EUSEC
Legal & Compliance

Lawful by design.
Independent by principle.

The legal framework for independent Cyber Security Ratings.

Our cyber risk ratings are legal, and we observe every legal requirement that applies to what we do. This page sets out the basis on three fronts: independence in how we compete, a passive and lawful method for our security scans, and a defined data-protection basis for the personal data we process.

Independent · Lawful in DE & EU · GDPR-aligned
Exhibit 01 — Independence & fairness

A rating is only worth the independence behind it.

EUSEC is structured so that no commercial relationship can influence a grade. We compete on the quality and neutrality of our ratings — never on who pays us. The result is an assessment that stays fair for every company we rate.

We rate. We do not advise.

EUSEC provides no consulting or remediation services, and we are not part of network formats, alliances or referral arrangements that could compromise our independence or reputation. There is no second business line a rating could be steered to feed.

No incentives, no favouritism.

We do not favour any vendor, and we accept no incentives. No rated company — and no competitor of a rated company — can pay to raise, lower or suppress a grade.

Unsolicited & subscriber-funded.

Outside Ratings are unsolicited. They are not commissioned or paid for by the rated issuer. We assess publicly observable signals on our own initiative and make the resulting grades available to subscribers — the rated company is neither our customer nor our paymaster for these ratings.

Equal, transparent weighting.

The nine assessment areas (01–09) of the Inside Rating carry the same weight for every company. There are no hidden, company-specific weightings. Where a specific weighting is applied at all, it is disclosed openly — with the reason it is necessary and who commissioned it — so the comparison stays fair for everyone.

Automated, built by experts.

Ratings are produced automatically by a system that is designed, calibrated and maintained by qualified security personnel. The methodology is uniform — human expertise sits in the model, not in case-by-case discretion that could be lobbied.

An open dispute process.

Every rated company can challenge a grade. We correct inaccurate inputs and re-assess on new evidence — a standing channel, not a one-off appeal.

The 14-day window

No adverse rating is circulated without a fair chance to respond.

Ratings of B or worse are held for roughly 14 days before they are made available to other subscribers. During this window the rated company can raise an objection and explain its position. Combined with our ongoing dispute process, this protects against false comfort in either direction — for the rated party and for the subscriber relying on the grade.

14 days' notice on every rating of B or below: object, explain, correct.
Exhibit 02 — The method & its lawfulness

Passive & lawful by design.

We read only what is public or voluntarily disclosed. No exploitation, no break-in — only what a server, a record or a document already reveals on its own.

Legal opinion — lawful in Germany & the EU
§ 202a / 202b / 303a StGB

No criminal-law violation.

No specially protected data is accessed or intercepted, no access safeguard is circumvented, and no data is altered.

GeschGehG · Dir. (EU) 2016/943

No trade-secret breach.

The observed system data is general technical information the server provides voluntarily — not a protected secret.

DE & EU compliant

Lawful across the EU.

The method is lawful throughout Germany and aligned with EU compliance requirements — unlike many international providers.

EUSEC's legal opinion on the lawfulness of its methodology.
Exhibit 03 — Data protection (GDPR)

“May we look?” is one question. “May we process?” is another.

The criminal-law and trade-secret analysis above answers whether we may look. Data-protection law answers whether we may process the personal data we see. Here is our basis.

Corporate data — no GDPR basis needed

Most of our signals — TLS configuration, open ports, DNS, certificates, BGP routing, banners — are technical data of legal persons. The GDPR protects natural persons only. For purely corporate data, no legal basis under the GDPR is required.

Personal inputs — where the GDPR applies

Some inputs relate to identifiable people in their professional role: business email addresses, patterns and phone numbers (area 03); named employees, titles and departments (area 05); breach-related credentials at domain level (area 04); and the named data protection officer (area 09). For these, we rely on a defined legal basis.

Our basis

Art. 6(1)(f) GDPR — legitimate interest.

We process this personal data on the basis of Art. 6(1)(f) GDPR. This is the same basis on which credit bureaus such as SCHUFA, Creditreform and Dun & Bradstreet have operated for decades — court-tested and expressly recognised. In legal terms, an outside-in cyber rating is a cyber-risk reference service of the same family: it assesses an organisation, in the legitimate interest of those who must manage supply-chain risk. The other lawful bases do not fit — consent is excluded by the model, contract covers only the subscriber, there is no legal obligation, and we are not a public authority.

Basis by data type

Data type | Legal basis | Status
Corporate data (TLS, DNS, ports, certificates…) | None required (no natural person) | Settled
Personal inputs (employees, business emails, DPO) | Art. 6(1)(f) legitimate interest | Sound (conditions met)
Breach data (area 04) | Art. 6(1)(f), aggregated only | Strict minimisation
How we keep it

Legitimate interest is earned through a balancing test — not assumed.

We hold ourselves to five conditions. Our fairness and rights process is therefore a legal precondition, not decoration: without a working right to object, the balance would fail.

01. Professional sphere only

We process data about people strictly in their work role, never their private life. A business email is a corporate datum; a private mobile number is not.

02. Public or disclosed sources only

We use only data that is public or voluntarily disclosed — consistent with our method principle above.

03. Data minimisation

We aggregate. Breaches are counted at domain level; we never store or display individual leaked passwords.

04. Transparency (Art. 14)

We maintain a public privacy notice explaining the processing, relying on the disproportionate-effort exemption in Art. 14(5)(b) — as credit bureaus do.

05. Data-subject rights upheld

Objection (Art. 21), rectification (Art. 16) and access (Art. 15) are honoured. This is the same channel as our rating dispute process — the right to be heard is built in.

Breach data, handled carefully

Leaked credentials are the one input a person did not disclose voluntarily. We therefore use them only in aggregate, at domain level (“N breach incidents affect this domain”), and never reproduce individual records — the same approach as Have I Been Pwned, which public authorities themselves accept.

Automated decisions — Art. 22

The CJEU's SCHUFA ruling (Case C-634/21, December 2023) concerns automated decisions about natural persons. Our rating evaluates an organisation, not an individual, so Art. 22 does not apply — and we keep it that way: we rate the company, never the person.

Fair ratings · right to be heard

Think a rating is wrong?

Raise an objection, request access to or correction of your data, or open a dispute on a grade. We respond, correct inaccurate inputs and re-assess on new evidence.

This page describes EUSEC's own legal position on the lawfulness of its methodology and is provided for information. It is not legal advice and does not create any contractual entitlement.