Responsible data & security

A useful feed should not createan unmanaged risk.

We build managed data feeds—not permission to ignore privacy, access boundaries, source rights, or security. Every project is reviewed for purpose, source, access method, requested fields, destination, and intended use before production.

Responsible collection

Boundaries before bandwidth.

Public availability is not a blanket legal conclusion. We review the actual project and expect customers to obtain qualified advice for their purpose and jurisdiction.

A defined purpose

We scope the business decision, source set, requested fields, cadence, destination, and intended use before production. We collect only what the agreed feed needs.

Public or authorised access

Our standard work uses public or customer-authorised sources. We do not bypass authentication, paywalls, or technical access controls without documented authority.

Source review

We review technical feasibility, relevant licences and terms, machine-readable crawler preferences, rate expectations, data categories, and known rights before accepting a project.

Respectful collection

Collection plans use sensible schedules, request pacing, caching, backoff, and concurrency limits designed to avoid unnecessary load on source systems.

Privacy by design

Publicly visible personal data can still be personal data. Projects involving it require a documented purpose, minimised fields and retention, and an agreed controller–processor position where applicable.

A right to decline

We may narrow, pause, or refuse work when the access method, requested data, purpose, or downstream use creates unresolved legal, privacy, security, or source risk.

Security baseline

Controls matched to the data,destination, and risk.

We do not claim a certification that has not been independently completed. Project controls and responsibilities are documented during scoping and reflected in the contract where required.

Access

MFA where supported, least-privilege project access, and customer-specific access boundaries.

Credentials

Secrets kept outside source code, shared only where needed, and rotated or revoked when access changes.

Transfer

TLS for the website and supported network transfers, with delivery through agreed customer-controlled destinations such as Azure or Amazon S3.

Engineering

Code review, dependency maintenance, automated validation, manual QA, and separation of test and production concerns appropriate to the project.

Monitoring

Run, data-quality, and delivery signals designed around the agreed feed specification, with documented investigation and recovery steps.

Data minimisation

Limited sensitive content in logs, defined project retention, and deletion or return procedures at offboarding.

Ownership & offboarding

Your data remains yours.

As between WebTruffle and the customer, delivered project outputs remain available to the customer in the agreed format, subject to applicable third-party and source rights. You can request an export of the agreed data and schema during the engagement.

WebTruffle retains ownership of scraper code, reusable libraries, internal tooling, templates, and technical know-how unless a written agreement explicitly says otherwise. The service delivers the data outcome; it does not transfer our collection software.

At offboarding, we complete the agreed final data delivery, revoke project access, and return or delete customer personal data according to the contract and applicable retention duties. Customer-controlled destination credentials are revoked or removed from our systems.

Evidence & reporting

Inspect the quality process.

Our public specimen shows how a feed can report source coverage, field completeness, validation exceptions, freshness, and delivery evidence without exposing customer data.

View the sample quality report

Report a data or security concern

Source operators, data subjects, customers, and security researchers can contact hello@webtruffle.com. Include enough detail for us to identify the source, project, or affected system. Do not include exploit code or sensitive personal data unless we ask for a secure transfer.

Standards and legal references

Our approach is informed by GDPR Articles 13, 14, 28 and 32, the NIST Cybersecurity Framework, OWASP application-security guidance, and the IETF Robots Exclusion Protocol. The protocol defines crawler preferences but explicitly does not grant access authorisation.