Who is the data controller?

The data controller is ISGroup SRL, with headquarters in Via Cantarane, 14, 37129 Verona VR.

Does EasyAudit store credit card data?

No. Online payments are handled by ISGroup's selected payment processor, currently Stripe, and ISGroup does not store card numbers, CVVs or full credit card data.

Does EasyAudit use third-party analytics?

The site uses self-hosted Matomo for aggregate statistics. Analytics data is not shared with third parties for independent purposes.

Privacy Policy.

1. Data controller

The data controller is ISGroup SRL, Via Cantarane, 14, 37129 Verona VR, Italy - Fiscal Code and VAT number 04164220230 - REA VR-397513 - SDI M5UXCR1.

Privacy contacts and requests relating to personal data: [email protected]. For formal communications it is possible to use the PEC [email protected].

2. Scope of the information

This information describes how ISGroup SRL processes personal data collected through the EasyAudit website, contact forms, order forms, the newsletter, commercial requests, partnerships and the provision of EasyAudit services.

The EasyAudit site and services are aimed at businesses, professionals, institutions and organizations. They are not intended for consumers or minors. If personal data of company representatives, employees, collaborators, suppliers or other subjects connected to the Customer are entered, the Customer declares to have a suitable legal basis to communicate them to ISGroup.

3. Categories of data processed

ISGroup may process the following categories of personal data:

identification and contact data: name, surname, company, role, email, telephone, address, billing data, VAT number, tax code, SDI, PEC and other administrative data;
data sent via form, email, PEC, telephone or other channels: requests, messages, commercial notes, preferences, information about the company, data relating to the partnership or the service requested;
navigation and security data: IP address, date and time of access, requested URLs, user agent, browser, operating system, language, technical logs, security events, application errors and data necessary to protect the site;
analytics data: statistical data collected through self-hosted Matomo, configured for site measurement and service improvement purposes, without sharing analytics data with third parties for autonomous purposes;
order and payment data: purchased service, amount, payment status, transaction identifier, payment method, transaction outcome and tax data. ISGroup does not store full credit card numbers, CVVs or payment credentials;
technical data relating to the EasyAudit Targets: domains, subdomains, IP addresses or IP ranges, exposed services, ports, banners, publicly observable configurations, technical evidence, vulnerabilities detected, timestamps of the activities and technical contents necessary for drafting the report;
personal data that may be present, visible or deducible from the systems subject to black-box analysis, such as email addresses, usernames, metadata or other information exposed by the Target. These data are not sought for autonomous purposes and are processed only if necessary for the verification and technical documentation of the service;
data relating to the newsletter, if the user decides to subscribe: email address, preferences and consent or unsubscription log.

4. Purpose and legal bases

The data is processed for the purposes and on the legal bases indicated below.

Purpose	Legal basis
Site management, technical security, abuse prevention, logging, maintenance and continuity of web services	Legitimate interest of the owner in the security and correct functioning of its systems
Aggregated statistics and measurement of the site via Matomo self-hosted	Legitimate interest, within the limits applicable to analytics tools configured in a proportionate manner; consent where required by the technical configuration or applicable legislation
Response to requests for contact, quote, partnership or pre-contractual assistance	Execution of pre-contractual measures requested by the interested party or the Customer
Order management, activation, provision, delivery and support relating to EasyAudit services	Execution of the contract or measures pre-contractual
Invoicing, accounting, fiscal and administrative obligations and legal obligations	Legal obligation
Management of payment online or via agreed bank transfer	Execution of the contract and administrative obligations
Commercial management, CRM, history of requests, offers, follow-ups and reports B2B	Execution of pre-contractual measures, contract and legitimate interest in the management of commercial relationships B2B
Operational communications on the service, renewals, deadlines, payments, cancellations and contractual aspects	Execution of the contract and legitimate interest in the correct management of the relationship
Newsletters and promotional communications not strictly operational	Consent of the interested party, revocable at any time; where applicable, legitimate interest within the limits permitted for similar services
Establishment, exercise or defense of rights in judicial or extrajudicial proceedings	Legitimate interest and protection of the owner's rights

5. Nature of the provision

Providing the data requested in the forms marked as mandatory is necessary to receive a response, complete an order, activate the service, issue an invoice or fulfill administrative obligations. Failure to provide it may prevent the management of the request or the provision of the service.

The provision of data for newsletter or marketing purposes is optional. Consent can be revoked at any time without prejudice to the lawfulness of the processing carried out before the revocation.

6. Technical data of the EasyAudit service

Unless otherwise agreed in writing, standard EasyAudit services are carried out with a black-box approach and do not involve the delivery, storage or use of access credentials, passwords, administrative users, private keys or tokens relating to the Customer's systems.

The Customer indicates the Targets to be analyzed and declares to be their owner, owner, legitimate manager or otherwise authorized to subject them to vulnerability analysis. ISGroup processes the technical information of the Targets within the limits necessary to carry out the checks, produce evidence and draw up the report.

EasyAudit is a vulnerability identification and reporting service and does not involve system administration, systems management, IT security risk management, remediation, continuous monitoring or operational takeover of the Customer's infrastructure.

