For data security teams who own sensitive-data findings as a structured record
Data security teams own the workflow that sits between data classification policy, sensitive-data exposure findings, secret scanning output, cloud storage configuration findings, DPIA artefacts, and the audit evidence pack into GDPR, HIPAA, PCI DSS, ISO 27018, ISO 27701, SOC 2, and the wider compliance estate. The work runs across DSPM exports, CSPM exports, DLP alerts, code scanner secret detections, manual review notes, and pentest report PDFs that arrive twice a year, and the team carries it in a sensitive-data inventory spreadsheet, a DPIA folder, a remediation tracker, and a quarterly evidence deck that drift apart between cycles. SecPortal pairs engagement records per data-security workstream, findings management with CVSS 3.1 and owner-of-record, secret-scanning workflow through code scanning across connected repositories, authenticated DAST against pages that handle regulated data, external scanning that covers exposed cloud storage and leaked credentials, compliance tracking across GDPR, HIPAA, PCI DSS, ISO 27018, ISO 27701, SOC 2, and the other 21 supported frameworks, document management for DPIAs and classification policies, AI-assisted reporting, role-based access control with multi-factor authentication, and an append-only activity log on one workspace.
No credit card required. Free plan available forever.
A data security workspace built around the data domain engagement record
Data security teams own the workflow that sits between data classification policy, sensitive-data exposure findings, secret scanning output, cloud storage configuration findings, DPIA artefacts, and the audit evidence pack into GDPR, HIPAA, PCI DSS, ISO 27018, ISO 27701, SOC 2, NIST SP 800-171, and the wider compliance estate. The work usually carries across a DSPM export, a CSPM export, a DLP alert queue, a code-scanner secret-detection dashboard, an authenticated DAST tool that someone configured once, an external scanner that runs on a quarterly cadence, a folder of DPIAs in a shared drive, a record-of-processing spreadsheet, an exception email thread, and an audit committee deck that gets rebuilt from scratch every cycle. The cost is not the licensing. It is the reconciliation hours each cycle and the residual privacy drift between cycles.
SecPortal gives data security teams one workspace for engagement records per data domain, findings management with CVSS 3.1 scoring and owner-of-record across every source, code scanning via Semgrep against connected GitHub, GitLab, and Bitbucket repositories under OAuth for hard-coded credential and unsafe data handling rule findings, authenticated DAST with encrypted credential storage against pages handling regulated data, external scanning across the verified perimeter that surfaces exposed cloud storage and leaked credentials, compliance tracking that covers GDPR, HIPAA, PCI DSS, ISO 27018, ISO 27701, SOC 2, NIST SP 800-171, and the other 21 supported frameworks in parallel, AI-assisted programme reporting, role-based access control with multi-factor authentication, document management for DPIAs and classification policies, and an append-only activity log that ties the trail together. The data security programme reads from one record rather than from a folder hierarchy and a quarterly reconciliation spreadsheet.
SecPortal is not a dedicated DSPM platform. It does not crawl databases or cloud storage to discover and classify data at rest, it does not run a data-flow graph across the data estate, it does not perform native DLP egress inspection, and it does not ship with a packaged data classification engine. Teams running a dedicated DSPM, CSPM, or DLP platform import the resulting findings into the engagement record for the data domain so the data-side findings live alongside the wider security backlog and read against the same compliance evidence pack. Teams that operate without a dedicated DSPM still benefit from the consolidated record for sensitive-data findings that surface from authenticated DAST, external scanning, code scanning, manual review, and pentest reports.
Capabilities data security teams use cycle to cycle
Engagement records per data domain
Open an engagement per data security workstream (data inventory baseline, sensitive-data classification rollout, DPIA cycle per high-risk application, secret-scanning programme rollout, customer-data subject access request readiness, breach notification rehearsal, cyber insurance evidence cycle, audit-readiness cycle per framework). The classification policy, the DPIA artefact, the data flow diagram, the record-of-processing entry, the data retention schedule, the residual-risk decision log, the steering committee minutes, and the regulator correspondence trail attach as documents on the same engagement record. The data security programme reads from one workspace rather than from a folder hierarchy that never survives a reorganisation.
