processes the request to generate a natural-language analysis and does not retain the data for model training, in accordance with their commercial-tier API terms. Region: United States.

  • VirusTotal (Google LLC / Chronicle) — file reputation lookups. When a file is observed on a monitored endpoint, the agent computes its SHA-256 hash and, when reputation information is requested by an administrator (or as part of automated enrichment for high-severity detections), the hash value alone is transmitted to VirusTotal's API (virustotal.com/api/v3/files). Only the hash is transmitted — the file itself, its path, its contents, and the host on which it was observed are not transmitted. Region: United States.

  • Hosting infrastructure provider — operational hosting of Threat Breaker dashboard and License Manager. All customer telemetry data, dashboard account data, and audit logs are stored on infrastructure operated by OVHcloud, under a data processing agreement which requires the provider to act only on our documented instructions and to implement appropriate technical and organizational security measures.

  • Email delivery provider — outbound transactional and notification emails. Emails sent by the dashboard (account verification, scheduled reports, incident notifications, password resets) are delivered via Google (Gmail). The data transmitted is limited to the recipient email address, subject line, message body, and any report attachments configured by the administrator.

The Company maintains a current list of sub-processors engaged in the processing of Personal Data (the “Sub-processor List”), which shall be made available to Customers upon request or via the Company’s website.

The Company may update the Sub-processor List from time to time to reflect changes in its operations or service delivery.

The Company shall use reasonable efforts to ensure that any sub-processors engaged provide an appropriate level of data protection consistent with applicable data protection laws and the terms of this Agreement.

5. International Data Transfers

Threat Breaker operates infrastructure in multiple geographic regions. Depending on the customer's deployment region, telemetry data may be processed and stored in the European Economic Area, the United Kingdom, the United States, or other regions disclosed to the customer at the time of contracting.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a recipient in a country that has not been deemed by the European Commission or the corresponding authority to provide an adequate level of data protection, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms permitted by applicable law.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. The default retention periods for the principal categories of data are:

  • Endpoint telemetry and incident data: ninety (90) days from collection, unless the customer has contracted for an extended retention period. Customers may also configure shorter retention.

  • Dashboard audit logs: twelve (12) months.

  • Account data: for the duration of the customer's contract, plus a reasonable period thereafter for transition and dispute resolution (typically not exceeding ninety (90) days post-termination).

  • Backups: backup copies may persist for up to thirty (30) days after data is removed from primary systems, after which they are securely overwritten.

After the applicable retention period expires, data is either deleted or anonymized such that it can no longer be associated with an identifiable individual.

7. Security

We employ administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of the data we hold. These include:

  • Encryption of data in transit using TLS 1.2 or later (TLS 1.3 preferred, with fallback to TLS 1.2), with certificate pinning between agents and our infrastructure;

  • Encryption of data at rest using AES-256-GCM or equivalent;

  • Network segmentation, principle of least privilege, and access control mechanisms with multi-factor authentication for administrative access to production systems;

  • Logging and monitoring of access to production systems and customer data;

  • Self-protection mechanisms on endpoint agents: anti-debug checks, anti-tamper integrity verification (SHA-256 hash of the agent binary verified at runtime), single-instance locking, and signed-binary verification of update payloads before installation;

  • Independent security assessments and penetration testing performed at regular intervals (minimum annually);

  • Vulnerability management and timely patching of infrastructure components;

  • Personnel screening, training, and confidentiality obligations for individuals with access to customer data.

No method of electronic transmission or storage is absolutely secure. While we strive to use commercially acceptable means to protect personal data, we cannot guarantee its absolute security.

8. Your Rights

Depending on your jurisdiction, you may have certain rights regarding the personal data we hold about you, including the rights to:

  • Access the personal data we hold about you;

  • Request correction of inaccurate or incomplete data;

  • Request erasure of your personal data, subject to certain legal exceptions;

  • Restrict or object to certain processing;

  • Request portability of your data in a structured, commonly used format;

  • Lodge a complaint with a data protection authority in your jurisdiction.

If you are an end user of an organization that has deployed Threat Breaker on your device, please direct rights requests first to that organization. If you have not received a response or believe the response is inadequate, you may contact us directly using the details in Section 11, and we will assist the responsible organization in fulfilling the request.

