General Terms and Conditions


You are advised to read these General Terms and Conditions carefully as they, in conjunction with Client Terms and Conditions or the Hunter Terms and Conditions, govern Client’s or Hunter’s use of the Services.


Client or Hunter is not allowed to use the Services, or any aforementioned parts, for any third party’s benefit or in any way not permitted by the Terms.


Modifications may at any time be made by SecureBug, and in such case, Clients and/or Hunters will be notified in advance. If such changes are not objected to in writing by the Client or Hunter while continuing to use the Services, it is considered that the Client and Hunter have agreed to be bound by the modified Terms.


Both SecureBug and Client understand that they may receive Confidential Information of one another. Hunter also understands that they may receive Confidential Information of both Client and SecureBug. The receiving side is bound not to disclose any confidential information to any third party for any purpose not included in the Terms. Clients and Hunters acknowledge and agree that SecureBug Aggregate Data is not Confidential Information and consent to the collection and use of SecureBug Aggregate Data.


SecureBug employs a Privacy Policy, which defines how SecureBug collects, uses, and discloses information from its Clients and Hunters with respect to the Services. Please refer to our Cookies Policy for further information.


SecureBug’s Platform security pertaining to its Services is described in the Data & Information Security Policy section.


SecureBug’s Vulnerability Disclosure Guidelines, describing the default policy that determines Hunter’s Submissions through the Services, will be applicable to the Services. In case of any disparities or inconsistencies, individual Program Policies will replace SecureBug’s Vulnerability Disclosure Guidelines.


Each party is bound to conform to all Applicable Law regarding the performance of its obligations and the exercise of its rights in the Services. Without imposing restrictions on the aforementioned, SecureBug respects copyright law in every aspect of its business and expects its Clients and Hunters to do the same. SecureBug has the right to terminate Clients and Hunters in the event they infringe the rights of copyright holders. For more information, please refer to Copyright and IP policy.


SecureBug may include in its Services links to third party websites or resources solely for the purpose of convenience and is not liable for the content, products, services or links available on such websites. Each Client and Hunter is deemed liable for using such third party websites and resources and the risks involved for such use.








Please bear in mind that any Client’s and/or Hunter’s name and/or logo may be publicized by SecureBug for advertising purposes describing the relationship between parties.


The total and exclusive agreement between SecureBug and Client or Hunter is comprised of the Terms and any applicable executed Order Form referring to the Terms, which supersede and replace any and all previous oral or written agreements between SecureBug and Client or Hunter pertaining to the Services. In the event any provision of the Terms is rendered prohibited, invalid, or otherwise unenforceable by legal authority of competent jurisdiction, the other provisions of the Terms shall remain enforceable, and the invalid or unenforceable provision shall be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. The Terms are assignable by SecureBug and will bind and inure to the benefit of the parties, their successors, and assigns. Client or Hunter is not allowed to assign the Terms without SecureBug’s prior written approval.

SecureBug may communicate or provide any notices under the Terms, including any possible modifications to the Terms, via email or through posts on the SecureBug website.

In the event any party fails to enforce any right or provision of the Terms, this will not be deemed as a waiver of such right or provision. Such waiver will only be accepted if it is written and signed by a duly authorized representative of the party issuing such waiver.

Customer Terms and Conditions


We highly recommend that all our Clients read these Terms and Conditions carefully before using SecureBug Services.


Hereby you agree to our Terms and Conditions by using our Services as a Client and therefore you are bound by the Client Terms and Conditions here and the General Terms and Conditions.
Please feel free to contact us in case you do not understand any terms used in these terms and conditions. Remember that you are not allowed to use or access our Services without agreeing to adhere to all of these Client Terms and Conditions and the General Terms and Conditions (altogether called Agreement hereinafter).

Note: All the terms used here in Capital are defined in the glossary section, which can be found here at the General Terms and Conditions.


1. SecureBug Platform. The Client agrees to access and use the Platform only for its business and its affiliates so as to connect to Hunters and use the Services either issued and elaborated in an Order Form by SecureBug or agreed by both SecureBug and Client in advance. The Client may devise Programs under which it offers Rewards to Hunters for their Submissions. If Hunters are eager to take part in Programs offered by SecureBug through its Platform and make Submissions under Hunter Terms and Conditions or Program Policy, they can either browse the Programs or simply call the Client via SecureBug Platform. SecureBug may change all or any part of its Platform or Site, only if such changes conform to the Terms of the Agreement and do not affect the Services provided to the Clients.

2. Services at SecureBug. The Services provided by SecureBug are previously elaborated in a fully executed Order Form or otherwise agreed by both SecureBug and the Client.

3. Services by Third Party. The Services may include Third Party Services provided by the third party to the Client if these Services are elaborated on a completely executed Order Form. SecureBug is neither liable for Third Party Services nor makes any warranty or representation regarding such Services. Once the Client purchases Third Party Services, the Client agrees to conform to any terms and conditions provided to the Client by the Third Party Services provider that is in charge of the use of the applicable Third Party Services. Unless otherwise agreed, the Client will settle payments for the Third Party Services directly to SecureBug within 30 days of issuing the invoice, and SecureBug will pay the Third Party Services provider.

