How Obscurity Ltd handles ConsentMark customer data, the sub-processors involved, and how to reach us about a security issue. Detailed control documentation is available under NDA on request.
Last updated: 19 May 2026
The vendors below process ConsentMark customer data under our instruction. We will notify customers under a Data Processing Agreement of any material change to this list at least 30 days before the change takes effect. Internal tooling that does not handle customer data is omitted; the full vendor registry is available under NDA via contact@consentmark.com.

| Sub-processor | Purpose | Data residency |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting (ECS Fargate, RDS PostgreSQL, S3, CloudFront), transactional email (SES), authentication (Cognito) | eu-west-1 (Dublin, Ireland) |
| Google Workspace (Google Ireland Ltd) | Operator mailbox at contact@consentmark.com and calendar scheduling | EEA (Google Ireland Ltd for EEA users) |
| GitHub Enterprise Cloud | Source code and CI/CD. No customer data in repositories. | US (Standard Contractual Clauses) |
| Functional Software, Inc. (Sentry) | Application error tracking. Stack traces and metadata only; no customer scan results or end-user observations. | EU (Sentry EU region) |
| Stripe Payments Europe Ltd | Subscription billing and payment processing for paid product tiers. | Ireland (EU) |
| Anthropic | Automated content classification. Never receives customer beacon data or end-user observations. Zero-retention API calls. | US (Standard Contractual Clauses, zero-retention) |
| OpenAI | Automated content classification. Never receives customer beacon data or end-user observations. Zero-retention API calls. | US (Standard Contractual Clauses, zero-retention) |

If you believe you have found a security issue affecting ConsentMark, please email contact@consentmark.com with the subject line "Security Disclosure". We acknowledge receipt within one business day (Ireland, Mon-Fri) and provide a triage update within five business days. We will not pursue legal action against researchers who report responsibly under a coordinated disclosure model and who do not access, modify, or exfiltrate customer data beyond what is necessary to demonstrate the issue. We do not currently operate a paid bug bounty.
For incidents that affect customer data, we follow a documented response process with severity classification, containment procedures, and a GDPR 72-hour breach notification path where applicable. The detail is available under NDA on request.
For public scan result disputes (defamation, finding accuracy, takedown requests), contact the same address. We respond within one business day; we operate a global kill switch and per-scan takedown to handle disputed findings.
GDPR-compliant by design. SOC 2 is on the roadmap; timing depends on customer demand. We're happy to walk procurement and security teams through our controls in detail under NDA.
For procurement, security, or data protection questions: contact@consentmark.com. Document owner: Dónal Troddyn. This page is reviewed annually or on material change to the underlying posture, whichever is sooner.