External Observation
The evaluation starts from a confirmed root domain and relies on external observation and public sources. No access to your network, credentials, or internal systems is requested.
TRUST AND SECURITY
CSURFACE observes your attack surface in the same way an external adversary would — from the outside, without touching your infrastructure. This page gathers how we conduct our analysis, how we handle data, and what is the security posture of the platform, to give your security team and procurement area what to evaluate before any discussion.
NON-INTRUSIVE ANALYSIS
The analysis reproduces what an adversary observes from the outside — based on publicly accessible sources. This preserves the fidelity of the result and keeps your organization's operations undisturbed.
The evaluation starts from a confirmed root domain and relies on external observation and public sources. No access to your network, credentials, or internal systems is requested.
No agents, no sensors, no installation. No CSURFACE software is running in your environment and no changes are made to your assets.
The preliminary analysis is passive. Active validation tests exist as a platform capability and are non-destructive, with configurable frequency and scope agreed upon with the client.
AUTHORIZATION AND SCOPE
The analysis request includes the statement that you are the owner of the assets under the domain specified or have authorization to request the evaluation. The scope is limited to this domain and to related entities identified from it.
We do not accept free email providers for preliminary analysis, precisely because the assessment runs on the corporate domain specified. The complete terms that govern the analysis are published and available before any request.
DATA PROCESSING · LGPD
The analysis processes publicly observable surface-level data about the organization and contact information provided in the request. The processing follows the principles of the General Data Protection Law (LGPD): specific purpose, minimization, transparency, and security.
Contact information is used to deliver the analysis results and related communications. The data subject may request access, correction, or deletion of their data at any time as described in the Privacy Policy.
PLATFORM SECURITY POSTURE
The platform is operated under the same principles we apply to assessing exposure: minimization of data, access control, and traceability. Security operation is part of the product, not an add-on.
Detailed documentation of platform controls — and the current stage of compliance with recognized market standards — is shared with clients and procurement areas under a confidentiality agreement during the security review process. We respond to supplier questionnaires (VSQs) in the same flow.
We share security and compliance documentation, and respond to vendor security questionnaires (VSQ), under a confidentiality agreement. Contact our team.
Contact the security team