4. Hunters Using SecureBug’s Platform Services. In case a Client or an employee of a Client wishes to access and utilize the Services as a Hunter with the agreement of the Hunter, then the Hunter Terms and Conditions will govern the Client’s or the Client’s employee’s use of the Services, as a Hunter. The Hunter Terms and Conditions are independent of, and in addition to, these Client Terms and Conditions. In such case, the Client or the Client’s employee, is solely liable for practicing the Hunter’s obligations under the Hunter Terms and Conditions.

Hunter Submissions and Hunters

1. Hunters are not endorsed by SecureBug. SecureBug is not held liable for any loss, harm or damage incurred as a result of interactions between Clients and Hunters, or Clients and other Clients, either through the Services or otherwise. SecureBug may present reputation and description for Hunters, which, however, does not mean an endorsement of any type by SecureBug. The Client will select and use any Hunter at their own risk.

2. SecureBug does not endorse, represent, or guarantee the completeness, truthfulness, reliability or accuracy of any Hunter Submission. SecureBug is not responsible for any omissions or errors in any Hunter Submission, or any damage or loss of any type, resulting from the use of Hunter Submission.
3. Hunters are considered independent third parties participating in Programs connecting them to Clients through the Services. Hunters are not by any means SecureBug’s employees, contractors, or agents. Unless SecureBug clearly agrees otherwise in writing, the Client agrees that any legal remedy that the Client pursues to obtain for actions or omissions of a Hunter with respect to the Client’s Program or Hunter Submissions will be confined to a claim against the particular Hunter. Any agreement, interaction, or contract between a Client and a Hunter, including anything related to Client Program Policy, will be between the Client and the Hunter only, and SecureBug has no connection with such agreements or contracts and therefore shall disclaim all the concerning liabilities relating to such contracts or agreements.


1. Rewards. Based on the Program Policy and according to the Client’s Program, a Client may grant rewards to Hunters who make Submissions while participating in the Client’s Program and/or making Hunter Submissions that meet the Client’s requirements. SecureBug agrees to take care of such Reward payments on behalf of such Clients, but only if SecureBug receives a Reward prepayment from the Client for the Program or the Client has a credit card on file with SecureBug. SecureBug takes no liability for delays in payments outside its reasonable authority, or unless otherwise with prior agreement in an Order Form by SecureBug, for processing or providing to Hunters any Reward that is not in monetary form.

2. SecureBug Fees. The Client agrees to pay SecureBug all the fees for SecureBug’s Services as well as, unless otherwise agreed in a written Order Form, a Reward fee which amounts to 20% of each monetary Reward awarded to a Hunter (collectively called “SecureBug Fees”) and any Reward prepayments listed in any applicable Order Form within 30 days from the date SecureBug issues the invoice unless otherwise stated in Order Form in advance. Apart from any amounts disputed in faith, all undisputed previous payments will incur 1.5% monthly interest rate or the highest legitimate rate, whichever is less. Clients are required to reimburse SecureBug for any costs and expenses incurred (including attorney’s fees) in collecting any undisputed overdue amounts. The fees for SecureBug and Hunter’s Reward payments are nonrefundable, except as otherwise referred to in particular herein or in the applicable Order Form.
3. Taxes. The Client is held responsible for any fees, customs, duties, or taxes due in case of using the Services, including any withholding taxes based on the classification of the services provided, excluding any taxes imposed by the United States on SecureBug’s income. In the event the Client is required by Applicable Law to withhold any amount from SecureBug Fees previously mentioned in the Order Form, then the Client will pay SecureBug such Fees as though no withholding were required and shall separately pay the withholding amount to the appropriate governmental authorities and provide evidence of such payment to SecureBug.


1. SecureBug provides managed Programs through its Platform, under which SecureBug is in charge of the management and administration of the Client’s Programs with Client’s approval throughout the Program. Also, SecureBug provides Programs that are self-managed by the Client, for which the Client is solely responsible unless it is specifically mentioned in the Order Form that SecureBug is responsible for the management. SecureBug’s Vulnerability Disclosure Guidelines define the default disclosure policy concerning the reporting of vulnerabilities through Services, except when the Client has its own Program Policy regarding its own Program. In case of any conflicts between a Client’s Program Policy and SecureBug’s Vulnerability Disclosure Guidelines, the Client’s Program Policy shall prevail.

2. In the event SecureBug reasonably objects to a Program, or its Policy, it reserves the right to decline the Program. In such case, SecureBug will inform the Client of such intention and will collaborate with the Client to address these objections. Furthermore, in case any Program is inactive or unattended by a Client, SecureBug reserves the right to disable or remove access to the related Program Material and/or pause Hunter Submissions if the Client has not communicated with SecureBug through email regarding the written notice, which requires consideration within 10 business days after the written notice.
3. Although SecureBug helps Client in preparing Client’s Program Material, Client is solely responsible for Client’s Program Material.