Findings management with CVSS scoring and owner-of-record
Every data security finding lands on the engagement record for the data domain with an auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and remediation status. Sensitive-data exposure findings from authenticated DAST, exposed-cloud-storage and credential-leak findings from external scanning across 16 modules, hard-coded credential and unsafe data handling findings from Semgrep-based code scanning, manually logged DSPM and CSPM exports, DLP alert escalations, third-party pentest findings, and bug bounty submissions consolidate on one queue. The backlog reads from one workspace rather than from four scanner consoles and a quarterly reconciliation spreadsheet.
Code scanning for secrets and unsafe data handling
Connect GitHub, GitLab, or Bitbucket through OAuth and run Semgrep-based SAST and dependency analysis across the repositories in scope. Hard-coded credential detections, unsafe deserialisation rules, weak cryptography rule packs, and PII-handling rule findings land on the engagement record for the application with rule references and evidence, so the secret-scanning remediation workflow reads from the same record the data security team operates on. Retesting workflows verify the rotation and the activity log records every state change with the actor and the timestamp.
Authenticated DAST against pages that handle regulated data
Authenticated DAST runs against pages that sit behind the login screen and that touch regulated personal, payment, or health data. Cookie, bearer token, basic auth, and form login modes are supported, and credentials are encrypted at rest with AES-256-GCM, so authenticated scanning against pages handling regulated data does not depend on a shared password manager. Role-based access control scopes the scan output to the data security team, and the activity log records every credential change with the actor and the timestamp.
External scanning for exposed cloud storage and leaked credentials
External scanning across 16 modules covers exposed cloud storage, leaked credentials, subdomain enumeration, certificate transparency mining, TLS configuration, security headers, and tech-stack fingerprinting on the verified perimeter. Findings land on the engagement record for the asset with severity, evidence, and remediation guidance. The data security team reads the external surface that touches regulated data off the same record the internal workstreams operate on rather than from a quarterly external surface review.
Cross-framework compliance tracking for the data-protection estate
Compliance tracking maps engagement records and findings against GDPR articles 5, 25, 32, and 33, HIPAA Security Rule safeguards, PCI DSS requirements 3 and 4, ISO 27001 Annex A, ISO 27018 personal data on the cloud controls, ISO 27701 privacy information management controls, SOC 2 Trust Services Criteria, NIST SP 800-53 control families, NIST SP 800-171 protected-information controls, NIST CSF 2.0 functions, and the other 21 supported frameworks on the same record. One mapping satisfies multiple audit packs and a single data-domain engagement record can read against GDPR Article 32 evidence, HIPAA technical safeguards, and PCI DSS Requirement 3 in parallel.
Document management for DPIAs and classification policies
Document management attaches the DPIA artefact, the data flow diagram, the data classification policy, the record-of-processing register, the data subject rights procedure, the data retention schedule, the third-party data processor list, the standard contractual clauses, the breach notification playbook, and the privacy steering committee minutes to the engagement record for the data domain. Plans, version history, and the upload trail live on the same record the findings sit on, so the data protection officer, the privacy counsel, and the audit committee read from one workspace.
AI-assisted data security programme reporting
AI-assisted reporting regenerates data security executive summaries, per-domain status writeups, programme remediation roadmaps, data subject access request readiness narratives, breach notification rehearsal summaries, and compliance summaries from the live engagement data on demand. The privacy steering committee, the audit committee, the data protection officer readout, and the engineering management readout regenerate from the same record the data security operators run on, so the leadership view stays anchored to operational reality between cycles.
Role-based access control, multi-factor authentication, and activity log
Role-based access control scopes the data security team, the data protection officer, the privacy counsel, the engineering owners, the audit observers, and the steering committee participants to the engagements they actually need. Multi-factor authentication is enforced on every account, and an append-only activity log records every finding update, scan run, document upload, retest run, exception decision, comment, credential rotation, and team change with the actor, the entity, the timestamp, and the action. Plan retention covers 30, 90, or 365 days, and CSV export keeps the programme trail reproducible at audit time.
How data security teams run the discipline inside SecPortal
A data security programme that holds up under regulator review, audit fieldwork, cyber insurance underwriting, customer security questionnaires, and incident post-mortem operates on a small set of disciplines. The classification policy, the DPIA, the data flow diagram, the record-of-processing entry, the data retention schedule, the residual-risk decision log, the secret scanning queue, the exposed cloud storage register, and the audit-evidence trail inherit each one rather than carving out a parallel operating model per artefact.
