What Reefscan does — and what it doesn't.
Most "compliance tools" oversell. We won't. Below is exactly which controls Reefscan supports across 16 mapped controls in 16 frameworks — including the honest limitations your auditor will absolutely ask about.
Privacy & Data-Subject Rights
GDPR, CCPA, and state-level deletion laws
Right to Erasure ("Right to be Forgotten")
Operationalizes the data-subject right by automating broker opt-out workflows and tracking removal status as audit evidence.
Does not prove broker compliance. Does not satisfy a controller's own erasure obligations toward its data subjects.
Security of Processing
Credential-exposure monitoring (HIBP) supports the obligation to detect known compromise of personal data.
Not a substitute for technical & organizational measures (TOMs) on the controller's own systems.
Right to Delete Personal Information
Helps consumers exercise the right against data brokers, with timestamped opt-out evidence.
Does not satisfy a business's own duty to honor consumer deletion requests it receives.
Data Broker Single-Mechanism Deletion
Educates clients on the broker ecosystem and provides interim deletion tracking ahead of DROP go-live.
Once DROP is operational, CA residents will use the official CPPA mechanism. Reefscan complements, does not replace.
Security & Awareness Frameworks
NIST CSF, NIST 800-53, SOC 2, ISO 27001
Risk Assessment
Surfaces credential-exposure threat data that feeds enterprise risk register & threat-model inputs.
One-shot scans are not a substitute for continuous threat-intelligence feeds.
Awareness & Training
Personal, visceral exposure reports drive workforce security awareness — far more effective than slides.
Not a formal LMS. Should accompany, not replace, structured awareness programs.
Literacy Training & Awareness
Quarterly exposure scans on workforce email domains produce evidence of ongoing awareness activities.
Must be paired with documented training records to satisfy auditor requirements.
Incident Handling
Breach hits can trigger IR procedures — flagged credentials feed incident workflows.
No SIEM integration, no chain-of-custody preservation, not a full IR platform.
Security Event Monitoring
Credential-breach monitoring can be referenced in service-organization narratives as a supporting control.
Not a standalone SOC 2 control. Must be wrapped in documented procedures.
Information Security Awareness
Personal exposure scans feed awareness program effectiveness metrics.
Must be paired with documented training & assessment records.
Sector & Regulator-Specific
HIPAA, PCI-DSS, NYDFS, SEC, Executive Privacy laws
Security Incident Procedures
Detects exposed credentials of workforce members handling ePHI.
Not BAA-eligible by default. Do not feed actual ePHI into the tool.
Authentication Requirements — Password Policy
A k-anonymity password check flags credentials known to appear in breach corpora, supporting a "compromised passwords" policy without ever sending the password or its full hash off the device.
Not a substitute for an enterprise password manager or IAM control.
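The k-anonymity check referenced above works as a range query: the client hashes the candidate password with SHA-1, sends only the first five hex characters of that hash, receives every known suffix in that bucket, and compares locally. The following is an added illustration of that protocol, not Reefscan's code; the "server" is an in-memory stand-in built from a constructed breach corpus (with made-up counts) so it runs offline, and it records what it was asked so a reader can confirm that only a 5-character prefix ever leaves the client.

```python
"""k-anonymity (range-query) compromised-password check, modelled on the
Pwned Passwords range API. Added example, not part of the original page."""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> times seen. Counts are invented.
CONSTRUCTED_CORPUS = {
    "password": 1000,
    "123456": 500,
    "qwerty": 42,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the hash the range API keys on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Stand-in for a /range/{prefix} endpoint (hypothetical, offline).

    Buckets every corpus hash by its 5-char prefix and returns the bucket as
    CRLF-separated "SUFFIX:COUNT" lines. Requests are recorded so callers can
    verify that the client never transmitted more than the prefix.
    """

    def __init__(self, corpus: dict):
        self._buckets = defaultdict(list)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self._buckets[h[:5]].append(f"{h[5:]}:{count}")
        self.requests = []

    def range(self, prefix: str) -> str:
        self.requests.append(prefix)
        if len(prefix) != 5:
            raise ValueError("range prefix must be exactly 5 hex characters")
        # A real bucket holds hundreds of suffixes; ours holds 0..3.
        return "\r\n".join(sorted(self._buckets.get(prefix, [])))


def parse_range_response(body: str) -> dict:
    """Parse "SUFFIX:COUNT" lines into {suffix: count}.

    Tolerates blank lines and padding entries with a count of 0 (the real API
    can emit padding rows so response size does not leak bucket size); a
    0-count row is treated as 'not seen'.
    """
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count or 0)
    return out


def pwned_count(password: str, server) -> int:
    """Return how often the password appears in the corpus, leaking only its hash prefix."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    body = server.range(prefix)          # only the prefix crosses the wire
    return parse_range_response(body).get(suffix, 0)  # suffix match stays local


def enforce_compromised_password_policy(password: str, server, threshold: int = 1):
    """Policy decision: (allowed, count). Log the count as evidence, never the password."""
    count = pwned_count(password, server)
    return count < threshold, count


if __name__ == "__main__":
    srv = FakeRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ("password", "constructed-unbreached-passphrase-7Q!"):
        allowed, count = enforce_compromised_password_policy(candidate, srv)
        print(f"allowed={allowed} seen={count} prefixes_sent={srv.requests[-1]}")
```

The policy hook returns the breach count rather than just a boolean so that the number, not the password, can be written to the audit trail; the threshold parameter lets a deployment treat "seen once" differently from "seen a thousand times" if its policy says so.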
Cybersecurity Awareness Training
Exec/employee breach exposure reports operationalize awareness for covered entities.
Not a substitute for written awareness program documentation.
Third-Party Service Provider Security Policy
Domain-level breach checks across vendor lists provide TPRM evidence.
Does not perform full vendor assessments — supplements them.
Executive / Public-Official Data Removal
Operationalizes broker removal for protected persons (judges, LEO, healthcare workers) in NJ, FL, TX, and ~15 other states.
State programs (e.g., NJ OIPP) are the authoritative channel; Reefscan handles non-program brokers.
Material Cybersecurity Incident Disclosure
Early surfacing of credential exposure supports incident materiality assessment for public companies.
Not a determination of materiality — assists, does not decide.
Need an audit-ready crosswalk for your client?
Lionfish produces a branded PDF crosswalk that maps Reefscan evidence to your client's specific framework (ISO 27001, SOC 2, NIST 800-53, etc.) — ready to drop into an audit binder.