1. SecureBug does not claim any rights regarding ownership in any Program Material or Hunter Submissions. Moreover, nothing in this Agreement will be considered to dispossess the Client of the right to utilize its Program Material and Hunter Submissions. SecureBug and its licensors exclusively own all right, title, and interest in and to the SecureBug Property.
2. Once the Client provides a Program Material through the Services, the Client hereby grants to SecureBug a permanent, non-exclusive, irrevocable, sublicensable, transferable, global, royalty-free license to use, copy, reproduce, adapt, modify, display, transmit, and publish copies of that Client’s Program Material for the sole aim of providing the Services.
3. SecureBug hereby grants to the Client a non-exclusive, non-sublicensable, non-transferable, global, royalty-free license to use the SecureBug platform and access and view the content that SecureBug provides on its platform and other property content solely regarding your permitted use of the SecureBug platform.
4. SecureBug hereby grants to the Client a non-exclusive, non-sublicensable, non-transferable, global, royalty-free license to use the Hunters’ Submissions and access and view the content that SecureBug provides on its platform solely regarding your permitted use of the SecureBug platform.
5. Based on SecureBug’s ownership of its Property, the Client will own all right, title, and interest to each Client Report. SecureBug hereby grants to the Client a non-exclusive, non-transferable, perpetual, worldwide license to access, use, and reproduce any SecureBug Property included in each Client Report.
The Client and SecureBug are bound by the Terms and Conditions herein to protect Confidential Information of the other party.


1. SecureBug guarantees that the Platform and Services offered to the Client will be provided as indicated in the Order Form or, as otherwise agreed by both SecureBug and the Client beforehand, by qualified personnel professionally, and will comply with all material regarding the documentation and content by SecureBug. To make a claim for breach of the aforementioned warranty, the Client must present a notice of such breach within 30 days following such breach pointing out the details. Provided that a Client submits such notice to SecureBug in time, as the Client’s sole and exclusive remedy, SecureBug will either re-perform such part of Services or make every reasonable effort to correct any such breach, within 30 days after receiving the notice.


1. The Client is bound here to compensate, defend and not harm SecureBug and its officers, administrators, staff, and agents, from and against any demands, claims, frictions, liabilities, losses, damages, and costs and expenses, including, without limitation, reasonable legal and accounting fees resulting from a third party claim (i) that the Client’s Program Material infringe upon a patent, copyright, trademark, or trade secret of a third party, or (ii) arising from the Client’s use of a Hunter Submission in violation of its Program Policy.
2. SecureBug will compensate, defend and not harm the Client and its officers, administrators, staff, and agents, from and against any demands, claims, frictions, liabilities, losses, damages, and costs and expenses, including, without limitation, reasonable legal and accounting fees resulting from a third party claim that the SecureBug Platform infringes upon a patent, copyright, trademark, or trade secret of a third party, only if SecureBug will not be held liable for any such claim to the degree resulting from or relating to a Hunter Submission or the Client’s Program Materials.
3. The compensation party shall provide immediate written notice of all claims for which compensation is demanded and shall act in defending such claims, at the expense of the compensation party. The compensation party will have the sole administration of the defense and settlement of any claim for which it has previously agreed to provide compensation; only if the compensation party shall have the right to provide for its separate defense at its own expense. The rights and remedies described in this section declare a party’s exclusive liability and the other party’s exclusive rights and remedies regarding the claims put forward by a third party for intellectual property infringement or violation of a third party’s intellectual property rights.
Please see Client Terms and Conditions related to Order Forms for further information.

Hunter Terms and Conditions


Once you sign up here as a Hunter, you agree to the following Terms and Conditions. By way of definition, Hunter is a security researcher, hacker, or anyone ready to hunt and resolve bugs and vulnerabilities in a company’s environment of technology.
Note: All the Terms used here as Capital are defined in the glossary section, which you can find by clicking here.


As long as you act in accordance with the Terms and Conditions here, you may use SecureBug Platform to participate in Programs and Submissions.


Since SecureBug firmly believes in business ethics and it is aimed both for Clients and Hunters’ benefits, we require all our Platform users to conform to professional and courteous conduct in terms of their interaction with SecureBug and other Hunters. The Platform shall be used properly and we will have a zero-tolerance policy toward any activity that violates our code of conduct. In case of any misconduct, SecureBug reserves the right to terminate a Hunter’s use of the Platform at its sole discretion. For more information click here.


As you provide any Submissions for the Clients on our Platform, you comply with our Program Policy. In case of any conflicts, SecureBug’s Vulnerability Disclosure Guidelines are supplanted by individual Program Policies. Further information about our Vulnerability Disclosure can be found here.
Hereinafter, you (as a Hunter) are bound to refrain from causing any infringement, misappropriation, or violation to a third party’s intellectual property rights, or rights of publicity or privacy, or violation of any applicable law or regulation, including export control laws.


Rewards may be granted to a Hunter for their Submissions to a Client in case the Submissions follow the Client’s requirements in the Program Policy. SecureBug will Reward the Hunter on behalf of the Client in monetary form within 10 business days after the Client settles the Reward payments with SecureBug (or, in case of Client’s Reward prepayment, within 10 business days after the Client notifies SecureBug that the Hunter is granted a Reward). SecureBug denies any liability for delays in payments due to any possible contingencies.


SecureBug respects your confidentiality as you can prefer anonymity using a pseudonym. Nevertheless, in order to be able to have a Reward, we need to have your latest accurate and complete information including your address, TIN (tax identification number) (if any) as well as any other information that you will be notified of by our team in due course. In case you fail to provide this information, SecureBug will have the right to remit your Reward to a charity. Please bear in mind that SecureBug will not be liable for any tax payments on your part and that you are solely responsible for paying all taxes related to your Reward.
SecureBug will have no liabilities for any Program in any forms, including any omissions or errors in any Program Policy, or any damage or loss incurred as a result of your reliance on any Program Policy.