- Treat each data domain and each data security workstream as a structured engagement record rather than as a recurring meeting. The classification policy, the DPIA, the data flow diagram, the record-of-processing entry, the data retention schedule, the residual-risk decision log, and the audit-evidence trail live on the same record across the workstream lifecycle.
- Run sensitive-data findings off the live engagement record rather than a quarterly reconciliation spreadsheet. Authenticated DAST against pages handling regulated data, external scanning that surfaces exposed cloud storage and leaked credentials, and Semgrep-based code scanning for hard-coded credentials and unsafe data handling all attach to the engagement record for the application, so the data-side backlog reads from one queue.
- Anchor data-protection control evidence against the same engagement records that hold the live operational findings, through compliance tracking. GDPR Article 32 technical and organisational measures, HIPAA Security Rule safeguards, PCI DSS Requirement 3 stored cardholder data protection, ISO 27018 personal data on the cloud controls, ISO 27701 privacy information management controls, and SOC 2 Trust Services Criteria evidence read from the live record rather than from a privacy spreadsheet maintained by hand.
- Capture risk acceptances and exceptions on residual sensitive-data exposure decisions on the same record as the finding they cover, with linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, and review cadence. The exception register reads as a queue of dated decisions with named owners and explicit expiry rather than as a narrative email thread the audit committee cannot reconstruct decision chains from.
- Run the DPIA cycle and the data subject access request readiness cycle on the same workspace the data security operators run on. The DPIA artefact, the data flow diagram, the privacy review minutes, and the DSR rehearsal evidence sit on the engagement record alongside the live findings the privacy steering committee and the audit committee read off.
- Regenerate the data security leadership view from the live record through AI-assisted reporting rather than maintain a parallel reporting artefact. The privacy steering committee deck, the audit committee report, the underwriter evidence pack for cyber insurance, and the customer security questionnaire response read from the same engagement record the data security team operates on.
- Maintain an append-only activity trail across every workstream, every finding, every exception decision, every retest, every document version, every credential rotation, and every team change, so the question of why the data security programme made a specific decision has a single defensible answer at regulator review time.
From classification policy to audit committee readout, on one engagement record
The data security programme loop is: open the data domain engagement, run the sensitive-data scanner coverage, land the findings, map the controls, record the exceptions, route the cross-team work, regenerate the leadership view, and read the recurring cadence. SecPortal runs a single workflow that the data security team, the data protection officer, the privacy counsel, the engineering owners, the privacy steering committee, and the audit committee can all work against without re-keying state into another tool.
1. Open an engagement per data security workstream and per data domain that needs a structured baseline. Capture the data domain owner, the data classes in scope (personal, payment, health, intellectual property, other regulated), the applicable framework set (GDPR, HIPAA, PCI DSS, ISO 27018, ISO 27701, SOC 2), the in-scope repositories, the in-scope authenticated DAST targets, the in-scope external scanner targets, and the named audit observers on the engagement record. Attach the data inventory baseline, the data flow diagram, the DPIA, the classification policy, the retention schedule, and the record-of-processing entry as documents.
2. Run sensitive-data scanner coverage off the engagement record. Authenticated DAST runs against pages behind the login screen that touch regulated data. External scanning runs across the verified perimeter for the data domain, covering exposed cloud storage, leaked credentials, subdomain enumeration, certificate transparency, TLS configuration, and security headers. Code scanning runs Semgrep-based SAST and dependency analysis against connected GitHub, GitLab, or Bitbucket repositories, with hard-coded credential and unsafe data handling rule findings landing on the engagement record.
3. Land every data security finding on the engagement record for the data domain with auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and remediation status. DSPM and CSPM exports import in bulk through CSV with custom column mapping. DLP alert escalations log manually. Third-party pentest findings consolidate on the same record. Findings deduplication, prioritisation, and the owner-of-record routing read from one queue rather than from four scanner consoles.
4. Map findings, scanner output, and engagement records against GDPR articles, HIPAA Security Rule safeguards, PCI DSS requirements, ISO 27018, ISO 27701, SOC 2 Trust Services Criteria, NIST SP 800-53 control families, NIST SP 800-171 controls, and the other supported frameworks through compliance tracking. The GDPR Article 32 evidence pack, the HIPAA technical safeguards pack, the PCI DSS Requirement 3 stored cardholder data pack, and the SOC 2 CC6.7 confidentiality pack read from the same engagement record.
