Legal Information | BlackShield

Irish company, US-hosted service, security-first operating model.

BlackShield is operated from Ireland and delivered as a hosted B2B SaaS platform. The default production control plane runs in AWS us-east-1, so legal and privacy review should treat the service as an Irish-operated product with US-hosted infrastructure unless a separate deployment arrangement is expressly agreed.

Effective date

March 18, 2026

Last updated

March 18, 2026

Company and service scope

BlackShield is an Irish-operated software service built for security teams that need one place to ingest, normalize, and review findings from open-source scanners and related telemetry.

The service is intended for business use by customers acting within their own authorized environments.
Commercial terms, plan boundaries, and any negotiated security or privacy commitments are defined in the applicable order form and master agreement.
Customers remain responsible for choosing what scanners to run, which assets to scan, and which users receive tenant access.

Hosting, geography, and international transfers

The company is Irish, but the default production hosting footprint is in AWS us-east-1. That means customer data may be stored or processed in the United States as part of delivering the service.

If a customer uploads data from the EEA, UK, or Switzerland, cross-border transfer considerations apply because the managed service runs in the US-hosted region by default.
Where needed for procurement or privacy review, transfer safeguards and data processing commitments are handled through the contracting process and the applicable DPA.
Customer-operated scanners may run in customer-owned accounts and regions, but the aggregated SaaS control plane still follows the hosted-region design unless otherwise agreed in writing.

Privacy, subprocessors, and due diligence

BlackShield is a processor for customer workspace data in the ordinary course of service delivery and publishes companion privacy and trust documentation to support vendor review.

The public privacy page explains the categories of account, tenant, findings, and operational telemetry processed by the service.
Subprocessor review, security questionnaires, and enterprise legal requests are supported through the same legal and support channels listed on this page.
If a customer needs specific regional or contractual handling requirements, those constraints should be captured before production onboarding.

Acceptable use and customer obligations

The platform exists to support legitimate security operations, not unauthorized testing or abusive automation.

Customers must only scan infrastructure, applications, repositories, or accounts they own or are explicitly authorized to assess.
Customers must protect their credentials, API keys, and tenant admin access, and must rotate or revoke them promptly if compromise is suspected.
Customers must not attempt to bypass tenant isolation, abuse rate limits, interfere with the service, or use the platform to process unlawful content.

Notices, contracting, and escalation

Routine legal, privacy, procurement, support, and security notices are handled through the published contact channel and escalated internally based on severity.

Security incident coordination, privacy requests, and procurement due diligence should include the tenant slug, environment, region, and relevant timestamps where available.
Material service commitments are only binding when included in signed commercial documents, not solely on marketing or documentation pages.
Responsible disclosure and trust-review requests are reviewed on business days and routed to the appropriate internal owner.