By having you registered on our Platform, SecureBug is by no means liable to hire, have a contract with you or hold you as its representative. You are an independent third party linked with the Client through participating in Programs. In the Terms, it is not intended by any means to render you and SecureBug partners, joint ventures, or employee and employer. SecureBug and you are under no circumstances considered as employer and employee, which means you have no rights as an employee of SecureBug.
Please note that Clients are third parties who are linked with you through Services in the Program and that they are not affiliates, contractors, employees, or representatives of SecureBug. In the event you seek to obtain any legal remedy for actions or omissions on the part of Client or any other third parties concerning Client’s Program, including Hunter Submissions, you are bound to make claims only limited to that Client or third party who caused you to inflict damages, and you will not attempt to impose liability on SecureBug or seek any legal remedy from SecureBug regarding those actions or omissions. Any form of agreement, contract or other interactions regarding any Program Policy will be between you and the Client only. SecureBug disclaims any liability arising from or related to such interactions, contracts or agreements.


SecureBug disclaims any proprietorship rights in any Hunter Submissions. Hereby, you admit that SecureBug may use any statistical data or other type of information relating to Hunter Submissions to use to SecureBug’s advantage. Apart from any Hunter Submissions, SecureBug and its licensors exclusively reserve all the rights, titles and interests in and to the Services and contents in the Services, including all intellectual property rights.
All the Services and SecureBug contents are subject to copyright, and protected by trademark and other laws of the United States and foreign countries.
Once you provide a Client with Hunter Submissions through Services, you hereby grant to SecureBug a permanent, non-exclusive, irrevocable, sublicensable, transferable, global, royalty-free license to use, copy, reproduce, adapt, modify, display, transmit, and publish copies of those Hunter Submissions, for the sole aim of providing the Services.
Once you provide a Client with Hunter Submissions through Services, you hereby grant to the Client a permanent, non-exclusive, irrevocable, sublicensable, transferable, global, royalty-free license to use, copy, reproduce, adapt, modify, display, transmit, and publish copies of those Hunter Submissions.
SecureBug hereby grants to you a non-exclusive, revocable, non-sublicensable, non-transferable, global, royalty-free license to use the SecureBug Platform and access and view the content that SecureBug provides on its Platform solely regarding your permitted use of the SecureBug Platform. SecureBug may alter or terminate all or any part of its Platform, including your access at its sole discretion.


In case you are using Services on our Platform while representing a company or organization (e.g. your employer), or a Client or other legal entity, you have the authority to bind that organization, company or other legal entity to the terms you already comply with. If you are under the age of 18, your parents or lawful guardian must agree to these Terms on your behalf. In such case, we may call on additional data authenticating that agreement by your parents/guardian.

Privacy Policy

1. Introduction

This privacy policy (“Privacy Policy”) governs the relationship between SecureBug AB, reg. no 559201-3030, (“Platform Provider”) and you as a user (“User”) of the service SecureBug©️ when you register as a User at SecureBug (“SecureBug”).

2. User

The User is the data controller of any personal data entered into SecureBug. The User is responsible for the accuracy, completeness and correctness of any personal data or other information added in SecureBug. Platform Provider acts as data processor and has signed a Data protection agreement for that purpose.
Should you as User provide data concerning a third party, you shall also be responsible for such data and that consent has been given for the disclosure of such data by the third party concerned. Platform Provider hereby reserves the right when necessary or when legally required to inform the third party, whose personal data you as User have given to Platform Provider, regarding Platform Provider’s processing of that third party’s personal data.
It is also possible not to set up an account in SecureBug, but only to agree that the Platform Provider sends information to such a person. In such a case, only the last subparagraph of point 4 shall apply, and the remaining provisions of the privacy policy shall apply respectively. The consent may be withdrawn at any time.

3. Personal Data

The personal data that Platform Provider may process includes, but is not limited to, full name, address, email address, certificates, education, work experience, photographs, assignments applied for and granted, CVs, references, rates, availability and other related information that you have entered into SecureBug©️.

4. Purpose

Platform Provider may use the information that you provide for the following purposes:
• invite you to the Bounty program, the Customer, and assignment-related services and events
• send you newsletters with info from SecureBug©️
• send you updates with new requests
• compiling statistics
• for support and service regarding your User Account
• to administrate your User account
• to enable you to use SecureBug©️
• to enable the Customer to connect with you in SecureBug©️ and send you job requests
• to send you job offers, guides, blog, posts, invites to events and other information with content referring to the consultant market and SecureBug©️.

5. Your rights

User has the right at any time and at no cost to request an extract of the file of User’s personal data that Platform Provider has saved concerning you. Should User’s data be incorrect, incomplete or irrelevant, User may request to have the information corrected or deleted. Platform Provider may not delete User’s data when a statutory requirement exists for storage, such as accounting rules or standards, or when other legitimate reasons exist as to why the data must be saved, such as unpaid liabilities. If User has provided information about a third party, such third party shall have the same rights.