9. Cookies and Similar Technologies

The Threat Breaker administrative dashboard uses cookies and similar local-storage mechanisms strictly necessary for authentication, session management, security (including protection against cross-site request forgery), and user preferences. We do not use the dashboard to deploy advertising or third-party analytics trackers. Endpoint agents do not use cookies.

10. Children

Threat Breaker is a business product not intended for use by individuals under the age of sixteen (16). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to delete that information.

11. Contact

Questions, requests under applicable data protection law, or other inquiries regarding this Privacy Policy or our data practices may be directed to:

TBCS Inc.

910 Cherry Street, Panama City, FL 32401

Email: privacy@threatbreaker.com

The Company has determined that it is not obligated to appoint a Data Protection Officer pursuant to Article 37 of the GDPR and has therefore not designated one.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational factors. When we make material changes, we will notify customers through the dashboard and update the "Effective date" at the top of this document. The most current version of this Policy is always available at https://threatbreaker.com/privacy.

Updated On:

5/14/2026

Threat Breaker — Privacy Policy

1. Introduction

This Privacy Policy describes how TBCS Inc. ("Threat Breaker", "we", "us", or "our") collects, uses, shares, and protects information when our customers deploy the Threat Breaker endpoint detection and response (EDR) software on their managed devices and when administrators use the Threat Breaker management dashboard.

Threat Breaker is a business-to-business (B2B) security product. The personal data we process is, in most cases, processed on behalf of our customers, who act as the data controllers in respect of the end users (typically their employees, contractors, or end-customers). We act as the data processor in such relationships and process data only in accordance with the Data Processing Agreement (DPA) executed with each customer.

If you are an end user whose employer or service provider has deployed Threat Breaker on a device you use, please refer to that organization's privacy notice for primary information about how your data is handled. This document provides additional transparency into how our software functions.

2. Information We Collect

Threat Breaker is a security tool whose purpose is to detect malicious or anomalous activity on protected endpoints. To perform this function, the software collects telemetry data about system activity. The categories of data are listed below.

2.1 Endpoint telemetry

  • Process activity: executable file paths, command-line arguments, process identifiers (PIDs), parent process relationships, executable hashes (SHA-256), code signature information (signed/unsigned status and signer name where available), and process start/end timestamps.

  • File system events: file paths and operations (create, modify, rename, delete) within monitored directories, plus SHA-256 hashes of changed files. File contents themselves are not collected, except where a file is explicitly quarantined or submitted to forensics by an authorized administrator.

  • Network connections: local and remote IP addresses, ports, protocols, hostnames resolved via DNS, and associations with the originating process. Packet payloads are not collected.

  • System information: operating system name and version, kernel version, machine identifier (UUID), hostname, MAC addresses of network adapters, installed software inventory (for vulnerability matching against CVE databases), and hardware specifications (CPU model, total RAM).

  • Performance metrics: current CPU utilization, memory usage, disk usage, and agent uptime — collected with each heartbeat for service health monitoring and dashboard display.

  • Authentication events: logon and logoff events, including the operating-system account name of the currently logged-in user, and (on Linux/macOS) entries from system login logs. Passwords and authentication tokens are never collected.

  • Forensic snapshots: when an administrator triggers a forensic action on a high-severity incident, the agent collects a snapshot containing: the full process list, currently-open network connections, scheduled tasks and cron entries, persistence locations (autorun keys, LaunchDaemons/LaunchAgents, systemd units, login items), recent login records, and recent system log entries (Windows Event Log / journalctl / Unified Log).

  • Screen captures: when an administrator with appropriate role permissions invokes the screen-capture action on a specific endpoint, the agent captures the current screen of that endpoint as a PNG image and transmits it to the dashboard. Screen captures are not collected automatically — only on explicit administrator action — and are subject to the customer's own deployment-policy controls (which may further restrict who can invoke this action and on which endpoints).

2.2 Dashboard usage data

  • Account data: administrator email address, full name, role, and authentication identifiers.

  • Session data: login timestamps, IP addresses used to access the dashboard, browser user-agent strings, and audit log entries reflecting administrative actions.

  • Communication preferences: settings related to email notifications, scheduled reports, and integration webhooks.