If, in specific cases, the service involves the processing of personal data contained in the Customer's systems on behalf of the Customer to an extent different from ordinary black-box technical processing, the parties will evaluate the need for an agreement appointing data controller or other appropriate privacy documentation before starting.

7. Recipients and suppliers

The data may be processed by staff and collaborators authorized by ISGroup and by suppliers who support the provision of the site, services, payments, e-mail, commercial management and administrative obligations.

As of the update date of this information, the main external suppliers used by ISGroup for the EasyAudit service are:

Aruba, for email services and email communications;
Stripe, for managing online payments via payment processors. ISGroup receives results, identifiers and payment data necessary to manage the order, but does not store complete credit card data;
Pipedrive, for CRM management of contacts, requests, offers, commercial opportunities and B2B follow-ups;
tax consultants, accountants, lawyers, banks and subjects required by law, within the limits necessary for the applicable obligations.
For the rest of the core infrastructure, ISGroup favors self-hosted or directly controlled solutions, with the aim of maximizing security, confidentiality and control of the Customer's data.

8. Data controllers and privacy roles of suppliers

When suppliers process personal data on behalf of ISGroup, they are bound by data processing agreements or contractual conditions consistent with applicable legislation. Some suppliers, in particular payment processors, banks, consultants or parties obliged by law, may act as independent owners for the activities of their respective competence.

The data is not sold or transferred to third parties for the independent commercial purposes of such third parties.

9. Transfers outside the European Economic Area

ISGroup favors infrastructures and suppliers established in the European Economic Area or in any case equipped with adequate contractual and organizational measures. If some providers, including payment processors or CRM tools, process data outside the European Economic Area, the transfer will take place on the basis of an adequacy decision, standard contractual clauses approved by the European Commission or other instrument provided for by applicable law.

10. Storage times

The data are kept for the time necessary for the purposes for which they were collected and, subsequently, for the terms imposed by law or necessary to protect the rights of ISGroup.

contact, quote and partnership requests: up to 24 months from the last useful contact, unless a contractual relationship is established, legitimate CRM B2B conservation or need for further conservation;
contractual data, orders, payments, invoices and administrative documentation: up to 10 years or for the different term provided for by tax and civil legislation;
reports, technical evidence and audit data: normally up to 24 months from delivery or closure of the relationship, unless otherwise requested by the Customer accepted by ISGroup, legal obligations, need for defense or conservation envisaged by the contractual agreement;
site technical logs and security data: normally up to 12 months, except for security needs, verification of abuse or legal obligations;
Matomo analytics data: according to the configuration applied by ISGroup and in any case in a proportionate form with respect to the statistical purposes;
newsletter: until you revoke your consent or unsubscribe;
data relating to disputes or disputes: for the time necessary to manage the dispute and protect rights.

11. Cookies, Matomo and measurement tools

The site uses cookies and technical tools necessary for the functioning of the pages and services requested by the user. The site also uses Matomo self-hosted for aggregate statistics and traffic analysis. The data collected through Matomo is processed by ISGroup on its own infrastructure or on controlled infrastructure and is not shared with third parties for autonomous purposes.

No profiling cookies or third-party behavioral advertising tools are used, unless otherwise indicated in the future and, where necessary, with prior consent. For further details, see the Cookie Policy.

12. Payments and card details

Online payments are managed via the payment processor selected by ISGroup, currently Stripe. During payment, the Customer may be redirected to pages or components managed by the payment processor. ISGroup does not store complete card numbers, CVV codes or payment credentials, but receives the data necessary to verify the outcome of the transaction, manage the order, issue an invoice and fulfill contractual and tax obligations.

Payment by advance bank transfer is permitted only if agreed with ISGroup; in this case the banking and accounting data necessary for reconciling the payment are processed.

13. Rights of the interested party

The interested party may exercise, in the cases provided for by applicable law, the rights of access, rectification, cancellation, limitation, portability, opposition and revocation of consent by writing to [email protected] or via PEC to [email protected].

The request will be handled within the terms established by the applicable legislation. In case of doubts about the identity of the applicant or the legitimacy with respect to company or contractual data, ISGroup may request additional information necessary for verification.

14. Complaint to the supervisory authority

The interested party who believes that the processing of their personal data is in violation of the applicable legislation can lodge a complaint with the Guarantor for the protection of personal data or contact the competent judicial authority.

15. Security measures

ISGroup adopts technical and organizational measures that are reasonable and proportionate to the risk to protect the personal data processed. The prevalent use of self-hosted or directly controlled infrastructures, where applicable, is aimed at maintaining a high level of control, confidentiality and security over the Customer's data.

However, no IT system can be considered immune from risks. ISGroup periodically monitors and updates the security measures applied to its processes, within the limits of its organization and the nature of the services provided.

16. Minors

The EasyAudit site and services are aimed at businesses, professionals, institutions and organizations. They are not intended for minors and do not knowingly collect personal data from minors.

17. Updates

This information is updated to May 2026. ISGroup SRL can modify it to adapt it to regulatory, technical or organizational developments. The updated version is published on this page.