6. Access to submitted data

Users decide who has access to their data by choosing the setting on the account. Platform Provider may transmit data to a third party, partners if necessary for executing and providing our service to User – for example for request administration or technical support. Data that is shared with a third party or third country will only be used in accordance with the purposes set forth in this Privacy Policy.
In addition, Platform Provider may provide personal data if Platform Provider is obliged to do so in accordance with prevailing legislation, a court ruling or if such is otherwise necessary in order to assist a legal inquiry.

7. Retention and storage of personal data

The information will be stored as long as User has an active account. User may at any time delete User’s account and the data will not be available.

8. Protection of personal data

SecureBug©️ has taken technical and organizational measures to protect personal data from loss, manipulation or unauthorized access. SecureBug©️ constantly adapts security measures in accordance with progress and development of the relevant technical area.

9. Contact

SecureBug AB, Kungsportavenyn 23 411 53 Gothenburg, Sweden Tel: +46 72 2807675 Corporate registration number: 559201-3030 Email: [email protected]
For questions on how we process your personal data, please contact [email protected]

Data Processing Agreement


  1. SecureBug AB, reg. no 559201-3030 with registered office at Kungsportavenyn 23 411 53 Gothenburg, Sweden (the Processor); and
  2. The User that has entered into the Terms and Conditions for Service Providers SecureBug©️ (the Controller);

Processor and the Controller are referred to separately as “the Party” and together as “the Parties”.

1. Background

The terms and conditions specified below and Privacy Policy shall apply if and when Processor processes personal data on behalf of the Controller and its affiliates in their capacities of data controllers. Should any conflict arise between a clause in this Data Processing Agreement and a clause in the Terms and Conditions for Service Providers SecureBug©️, the provisions in this Data Processing Agreement shall take precedence wherever the provision in this Data Processing Agreement provides greater protection for the Personal Data being processed.

The data processing activities hereunder are further described in the Annex 1.

2. Definitions

In this Data Processing Agreement, the following definitions shall have the meaning set forth below:

“Processing”, “Personal Data Controller”, “Personal Data”, “Personal Data Processor”, “Personal Data Incident”, and “Data Subject” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”);

“Processing Agreement” is this Processing Agreement and any appendices and annexes to it; “Applicable Legislation” means legislation, regulations and directives in force at the time in the EU and in relevant Member States that are applicable to the Processor and the Controller; and “Applicable Personal Data Legislation” means legislation, regulations and directives in force at the time, including directives notified by relevant supervisory authorities, with respect to the protection of privacy and fundamental rights and freedoms of individuals and, in particular, their right to the protection of their Personal Data with respect to the Processing of Personal Data applicable to the Processor and the Controller, including legislation, regulations and directives within the meaning of Directive 95/46/EC and, from 25 May 2018, the GDPR;


“Third Country” is a country outside the European Union (EU) or the European Economic Association (EEA).

“SecureBug” means the services described in the Agreement;

“Agreement” means the Terms and Conditions for Service Providers SecureBug©️ entered into by the Parties for SecureBug©️.

3. Obligations of the Controller

3.1. The Controller is responsible for ensuring that the Processing of the Personal Data is carried out in accordance with Applicable Legislation and that the Data Subjects are informed about the Processing.

3.2. The Processor does not have an obligation nor the technical means to check the accuracy or completeness of the Personal Data entered into SecureBug©️. This obligation is the sole responsibility of the Controller.

4. Obligations of the Processor

4.1. The Processor shall

  • only process the Personal Data on written instructions (see annex 1) from the Controller;
  • based on the information about the consultant, prepare and make available a report which will better present the consultant as a candidate (profiling, without making automated decisions);
  • keep the Personal Data confidential and ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • maintain a record of all Processing activities carried out on behalf of the Controller;
  • considering the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
  • assist the Controller in ensuring compliance with the obligations pursuant to applicable law, considering the nature of processing and the information available to the Processor as the processor;
  • at the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of SecureBug©️, and delete existing copies unless European Union or EU Member State law requires storage of the personal data;
  • make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this section and allow for, and contribute to, audits, including inspections, conducted by the data controller under applicable law or another auditor mandated by the Controller.

4.2. Based on the information about the consultant and tests made by the consultant, prepare and make available a report which will better present the consultant as a candidate and match your profile to assignments (profiling, without making automated decisions). The workstyles are derived from test results or other information that you have provided.

4.3. SecureBug©️ allows sharing of information, including personal data, in many ways. Where we have made settings available, we will honor the choices you make about who can see Content (or about restricting your content visibility from job and skills searching activities within the service). At this moment there are two main ways to share Content:

  a) Invite to bounty program
  b) following other User
  c) accept searchable option

Other ways may be added in the future.

5. Security measures

The Processor takes appropriate technical and organizational measures to ensure that the Personal Data that are processed are protected from Personal Data Incidents. The measures must ensure that at least the level of security required by Applicable Personal Data Legislation and by applicable regulations and guidelines of relevant supervisory authorities for personal data security is in place. More information on the security measures taken by the Processor can be found in the Security appendix.

