Commissioning a pentest in the German mid-market today hits a contradiction: GDPR Article 32 requires "security of processing" — but the pentest itself is often already a GDPR problem. This post explains why, and what the solution looks like.

The contradiction

A standard pentest with a SaaS provider works like this: the customer enters their domains and IP ranges into the tool, the scan runs, results are stored on the provider's server, and a PDF report is generated. For US-based tools (Intruder, Tenable, Qualys), this means scan raw data (including subdomain structures, software versions, open ports) goes to US infrastructure. Legal basis: usually the EU-US Data Privacy Framework (DPF) since 2023 — which the CJEU could strike down at any time (as with Schrems I and II). For companies with health data, financial data, or municipal data, this is not permissible at all, even with DPF.

What supervisory authorities say

The German DSK in its 2023 guidance made clear: metadata like IP structures, user mappings, and access patterns are personal data as soon as they're linkable to real people. For a hospital, that means scans of internal networks (with hostnames like radiology-doctor-smith-pc) must not be uploaded to a US tool. Not with DPF, not with Standard Contractual Clauses.

Three ways out of the dilemma

1. Build in-house: hire internal pentesters, develop your own toolchain. Realistic only for organizations with 500+ employees and a security budget.
2. German-only service providers like SySS, usd, or Secuvera perform on-site pentests; data stays in Germany. High quality but expensive (starting at ~15,000 EUR per pentest) and typically only annual.
3. Self-hosted tooling: OpenVAS (outdated), Nuclei (good but no AI planning), Metasploit (just an exploit framework, no scan automation). Until now, a modern AI-powered self-hosted platform has been missing. SentinelClaw closes that gap.
Minimum requirements for a GDPR-compliant pentest

- Execution entirely on customer-controlled infrastructure
- No metadata telemetry to the vendor
- Raw data deletion after the pentest, with configurable retention
- Audit trail for every action (ISO 27001 A.12.4.1)
- Clear TOM documentation in the data processing agreement if an external provider runs it

How SentinelClaw handles this

SentinelClaw runs as a Docker Compose stack on a server of your choice (your own VPS, a Hetzner instance, an on-premise machine). The entire pentest — reconnaissance, planning, execution, report — happens on that server. AI planning uses local LLMs (Ollama), with no call-home. Raw data is automatically deleted after a configurable period. Audit logs are written in SIEM-compatible JSON.

Conclusion

GDPR-compliant pentests are not a theoretical problem — they're the new normal for any German mid-market company with sensitive data. Self-hosted tooling is becoming a compliance standard, not a nice-to-have.

Questions on implementation — with SentinelClaw or other tools — get in touch at kontakt@techlogia.de. Initial consultation is free.
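Two of the minimum requirements above, configurable raw-data retention and an audit trail for every action, are easy to state and easy to get wrong in practice (deletion that is silent, or logs that cannot be parsed by a SIEM). The following is an added illustration, not SentinelClaw's code and not its audit-log format: a small retention sweeper that deletes scan raw data older than a configurable number of days and writes one JSON-lines audit record per deletion plus a closing summary record. The directory layout, file names and audit field names are constructed for the example.

```python
"""Retention sweeper with a JSON-lines audit trail (constructed example)."""
import json
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def audit_event(action, target, actor="retention-sweeper", **details):
    """Build one SIEM-friendly audit record with an ISO 8601 UTC timestamp.

    Field names (ts, actor, action, target) are an assumption of this example,
    not a standard or a product format.
    """
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": str(target),
        **details,
    }


def sweep_raw_data(raw_dir, retention_days, audit_log, now=None):
    """Delete every file under raw_dir older than retention_days.

    Each deletion is appended to audit_log as one JSON line before the
    function returns; a final summary record closes the sweep. Returns the
    list of deleted paths so callers (and tests) can check the outcome.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    deleted = []
    raw_dir = Path(raw_dir)
    with open(audit_log, "a", encoding="utf-8") as log:
        for path in sorted(raw_dir.rglob("*")):
            if not path.is_file():
                continue
            mtime = path.stat().st_mtime
            if mtime < cutoff:
                path.unlink()
                deleted.append(path)
                log.write(json.dumps(audit_event(
                    "raw_data_deleted", path,
                    retention_days=retention_days,
                    file_mtime=datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
                )) + "\n")
        log.write(json.dumps(audit_event(
            "retention_sweep_completed", raw_dir,
            retention_days=retention_days, deleted_count=len(deleted),
        )) + "\n")
    return [str(p) for p in deleted]


def build_demo_scan_dir(base_dir, now):
    """Construct sample raw data: one file 45 days old, one written today."""
    base = Path(base_dir)
    old = base / "scan-2024-01" / "nmap-raw.xml"
    old.parent.mkdir(parents=True, exist_ok=True)
    old.write_text("<constructed-sample/>")
    os.utime(old, (now - 45 * 86400, now - 45 * 86400))
    fresh = base / "scan-latest" / "nuclei-raw.jsonl"
    fresh.parent.mkdir(parents=True, exist_ok=True)
    fresh.write_text('{"constructed": true}\n')
    os.utime(fresh, (now, now))
    return old, fresh


def demo(retention_days=30):
    """Run the sweeper on constructed data in a temporary directory.

    Returns (deleted file names, remaining relative paths, parsed audit records).
    """
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        raw_dir = Path(tmp) / "raw"
        audit_log = Path(tmp) / "audit.jsonl"
        build_demo_scan_dir(raw_dir, now)
        deleted = sweep_raw_data(raw_dir, retention_days, audit_log, now=now)
        remaining = sorted(p.relative_to(raw_dir).as_posix()
                           for p in raw_dir.rglob("*") if p.is_file())
        records = [json.loads(line) for line in audit_log.read_text().splitlines()]
    return [os.path.basename(d) for d in deleted], remaining, records


if __name__ == "__main__":
    for record in demo(retention_days=30)[2]:
        print(json.dumps(record))
```

With a 30-day retention the 45-day-old scan file is removed and logged; with a 60-day retention nothing is deleted but the sweep still writes its summary record, so the audit trail shows that the retention job ran even when it had nothing to do. In a real deployment the retention period would come from configuration and the audit file would be shipped to the SIEM rather than read back locally.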