2.3 Information we do not collect

We do not collect: file contents (other than the explicit quarantine and forensics cases noted above), full network packet payloads, keystrokes, browser history outside of network connection telemetry, or passwords and authentication tokens. Screen captures are not collected automatically — only on explicit administrator action as described in Section 2.1.

3. Purpose and Legal Basis for Processing

We process the categories of data described above for the following purposes:

  • Threat detection and response: to identify malicious software, intrusions, policy violations, and anomalous activity on customer endpoints.

  • Incident investigation: to provide administrators with the context necessary to understand and remediate detected incidents.

  • Software performance and reliability: to detect errors, crashes, or performance regressions in the agent or dashboard, and to improve them.

  • Product analytics: limited aggregated, non-personally-identifying metrics to understand feature usage and prioritize development.

  • Compliance and regulatory reporting: where customers use Threat Breaker to satisfy their own compliance obligations, we make data available to support those obligations.

Our legal basis for processing under the General Data Protection Regulation (GDPR), the UK GDPR, and analogous regimes is:

  • Performance of a contract (Article 6(1)(b)) with our customer, under whose instructions we process endpoint and dashboard data;

  • Legitimate interests (Article 6(1)(f)) in maintaining the security and integrity of our services and our customers' networks, as well as in pursuing product improvements that are essential to delivering security efficacy;

  • Legal obligation (Article 6(1)(c)) where applicable, such as for tax records, financial reporting, or response to lawful regulatory inquiries.

4. How We Share Information

Threat Breaker does not sell personal data. We share the categories of data described above only with the following recipients:

  • Our customers: the data collected by the agent on a customer's endpoints is made available exclusively to that customer's authorized administrators through the Threat Breaker dashboard. Data is isolated per customer; one customer cannot access another customer's data.

  • Threat Breaker personnel: members of our engineering and customer-success teams may access customer data on a need-to-know basis, exclusively to provide support, investigate technical issues, or fulfill the customer's instructions. Access is logged and audited.

  • Legal authorities: we may disclose information when compelled to do so by a valid legal process (subpoena, court order, regulatory demand) or where disclosure is necessary to protect our rights, property, or the safety of users.

  • In the context of a corporate transaction: in the event of a merger, acquisition, financing, or sale of all or part of our business, customer data may be transferred to the acquiring or surviving entity, subject to confidentiality protections.

  • Service providers (sub-processors): we use the specific third-party processors listed in Section 4.1 below. Each is bound by a written data processing agreement with terms at least as protective as those we accept with our customers.

4.1 Current sub-processors

The following third-party processors receive specific, limited categories of customer data to perform discrete functions necessary for the delivery of the service. The list is current as of the effective date of this policy and is updated when sub-processors are added, removed, or replaced.

  • Anthropic, PBC (Claude API) — AI-assisted incident analysis. When an administrator (or our automated workflow on high-severity incidents) requests AI-generated analysis of a detected threat, the metadata of that incident is transmitted to Anthropic's Claude API endpoint (api.anthropic.com). The data transmitted includes: the detection rule name, severity, textual description, contextual details (process name, command-line, file path, network endpoint), MITRE ATT&CK classification, and timestamp. Raw file contents, network packet payloads, screen captures, and customer credentials are never transmitted to Anthropic. Anthropic processes the request to generate a natural-language analysis and does not retain the data for model training, in accordance with their commercial-tier API terms. Region: United States.

  • VirusTotal (Google LLC / Chronicle) — file reputation lookups. When a file is observed on a monitored endpoint, the agent computes its SHA-256 hash and, when reputation information is requested by an administrator (or as part of automated enrichment for high-severity detections), the hash value alone is transmitted to VirusTotal's API (virustotal.com/api/v3/files). Only the hash is transmitted — the file itself, its path, its contents, and the host on which it was observed are not transmitted. Region: United States.

  • Hosting infrastructure provider — operational hosting of Threat Breaker dashboard and License Manager. All customer telemetry data, dashboard account data, and audit logs are stored on infrastructure operated by OVHcloud, under a data processing agreement which requires the provider to act only on our documented instructions and to implement appropriate technical and organizational security measures.

