BARGHEST conducts security research, reverse engineering, incident response, penetration testing, digital forensic investigations, and open-source security tool development. Because this work may involve sensitive and high-risk data, we handle data lawfully, securely, and transparently.
This policy covers research, DFIR, reverse engineering, and related security work. It is separate from the privacy policy that explains how this website handles visitor analytics.
BARGHEST acts as a data controller for forensic investigation data we receive, our internal operations, reverse engineering operations, and open-source development or community interactions. We determine the purpose and means of processing within the scope of each case.
We process data strictly for investigative and research purposes. This may include:
This data may contain personal data, sensitive personal data, confidential information, or other high-risk information.
We collect limited operational data such as names, email addresses, organization details, and communication records where needed to operate and communicate.
When users interact with our public repositories, we may process usernames, public profile information, issue reports, comments, discussions, commits, pull requests, and related contribution metadata. This information is publicly available and provided directly by users.
Our open-source tools do not collect telemetry or usage data. If this changes, it will be clearly documented, opt-in only, and will not include personally identifiable information.
We process data only to:
We do not use investigation data for marketing, profiling, or unrelated secondary purposes.
We process personal data under the General Data Protection Regulation where necessary for legitimate interests, including conducting digital forensic investigations, identifying security threats, supporting security research and analysis, and protecting individuals or organizations from harm.
Where investigations involve special category data, we may rely on Article 9 conditions including processing necessary for the establishment, exercise, or defence of legal claims, reasons of substantial public interest where applicable, or scientific and research purposes with appropriate safeguards.
Investigations are typically conducted on a consensual basis at the request of, and with authorization from, the device owner or responsible party. However, investigation data may include information about individuals who have not directly provided consent, so consent is not relied on as the primary GDPR legal basis.
In some cases, we process data not obtained directly from an individual, such as data contained within forensic artefacts. Where applicable, we may rely on GDPR exemptions, including Article 14(5), where providing notice would be impossible, involve disproportionate effort, or prejudice the objectives of the investigation.
We may also process data where necessary to comply with applicable legal obligations.
Investigation data is retained only as long as necessary for analysis, reporting, or legal purposes. Data is securely deleted when it is no longer required.
We do not sell or monetize data. We may share data only with authorized stakeholders involved in the investigation or where required by law.
We implement appropriate technical and organizational safeguards, including encryption in transit and at rest, least-privilege access controls, isolated analysis environments, and audit logging.
When we identify vulnerabilities, we follow responsible disclosure practices that balance public interest, user safety, vendor remediation timelines, transparency, and accountability. We report vulnerabilities to affected vendors or maintainers where appropriate, avoid exploit activity beyond what is necessary to validate impact, and take particular care in high-risk and civil society contexts.
If you discover a vulnerability in our tools or infrastructure, report it to info@barghest.asia. Include a description of the issue, steps to reproduce, affected versions or components, and any proof-of-concept where appropriate.
We may update this policy periodically. Updates will be published with a revised effective date.