5. Capture risk acceptances, exceptions, and compensating control decisions on residual sensitive-data exposure on the same record as the findings they cover, with linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, and review cadence. The privacy review cycle, the steering committee, and the audit committee read exceptions that are actually due rather than re-debating the same items.
6. Route the work through role-based access control and multi-factor authentication. Data security engineers see the engagements for the data domains they cover, the data protection officer reads the privacy-relevant engagements, engineering owners see the findings assigned to them, privacy counsel reads the DPIA and exception trail, and the audit committee reads the programme posture across the data estate without seeing the full operational backlog.
7. Regenerate the data security leadership view through AI-assisted reporting. Executive summaries, per-domain status writeups, programme remediation roadmaps, DSR readiness narratives, breach notification rehearsal summaries, underwriter evidence packs, and customer security questionnaire responses draft from the live engagement data on demand. The data security team edits drafts rather than writing the deck from a blank page each cycle.
8. Read the recurring programme cadence from the append-only activity log. Every finding update, scan run, document upload, retest run, exception decision, comment, credential rotation, and team change is recorded with the actor, the timestamp, and the action. CSV export keeps the programme trail reproducible at regulator review time.
Where the data security view connects to the rest of the workspace
Most data security functions adopt SecPortal in three phases: bring every data domain onto an engagement record so the classification policy, the DPIA, the data flow diagram, and the findings live on one record; layer in code scanning, authenticated DAST, and external scanning so sensitive-data coverage runs off the live record rather than a quarterly reconciliation spreadsheet; and route the privacy review, audit, and underwriter cadence through compliance tracking, role-based access control, and AI-assisted reporting so the data protection officer, the privacy steering committee, the audit committee, and the engineering owners all read from the same source the data security team runs on. The relevant capability, workflow, framework, and blog pages explain each phase in detail.
- The engagement record model that anchors every data domain is covered on the engagement management feature page, the per-domain findings repository on the findings management feature page, and the DPIA, data flow diagram, classification policy, and record-of-processing attachment surface on the document management feature page.
- The Semgrep-based SAST and dependency analysis layer against connected repositories on the code scanning feature page, the authenticated DAST layer against pages behind the login screen on the authenticated scanning feature page, and the encrypted credential storage that authenticated DAST runs on, on the encrypted credential storage feature page.
- The external attack surface scanning layer that surfaces exposed cloud storage, leaked credentials, and TLS misconfigurations on the external scanning feature page, the multi-framework control mapping that a single engagement record reads against on the compliance tracking feature page, and the AI-assisted privacy steering committee summary regeneration on the AI reports feature page.
- The GDPR framework anchor on the GDPR framework page, the HIPAA framework anchor on the HIPAA framework page, and the PCI DSS framework anchor on the PCI DSS framework page.
- The cloud personal data framework anchor on the ISO 27018 framework page, the privacy information management framework anchor on the ISO 27701 framework page, and the SOC 2 framework anchor on the SOC 2 framework page.
- The Data Security Posture Management explainer on the data security posture management explainer, the SaaS Security Posture Management explainer on the SaaS security posture management explainer, and the Cloud Security Posture Management explainer on the cloud security posture management explainer.
- The secret scanning remediation workflow on the secret scanning remediation workflow use case, the customer security evidence room workflow on the customer security evidence room use case, and the breach notification and regulator readiness workflow on the breach notification and regulator readiness use case.
- The audit evidence retention and disposal workflow on the audit evidence retention and disposal use case, the vendor security questionnaire response workflow on the vendor security questionnaire response workflow use case, and the cyber insurance security evidence workflow on the cyber insurance security evidence use case.
- The sensitive data exposure vulnerability explainer on the sensitive data exposure vulnerability page, the hard-coded secrets vulnerability explainer on the hard-coded secrets vulnerability page, and the cloud bucket misconfiguration vulnerability explainer on the cloud bucket misconfiguration vulnerability page.
- The vulnerability acceptance and exception management workflow that captures residual sensitive-data exposure decisions on the vulnerability acceptance and exception management use case, the remediation tracking workflow that follows the data security findings through to verified close on the remediation tracking use case, and the finding state lifecycle that records each transition with an actor and a timestamp on the vulnerability finding state lifecycle use case.
