Scalepoint cannot recognize the headline and the journalistic angle of the case, which is why we find it necessary to clarify some individual allegations.
The article insinuates that our customers' data have been leaked. This is not correct. No data has left Scalepoint's servers, and we can document via our logs that no leak took place. Thus, no data has fallen into the wrong hands, nor has it been exposed to anyone other than trusted developers.
The article also states that Scalepoint has tried to hide the incident. This is not correct. When we became aware of the incident, we immediately contacted our external DPO (Data Protection Officer), who made a professional assessment of the security incident and concluded that no data had been leaked.
Nevertheless, we informed our customers about the security incident and our DPO's professional assessment. However, several of our customers made a different professional assessment, and they chose to report the incident to the Danish Data Protection Agency.
We acknowledge that we, as data processor, should not guide our customers on whether or not they should report such incidents to the Danish Data Protection Agency. This decision is entirely made by our customers DPOs with full access to all required information from Scalepoint.
Scalepoint acknowledges that the incident has meant that the GDPR rules have been violated, because real data has been used for testing for a period of time. We apologize for that mistake. Since the incident, we have changed our test environments and today we only use fictitious data. In addition, we have moved our Ukrainian activities into the EU.
We have continuously been in close dialogue with our customers about the incident, which means that we have implemented completely new security levels when it comes to handling our customers' data. This work continues, of course. It is Scalepoint's intention to be at the forefront of data security - partly because both society's and our customers' demands for security are growing.
Scalepoint is now awaiting the Danish Data Protection Agency's decision in the incident in question.