What we assess
What your
GDPR test covers
We test the systems that actually touch personal data and report findings by data-exposure risk, giving your DPO evidence of Article 32 testing rather than a generic scan.
Personal Data Exposure
The paths an attacker could take to reach, extract, or leak personal data.
We test for
- Data exposure and exfiltration paths
- Excessive data in responses
- Insecure direct object references
- Backup and export exposure
Access Control & Authentication
Who can reach personal data and how they prove who they are.
We test for
- Access control and least privilege
- Authentication and MFA
- Session management
- Privilege escalation
Encryption & Transmission
Whether personal data is protected at rest and as it moves.
We test for
- Encryption in transit and at rest
- TLS configuration
- Key management
- Cleartext data handling
Breach Readiness
Whether an intrusion against personal data would be detected and contained.
We test for
- Logging and monitoring coverage
- Detection of data access abuse
- Segmentation around data stores
- Incident response evidence
How it works
How your engagement runs
From scope through the final retest, your team stays in the loop at every step,
with findings tracked live in our platform.
- 01
Map the data
We identify each system that stores, processes, or transmits EU personal data.
- 02
Article 32 test
We test the technical measures that protect personal data, meeting Article 32.
- 03
DPO report
Findings ranked by personal-data exposure risk, as evidence for your DPO.
- 04
Fix & retest
Fix the findings, then a free retest that lowers your risk of a costly breach.
Resources
Field notes from the offensive side
Offense in Depth in Red Team Operations
Defense in depth layers protection. Offense in depth layers attack paths so a red team still reaches its objective when one route fails. Here is how it works.
Security Between Penetration Tests
An annual pentest covers two weeks and leaves fifty uncovered. Here is how to secure the rest of the year without waiting for the next scheduled engagement.
The Limits of AI in Penetration Testing
AI is changing penetration testing, but it will not replace human testers. Here is what it does well, where it falls short, and why judgment still wins.
Want to see a real report first?
Request a redacted sample report before you scope an engagement.
01Does GDPR require penetration testing?
Article 32(1)(d) requires a process for regularly testing, assessing, and evaluating the effectiveness of your technical and organisational security measures. It does not name a method, but penetration testing is the most widely accepted way to demonstrate that testing actually happens.
02What systems are in scope for a GDPR test?
The applications, infrastructure, and integrations that store or process EU personal data. We confirm the data flows with you during scoping so testing concentrates on the systems that carry real exposure.
03How does this reduce our breach and fine risk?
Most reportable breaches trace back to exploitable technical flaws. Finding and fixing them first reduces the chance of a notifiable incident, and the report itself evidences the regular testing regulators look for when they assess how seriously you took Article 32.
Ready to test your defenses?
Talk to our team about what your GDPR compliance requires.
Get a Fixed-Scope Quote
Tell us what you need tested. We reply within one business day.
Thanks, we've received your message.
We'll be in touch shortly.