Where the data security team role sits next to adjacent personas
Data security teams run the data-side discipline that sits between the executive sponsor (the CISO), the cross-team programme coordinator (the security program manager), the cloud-side operator function (the cloud security team), the GRC and privacy evidence owner (the GRC and compliance team), the vulnerability management cross-source backlog owner, and the internal security function that runs the consolidated security programme. The data security team owns the data-protection operational layer rather than any one of those adjacent shapes.
If your function is the cloud-side operator that runs the CSPM, KSPM, and SSPM workflow against cloud configuration posture, and from which the data security team reads the cloud-resource side of the data domain, the SecPortal for cloud security teams page covers the cloud-side operating model that pairs to the data security discipline.
If your function is the GRC and compliance evidence owner that assembles audit packs across GDPR, HIPAA, PCI DSS, ISO 27018, ISO 27701, SOC 2, and the wider compliance estate from the data security findings, the SecPortal for GRC and compliance teams page covers the evidence-side discipline that reads from the same record the data security team operates on.
If your function is the cross-source vulnerability management backlog owner that consolidates the data-side findings into the wider security backlog, the SecPortal for vulnerability management teams page covers the unified queue discipline that the data security findings land on.
If your function is the cross-cutting product security organisation that handles PSIRT-style intake on data-side product issues, the SecPortal for product security teams page covers the PSIRT intake and product security review workflow that sits alongside the data security discipline.
If your function is the identity-side operator that runs the identity engineering, privileged access, non-human identity inventory, federation trust, and MFA rollout discipline adjacent to the data security workflow on sensitive-data access governance, the SecPortal for identity security teams page covers the identity-side operating model that pairs to the data security discipline on the access-control layer.
If your function is the internal security team that runs the consolidated security programme across data security, AppSec, vulnerability management, and incident response, the SecPortal for internal security teams page covers the consolidated workspace view the data security programme rolls into.
If your function is programme-level executive sponsorship and board-level reporting rather than the data security discipline specifically, the SecPortal for CISOs and security leaders page covers the leadership-tier reporting workflow the data security posture rolls up into.
SecPortal is built for data security teams who want one workspace for the classify-cover-track-map-evidence-report loop: engagement records per data domain, code scanning across connected repositories for hard-coded credentials and unsafe data handling, authenticated DAST against pages handling regulated data, external scanning that surfaces exposed cloud storage and leaked credentials, findings management with owner-of-record across every source, multi-framework compliance tracking that covers GDPR, HIPAA, PCI DSS, ISO 27018, ISO 27701, and SOC 2 in parallel, AI-assisted programme reporting, role-based access control with multi-factor authentication, document management for DPIAs and classification policies, and an append-only activity log on top. The data protection officer reads the privacy-relevant engagements, privacy counsel reads the DPIA and exception trail, the audit committee reads the programme posture across the data estate, and the data security team gets back the hours that used to disappear into reconciliation between privacy spreadsheets, scanner exports, and DPIA folders.
The problems you face
And how SecPortal solves each one.
Sensitive-data findings arrive from a DSPM export, a CSPM export, a DLP alert, a code scanner secret detection, a manual review note, and an external pentest PDF, and the data security team rebuilds the consolidated picture every quarter from four scanner consoles, two ticketing queues, and a spreadsheet
Every data security finding lands on the engagement record for the data domain with an auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and remediation status. Sensitive-data exposure findings from authenticated DAST, exposed-cloud-storage and credential-leak findings from external scanning across 16 modules, hard-coded secret and unsafe data-handling findings from Semgrep-based code scanning, manually logged DSPM and CSPM exports through bulk finding import, and third-party pentest findings consolidate on one queue. The backlog reads from one workspace rather than from four tools and a spreadsheet.
Secret scanning across the codebase runs as a side workflow with its own dashboard, its own severity model, and its own remediation queue, and credentials that should have been rotated months ago sit in a backlog the data security team is not authoritative on
Code scanning runs Semgrep-based SAST and dependency analysis across connected GitHub, GitLab, and Bitbucket repositories under OAuth. Hard-coded credential, sensitive-data handling, and PII-leak rule findings land on the engagement record for the application with rule references, evidence, severity, owner-of-record, and remediation status. The secret-scanning remediation workflow reads from the same record the data security team operates from, retesting workflows verify the rotation, and the activity log records every state change with the actor and the timestamp.