Furthermore, the Processor must, if so requested, assist the Controller with information necessary to enable the Controller, as applicable, to be able to meet its obligations to carry out an impact analysis and pre-consultation discussion meetings with relevant supervisory authorities concerning the Processing of Personal Data that are subject to the terms of this Processing Agreement. If the Controller requests the Processor to assist with an impact analysis, even though there is no obligation under Applicable Personal Data Legislation to carry out an impact analysis, the Processor shall be entitled to remuneration as set out in the price list in force at the time.

6. Personal Data Incident

Should a Personal Data Incident occur, the Processor must notify the Controller in writing of the breach without undue delay after the Processor has become aware of the Personal Data Incident.

If it is not unlikely that a Personal Data Incident poses a risk to the privacy of the Data Subjects, the Processor must, immediately after it has become aware of the Personal Data Incident, take all appropriate steps to prevent or minimize the potential negative consequences of the Personal Data Incident.

If requested by the Controller, the Processor shall provide:

  • a description of the Personal Data Incident’s nature, categories of and the number of Data Subjects affected, and categories of and the number of personal data items affected;
  • the likely consequences of the Personal Data Incident; and
  • a description of the measures that the Personal Data Processor, where appropriate, has already taken or intends to take to correct the Personal Data Incident and/or to minimize the potential negative consequences of the Personal Data Incident.

Should it not be possible for the Processor to provide the information in one go, the information may be provided in batches without any further undue delay.

7. Subcontractors

The Processor may hire subcontractors, consultants or other third parties for the Processing of Personal Data on behalf of the Controller (“Subcontractor”).

If the Processor hires a Subcontractor, the Controller consents to the Processor entering into a Processing Agreement directly with the Subcontractor. The obligations under such Processing Agreement with the Subcontractor shall be equal to and no less restrictive than those under this Processing Agreement. The Controller accepts that the Processor and the Subcontractor enter into the Subcontractor’s standard agreement for personal data processing when circumstances so require, on condition that such a standard agreement meets the requirements stipulated in Applicable Personal Data Protection Legislation.

Should the Processor hire a new Subcontractor, the Processor must notify the Controller in writing without undue delay of the following:

  • The Subcontractor’s identity (including details of the company’s name, organisation number and address);
  • the type of service performed by the Subcontractor; and
  • at which location the Subcontractor will be Processing Personal Data on behalf of the Controller.

With respect to hiring new Subcontractors, the Controller is entitled to make objections to the hiring of the Subcontractor.

The Processor is liable to the Controller for the Subcontractor’s Processing of Personal Data and on its own behalf. For approved subcontractors, please see appendix 2 Approved subcontractors.

8. Confidentiality

Without prejudice to the application of any obligations of confidentiality in the User Agreement, the Processor agrees to keep all Personal Data that is processed on behalf of the Controller strictly confidential. Accordingly, the Processor will not, either directly or indirectly, divulge, disclose or communicate any Personal Data to any third party without the prior written consent of the Controller, unless the Processor has an obligation under Applicable Legislation or a decision by a court or authority to provide the Personal Data, or where this is necessary in the fulfilment of the requirements of the Agreement or this Data Processing Agreement. The Processor shall notify the Controller if Personal Data is provided to a third party, unless prevented from so doing by Applicable Legislation or a decision by a court or authority.

The Processor accepts that the obligation of confidentiality shall remain in force even following the termination of the Personal Data Processing Agreement and until all Personal Data have been provided to the Controller or have been securely and irreversibly destroyed or anonymized.

The Controller agrees to keep all information that the Controller receives about the Personal Data Processor’s security measures, procedures, IT systems and any other information of a confidential nature strictly confidential and not to disclose to any third party any confidential information originating from or provided by the Processor or its Subcontractors. The Controller may only disclose such information that the Controller is required to disclose under Applicable Legislation or under the terms of the Agreement or this Processing Agreement. The Controller accepts that this obligation of confidentiality remains in force even after this Processing Agreement is terminated or otherwise ceases to be in effect.

9. Liability

The Processor shall indemnify the Controller against any and all liability, loss, claim or expenses that it incurs which has been caused by the Personal Data Processor, either intentionally or through gross negligence, processing personal data in breach of the terms of the Agreement or Applicable Personal Data Protection Legislation.

The Controller shall hold the Processor harmless from any and all liability, loss, claim or expenses that the Processor incurs as a result of the Controller Processing Personal Data in breach of the terms of the User Agreement or Applicable Personal Data Protection Legislation.

10. Rights of Data Subjects

The Processor shall, to the extent possible, assist the Controller by taking all and any technical and organizational measures that are necessary to enable the Controller to meet its obligation to respond to a request for the exercise of a Data Subject’s right according to the rights of data subjects as required by the Applicable Personal Data Protection Regulation. The Processor shall be entitled to compensation for any expenses that such assistance incurs at the rates stated on the price list in force at the time.

11. Third Countries

Processing and use of Personal Data under this Agreement shall only be carried out within the EU/EEA, and specifically storing of personal Data shall be limited thereto. Any transfer to, or extension into Third Countries requires prior written consent from or agreement with the Controller.

12. Additional protective measures

The processor shall maintain and promptly provide the Controller with up-to-date information regarding its data processing activities as the Controller may reasonably request to meet its obligations under legal data protection requirements.