  • Email delivery provider — outbound transactional and notification emails. Emails sent by the dashboard (account verification, scheduled reports, incident notifications, password resets) are delivered via Google/gmail. The data transmitted is limited to the recipient email address, subject line, message body, and any report attachments configured by the administrator.

The Company maintains a current list of sub-processors engaged in the processing of Personal Data (the “Sub-processor List”), which shall be made available to Customers upon request or via the Company’s website.

The Company may update the Sub-processor List from time to time to reflect changes in its operations or service delivery.

The Company shall use reasonable efforts to ensure that any sub-processors engaged provide an appropriate level of data protection consistent with applicable data protection laws and the terms of this Agreement.

5. International Data Transfers

Threat Breaker operates infrastructure in multiple geographic regions. Depending on the customer's deployment region, telemetry data may be processed and stored in the European Economic Area, the United Kingdom, the United States, or other regions disclosed to the customer at the time of contracting.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a recipient in a country that has not been deemed by the European Commission or the corresponding authority to provide an adequate level of data protection, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms permitted by applicable law.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. The default retention periods for the principal categories of data are:

  • Endpoint telemetry and incident data: ninety (90) days from collection, unless the customer has contracted for an extended retention period. Customers may also configure shorter retention.

  • Dashboard audit logs: twelve (12) months

  • Account data: for the duration of the customer's contract, plus a reasonable period thereafter for transition and dispute resolution (typically not exceeding ninety (90) days post-termination).

  • Backups: backup copies may persist for up to thirty (30) days after data is removed from primary systems, after which they are securely overwritten.

After the applicable retention period expires, data is either deleted or anonymized such that it can no longer be associated with an identifiable individual.

7. Security

We employ administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of the data we hold. These include:

  • Encryption of data in transit using TLS 1.3 + fallback 1.2 or 1.2+, with certificate pinning between agents and our infrastructure;

  • Encryption of data at rest using AES-256-GCM or equivalent;

  • Network segmentation, principle of least privilege, and access control mechanisms with multi-factor authentication for administrative access to production systems;

  • Logging and monitoring of access to production systems and customer data;

  • Self-protection mechanisms on endpoint agents: anti-debug checks, anti-tamper integrity verification (SHA-256 hash of the agent binary verified at runtime), single-instance locking, and signed-binary verification of update payloads before installation;

  • Independent security assessments and penetration testing performed at regular intervals (minimum annually);

  • Vulnerability management and timely patching of infrastructure components;

  • Personnel screening, training, and confidentiality obligations for individuals with access to customer data.

No method of electronic transmission or storage is absolutely secure. While we strive to use commercially acceptable means to protect personal data, we cannot guarantee its absolute security.

8. Your Rights

Depending on your jurisdiction, you may have certain rights regarding the personal data we hold about you, including the rights to:

  • Access the personal data we hold about you;

  • Request correction of inaccurate or incomplete data;

  • Request erasure of your personal data, subject to certain legal exceptions;

  • Restrict or object to certain processing;

  • Request portability of your data in a structured, commonly used format;

  • Lodge a complaint with a data protection authority in your jurisdiction.

If you are an end user of an organization that has deployed Threat Breaker on your device, please direct rights requests first to that organization. If you have not received a response or believe the response is inadequate, you may contact us directly using the details in Section 11, and we will assist the responsible organization in fulfilling the request.

9. Cookies and Similar Technologies

The Threat Breaker administrative dashboard uses cookies and similar local-storage mechanisms strictly necessary for authentication, session management, security (including protection against cross-site request forgery), and user preferences. We do not use the dashboard to deploy advertising or third-party analytics trackers. Endpoint agents do not use cookies.

10. Children

Threat Breaker is a business product not intended for use by individuals under the age of sixteen (16). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to delete that information.

11. Contact

Questions, requests under applicable data protection law, or other inquiries regarding this Privacy Policy or our data practices may be directed to:

   TBCS Inc.

910 Cherry Street, Panama City, F L 32401    

Email: privacy@threatbreaker.com

The Company has determined that it is not obligated to appoint a Data Protection Officer pursuant to Article 37 of the GDPR and has therefore not designated one.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational factors. When we make material changes, we will notify customers through the dashboard and update the "Effective date" at the top of this document. The most current version of this Policy is always available at https://threatbreaker.com/privacy.