DPIA, data flow, data classification, and record-of-processing artefacts live in a SharePoint folder, a Confluence space, a Google Drive, and an email thread, and the audit committee cannot reconstruct which DPIA covers which application, which classification policy is current, and which data flow has been reviewed since the last reorganisation
Document management attaches the DPIA artefact, the data flow diagram, the data classification policy, the record-of-processing register, the data subject rights procedure, and the data retention schedule to the engagement record for the data domain. Plans, version history, and the upload trail live on the same record the findings sit on, so the audit committee, the data protection officer, and the privacy counsel read from one workspace rather than from a folder hierarchy that never survives a reorganisation.
Mapping data security findings to GDPR Articles 5, 25, 32, and 33, to HIPAA Security Rule safeguards, to PCI DSS Requirements 3 and 4, to ISO 27018 and ISO 27701 controls, to SOC 2 Trust Services Criteria, and to NIST SP 800-171 protected-information controls is parallel work that produces six reconciled evidence packs each audit cycle
Compliance tracking maps engagement records and findings against GDPR Articles, HIPAA Security Rule safeguards, PCI DSS requirements, ISO 27001 Annex A, ISO 27018, ISO 27701, SOC 2 Trust Services Criteria, NIST SP 800-53 control families, NIST SP 800-171 controls, NIST CSF 2.0 functions, and the other 21 supported frameworks on the same record. One mapping satisfies multiple audit packs, and CSV export of findings, control status, and the activity trail is available when the auditor wants the trail in their own format.
Risk acceptances on residual sensitive-data exposure decisions are stored in narrative emails that the audit committee cannot reconstruct decision chains from, and the same exception gets re-debated every privacy review cycle because the original compensating control, residual likelihood, residual impact, business rationale, and expiry are not on the same record as the finding
The vulnerability acceptance and exception management workflow captures the linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, and review cadence on a structured exception attached to the finding. The exception register reads as a queue of dated decisions with named owners and explicit expiry, so the privacy review cycle reads exceptions that are actually due rather than re-debating the same items.
Data subject access request workflows, breach notification readiness, customer security questionnaire responses, and underwriter evidence asks for cyber insurance all pull from the same data security evidence base, and the team assembles the same packs from scratch each time because the evidence is scattered
The breach notification and regulator readiness use case, the customer security evidence room use case, the vendor security questionnaire response use case, and the cyber insurance security evidence use case all read from the same engagement records, findings, document attachments, and activity trail. Evidence assembled for one audience becomes the seed for the next, and the data security team stops rebuilding the same pack from scratch each cycle.
Authenticated scanning against pages that handle regulated personal, payment, or health data needs encrypted credentials, role-scoped access to the scan output, and an audit trail of every credential rotation, and the data security team carries the credentials in a shared password manager because the scanner-side workflow does not have a credential vault
Authenticated DAST runs against pages that sit behind the login screen and that touch regulated data. Cookie, bearer token, basic auth, and form login modes are supported, credentials are encrypted at rest with AES-256-GCM, role-based access control scopes the scan output to the data security team, and the activity log records every credential change with the actor and the timestamp. The credential rotation cadence sits on the engagement record rather than in a shared password manager.
Privacy, security, and engineering owners read different snapshots of the data security programme at different cycles, and the leadership view drifts away from the operational reality between the privacy steering committee and the audit committee
AI-assisted reporting regenerates data security executive summaries, per-domain status writeups, programme remediation roadmaps, DSR readiness narratives, and compliance summaries from the live engagement data on demand. The privacy steering committee, the audit committee, the data protection officer readout, and the engineering management readout regenerate from the same record the data security operators run on, so the leadership view stays anchored to operational reality between cycles.
Key features for you
Orchestrate every security engagement from start to finish
Vulnerability management software that tracks every finding
Find vulnerabilities before they ship
Test web apps behind the login
Vulnerability scanning tools that map your attack surface
Compliance tracking without a full GRC platform
Document management for every security engagement
AI-powered reports in seconds, not days
Every action recorded across the workspace
Run data security findings on one record
Engagement records per data domain, sensitive-data findings consolidated from authenticated DAST, external scanning, and code scanning, compliance tracking across GDPR, HIPAA, PCI DSS, ISO 27018, and ISO 27701, DPIA and policy artefacts on document management, AI-assisted reporting, role-based access control, and an append-only activity log on one workspace. Free plan available.