Processor may not make any filings or publish any information regarding any Data Breach without the Controller’s prior approval unless required by mandatory law. To the extent the laws require that an individual or authority be notified of a Data Breach, Processor shall at the Controller’s request and prior approval of the content, form and timing, provide any notices to such an individual or governmental authority containing the information as mandated by the mandatory laws. Upon the Controller’s request, Processor shall at its own cost provide remediation services, customer care and other reasonable assistance to individuals impacted by the Data Breach directly or through a third party. Upon the Controller’s request, Processor shall cooperate and provide information about the nature, circumstances and causes of the event at issue. Processor will take all necessary actions to prevent further losses and otherwise limit the consequences of the event at issue. Processor shall conduct professional forensic and security review and audit in connection with such Data Breach. These data breaches, if any, shall be resolved according to the applicable data protection laws and the specific instructions that might be provided to Processor by the Controller.

Subject to what is permitted under mandatory law, if Processor receives a request or complaint from a governmental authority or body (“Authority”) regarding any Personal Data, it shall without delay notify the Controller identifying the Authority, the scope of the request and grounds presented for the request or complaint. Processor shall respond to such Authority request or complaint only with the Controller’s prior approval of the response.

13. Validity

This Processing Agreement shall become effective upon acceptance by the Parties (acceptance by the Processor is given by publication of this agreement on the website; after acceptance by the Controller, the Agreement is treated as concluded between the Parties), and shall remain effective throughout the term of the Agreement.

14. Transfers

Neither Party may transfer, in full or in part, its rights and obligations under this Agreement without the written consent of the other Party.

15. Amendments and additions

The provisions relating to amendments and additions set forth in the Agreement shall apply correspondingly to this Processing Agreement.

16. Applicable law and litigation

The provisions relating to applicable law and litigation set forth in the Agreement shall apply correspondingly to this Processing Agreement.

17. Business contact details

The personal data, including business contact details, of the Controller’s employees and other workforce whose data is provided in the course of carrying out this Agreement, the Agreement, shall only be processed to the limited extent required to administrate the business relation between the Controller and/or Processor.

Annex 1

This annex constitutes the instruction for the Processor to process personal data on the Controller’s behalf.

Purpose of the data Processing

The Personal Data is processed for the following purposes:

  • invite you to the Bounty program, the Customer, and assignment-related services and events
  • send you newsletters with info from SecureBug©️
  • send you updates with new requests
  • compiling statistics
  • for support and service regarding your User Account
  • to administrate your User account
  • to enable you to use SecureBug©️
  • to enable the Customer to connect with you in SecureBug©️ and send you job requests
  • to send you job offers, guides, blog posts, invites to events and other information with content referring to the consultant market and SecureBug©️.

Categories of data subjects

The Processor will process data about the following data subjects:

  • Users of SecureBug©️
  • Profiles added by the Service Provider

Categories of Personal Data

The personal data can possibly concern the following categories of data:

  • Phone number
  • Name (surname and first name)
  • Email address
  • Address
  • Photo
  • Log in credentials
  • CV
  • Rate
  • Assignment applications
  • Any information that a user adds in free text
  • Results of tests and analysis (Workstyles)

Processing activities

The Processor will conduct the following processing activities:

  • Collection
  • Storage
  • Structuring
  • Forwarding
  • Erasure

Storage of personal data

The personal data will be retained for as long as the User has an active account unless a longer retention period is needed to fulfill other contractual or legal obligations regarding the individual. The personal data will be deleted once the User account is deleted.

Annex 2 Approved subcontractors

Security Appendix

1. Introduction

The Platform Provider of SecureBug©️ is committed to maintaining a high level of security for Users’ data and internal data. We have a structured process in place to enable us to achieve this and we regularly evaluate its performance to continuously improve data security.

This Security Appendix explains how The Platform Provider works to achieve a high level of security for User data, which are processed in SecureBug©️, hereafter referred to as SecureBug©️.

The Appendix also contains a chapter on the requirements that the Platform Provider places on its user companies, and the opportunities and obligations of the user companies to help ensure that security procedures and practices are upheld.

2. Regulatory documents

The Platform Provider has its own set of regulatory documents covering system development, incident management, etc. to ensure that operational security is maintained in the operation and administration of SecureBug©️.

3. Organization

3.1. Security function

An in-house security function works in an integrated way with the business operations and provides the organization with expertise, evaluations and guidelines for data and IT security. The security function deals with a range of issues covering IT security, physical security and personnel security.

3.2. SOC (Security Operation Center)

The company has a team to manage cyber-attacks, with specialist expertise in communications security, client protection, data centers, and other infrastructures. Other specialist expertise can be drawn upon if necessary.

4. Personnel security

All personnel, both our own staff and consultants, sign a confidentiality and non-disclosure agreement before they are given access to IT systems. Employees who work with SecureBug©️ receive training in how SecureBug©️ is used and what restrictions apply. We hold regular meetings with our own staff to detect and prevent improper conduct.

5. Asset management

The personal data processed in the SecureBug©️ is classified as confidential. The Platform Provider therefore works actively with allocation of access rights via roles. Access rights are only granted to personnel to the extent necessary for them to perform their duties.

