This Security Research Data Processing Notice ("Notice") explains how NorthQuinn Inc. processes personal data submitted by security researchers through NorthQuinn's Vulnerability Disclosure Program. It supplements NorthQuinn's main Privacy Policy and applies specifically to data received in connection with vulnerability reports submitted to abuse@northquinn.com.
Effective: April 24, 2026 • Last Updated: April 24, 2026
1. Introduction
When security researchers submit vulnerability reports to NorthQuinn, they may provide personal data including contact information, technical details, and proof-of-concept materials. NorthQuinn processes this data solely for the purpose of receiving, triaging, remediating, and responding to reported security vulnerabilities, and for maintaining records of NorthQuinn's security disclosure activities.
This Notice is intended to fulfill NorthQuinn's transparency obligations under applicable privacy law, including Articles 13 and 14 of the GDPR, with respect to personal data received through the vulnerability disclosure channel.
2. Data Controller
| | |
|---|---|
| Controller | NorthQuinn Inc., a Delaware corporation |
| Contact | privacy@northquinn.com |
| VDP Contact | abuse@northquinn.com |
3. Categories of Personal Data Processed
NorthQuinn may process the following categories of personal data received through vulnerability reports:
- Identity Data: Name or pseudonym provided by the researcher
- Contact Data: Email address, PGP key, or other contact information provided for follow-up communications
- Technical Data: IP addresses, system identifiers, URLs, HTTP request/response logs, and other technical artifacts included in proof-of-concept materials
- Communications Content: The full text of the vulnerability report and all subsequent correspondence
- Professional Data: Researcher affiliation, organization, or handle, if voluntarily provided
NorthQuinn does not require researchers to provide their real name or organization. Anonymous and pseudonymous reports are accepted and will be processed in the same manner.
4. Purposes of Processing and Legal Basis
| Purpose | Legal Basis (GDPR) |
|---|---|
| Receiving, triaging, and responding to vulnerability reports | Legitimate interests (Article 6(1)(f)) — securing NorthQuinn's systems and fulfilling its security obligations to clients and users |
| Remediating reported vulnerabilities | Legitimate interests (Article 6(1)(f)) |
| Maintaining records of disclosed vulnerabilities for security governance and legal purposes | Legitimate interests (Article 6(1)(f)); Legal obligation (Article 6(1)(c)) where applicable |
| Public acknowledgment of the researcher (recognition) | Consent (Article 6(1)(a)) — only where the researcher has explicitly opted into acknowledgment |
| Coordinated disclosure with the researcher or third parties | Consent (Article 6(1)(a)) — only where coordinated disclosure has been agreed in writing |
Legitimate Interests Assessment
NorthQuinn's legitimate interest in processing security research data is the identification and remediation of security vulnerabilities in its systems. This interest is not overridden by researchers' rights and freedoms given: (i) the data is voluntarily submitted by the researcher for the specific purpose of vulnerability disclosure; (ii) researchers are not in a vulnerable position relative to NorthQuinn; (iii) NorthQuinn processes only the minimum data necessary to triage and remediate the reported vulnerability; and (iv) NorthQuinn does not use this data for commercial purposes.
5. Retention
| Data Category | Retention Period |
|---|---|
| Active vulnerability report and correspondence | Duration of remediation plus 3 years from closure |
| Remediated vulnerability records (technical details, timeline) | 5 years from remediation date — security governance and potential legal proceedings |
| Researcher contact data (where consent for recognition given) | Duration of recognition listing, or until withdrawal of consent |
| Anonymous or pseudonymous reports | 5 years from closure — no personal data processed beyond technical artifacts |
Upon expiration of the applicable retention period, NorthQuinn will securely delete or anonymize personal data consistent with its internal data lifecycle procedures.
6. Disclosure and Sharing
NorthQuinn does not sell, rent, or share security research personal data with third parties for commercial purposes. NorthQuinn may disclose personal data from vulnerability reports in the following limited circumstances:
- Legal obligation: Where required by applicable law, court order, or regulatory demand
- Third-party vendor disclosure: Where the reported vulnerability affects a third-party component and coordinated disclosure requires notifying that vendor — only with the researcher's prior consent or where legally required
- Law enforcement: Where NorthQuinn determines in good faith that a report relates to active criminal activity requiring law enforcement notification
NorthQuinn will not disclose a researcher's identity, contact information, or the existence of their report to any third party without the researcher's explicit written consent, except as required by law.
7. Researcher Rights
Researchers who are EEA or UK residents have the rights described in Section 11 of NorthQuinn's Privacy Policy, including the rights of access, rectification, erasure, restriction, portability, and objection. U.S.-based researchers have the rights described in Section 10 of the Privacy Policy, subject to applicable state law.
To exercise any of these rights with respect to data submitted through the vulnerability disclosure channel, contact privacy@northquinn.com with the subject line "VDP Privacy Request." NorthQuinn will respond within the applicable statutory period.
Note that some personal data in vulnerability reports may be subject to retention obligations that limit NorthQuinn's ability to delete or restrict processing — for example, records required for security governance or potential legal proceedings. NorthQuinn will inform you of any such limitation at the time of your request.
8. Contact
| | |
|---|---|
| Privacy Inquiries | privacy@northquinn.com |
| Legal Inquiries | legal@northquinn.com |
| Security / VDP Reports | abuse@northquinn.com |
| VDP Policy | northquinn.com/security.html |