6. Access control

Only a few people in The Platform Provider’s Operations Department have full access rights to databases. The team from The Platform Provider’s Systems Development Department, which is responsible for developing the SecureBug©️, has limited read access rights to the database. All logins to the SecureBug©️ are made via personal accounts and are logged into the central log management system.

The Platform Provider’s SecureBug©️ support staff can connect to the user profile and thus gain access to the user company’s data. Written permission to do so must first be obtained from the user. All readings of data in SecureBug©️ are logged for each individual case. These logs can be accessed in SecureBug©️ by authorized staff at the user company.

7. Encryption

The system uses SSL (TLS) encryption with publicly signed certificates. There are documented procedures in place for managing and updating cryptographic material such as keys for certificates.

8. Physical and environmental security

All our data centers are subject to the highest physical and environmental security with access controls, alarms, fire protection, protection systems and surveillance. There is a power protection system installed in case of a power outage. Only authorized personnel have physical access to the data centers. Access to the data centers is permission-based.

9. Equipment

The secure disposal of digital media requires all data on the media to be deleted and the digital media then to be destroyed. This is carried out at a secure facility by approved personnel.

10. Operational reliability

10.1. Communication

The data centers’ backbone network is connected to multiple Internet service providers. All traffic from and to the application flows through a firewall and threat detection service that continuously monitors for malicious activity and unauthorized behavior. Only specific endpoints are exposed to the Internet, while the rest of the components are deployed in private non-routable networks.

10.2. Traceability and monitoring

Centralized log management is used for SecureBug©️ and for related network communications. Designated personnel actively work to detect high-risk activities via rules-based alarms and tools for analysis of non-conformities. Where necessary, relevant components of the logs can be made available to customer companies.

Data is protected using access rights and, where applicable, multi-factor authentication, which are controlled at all levels in SecureBug©️. Data processing, reading, editing and logins are all logged. Failed attempts to log in are also logged.

SecureBug’s time is taken from the System’s servers. Logged times are presented in the user browser’s time zone and the format is taken from the user’s language settings.

Manipulation of the logs is not possible from inside SecureBug©️. The logs are saved without changes unless the case is removed, or the user is deleted or inactivated. The system logs any changes to and readings of events data. Both successful and unsuccessful logins are logged. Changes to access rights are also logged. Access to logs is dependent on access rights of the roles.

10.3. Backups

Databases and transaction logs are routinely backed up and recovery of backups is tested regularly. The maximum data loss period (i.e. RPO) is 4 hours and the recovery time (i.e. RTO) is 8 hours. Backups of servers in both of the data centers are stored separately from the original.

10.4. Malware protection

SecureBug©️ is separated from other IT systems within the Platform Provider via firewalls. All servers in the environment are protected from malware by whitelisting software. Clients that are used to connect to the servers have anti-virus software enabled. Both servers and clients are hardened prior to deployment. Additionally, all files sent by users are scanned by antivirus software.

10.5. Vulnerability management

A team of dedicated staff is responsible for monitoring information from suppliers about products and components concerning security deficiencies and available updates. A risk analysis is performed, after which serious security deficiencies and important updates are addressed immediately. Other issues are addressed in line with documented procedures for routine version management. All changes to software used and to constituent third-party components in SecureBug©️ are documented.

11. Communications security

The solution is protected by a firewall so that only pre-defined traffic is allowed network access to the solution.

All traffic that passes the firewall is logged. The logs are saved for a period of 12 months. All entries are saved for the same period of time.

12. Acquisition, development and maintenance of systems

12.1. Testing and development

Development team

Systems are developed using an agile approach, based on proactive quality assurance with continuous testing and feedback of performance. The agile approach to system development includes a requirement process and testing. The development team is responsible for all activities needed to assure the quality of each product backlog item (PBI) in each sprint.

The team is also responsible for assuring the quality of SecureBug©️ and the product over the long term.

IT environments

Separate IT environments are used for production and for testing and developing SecureBug©️. To ensure the best quality of the software we deliver, we use a Continuous Integration process that automates code integration, builds the application and executes the tests.

12.2. Penetration testing

Internal and external parties conduct thorough penetration tests at least once a year to evaluate the system’s security. User companies may not conduct security audits or penetration tests on SecureBug©️ without prior permission of the Platform Provider. Contact The Platform Provider’s support for further information.

13. Managing data security incidents

The Application Manager is responsible for the operative management of serious IT incidents. This involves communication, investigation and reporting of incidents. The Application Manager analyses the IT incidents to ensure that adequate action has been taken to manage the incident and that the experience gained from the incident can be used in the organization’s operative risk management processes.

A solutions team is appointed to solve the incident and assist the Application Manager with the investigation. In the event of a cyber-attack, SOC is enabled. The Platform Provider’s Crisis Management Team can be activated if warranted by the seriousness of the incident.

Incidents relating to personal data are managed in accordance with the Data Processing Agreement.

14. Business continuity management

SecureBug©️ is mirrored in two separate data centers in the EU area. Each data center has the capacity to maintain system availability should one of the data centers go down.

15. Compliance

SecureBug is ISO27001-ISMS Certified. The Platform Provider’s Internal Audit operates to an annual audit plan. Internal Audit reports to the Board of Directors and the CEO. The Audit Plan is prepared through an objective and independent assessment of materiality and risk to provide an overall opinion on the adequacy of internal governance and control.