Bitdefender

Bitdefender is a Romanian cybersecurity vendor. The operating entity S.C. Bitdefender S.R.L. is registered at 15A Soseaua Orhideelor (Orhideea Towers), 6th District, Bucharest, Romania (ONRC J40/20427/2005, CUI 18189442, VAT RO18189442). The group is structured under Bitdefender Holding B.V. (Dutch BV registered in The Hague on 2016-07-21 at 174 Maanweg, 2516 AB) with the ultimate parent BILTECH INVESTMENT LTD (Cyprus). Bitdefender also operates Bitdefender, Inc. (Santa Clara CA + Fort Lauderdale FL + San Antonio TX SOC) for US customers, plus regional operating subsidiaries in Germany, France, UK, Australia, Singapore, Indonesia and others (~25 group entities). Founder Florin Talpes remains CEO; co-founder Mariuca Talpes is COO.

Founder-controlled with PE minority. Florin Talpes and the Talpes family retain majority ownership and management control; Vitruvian Partners (London-based PE) holds a 30% minority stake acquired in December 2017 for approximately USD 180 million at a ~USD 600 million valuation. A 2021 US IPO was previously planned and shelved; ION Analytics has reported a possible 2024-2026 IPO window. As of May 2025 reporting on FY24 results, Vitruvian's 30% stake is still in place with no recorded exit. Bitdefender is therefore privately held but not bootstrapped: the founders set the strategic direction while a single PE house has board representation and a meaningful minority economic interest.

Yes, indirectly. The primary EU operating entity (Bitdefender S.R.L., Romania) and the Dutch holding (Bitdefender Holding B.V.) sit outside CLOUD Act reach, but Bitdefender, Inc. (US -- California-registered with offices in Santa Clara CA, Fort Lauderdale FL and the San Antonio TX SOC since 2019) is subject to US law and could be compelled to disclose data it processes. EU customers using the default GravityZone Cloud Console are processed in 'Romania, Ireland, or other state members of the European Union' per the business privacy policy. Customers using the sovereign EU SKUs -- GravityZone on OVHcloud SecNumCloud (FR) or SysEleven (DE) -- get explicit Bitdefender commitments that data 'is never accessible, transferred, or processed outside the European Union' with 'full immunity from extraterritorial laws.' Bitdefender's standard transfer mechanism for non-EU processors is Standard Contractual Clauses under GDPR Article 46.2.

The default GravityZone Cloud Console runs on AWS multi-region, with security servers automatically placed in the nearest AWS region; endpoint agents contact the nearest-region server, so default residency is region-tied rather than customer-tied. For sovereign EU deployments, Bitdefender launched two SKUs in October 2025: GravityZone on OVHcloud SecNumCloud (announced 2 October 2025, hosted in Roubaix / Gravelines / Strasbourg) and GravityZone on SysEleven OpenStack Cloud (announced 8 October 2025, in partnership with German cybersecurity vendor secunet, hosted in Germany). Quote from the secunet release: 'With GravityZone on the SysEleven OpenStack Cloud, customers know that their data stays within the EU' (Andrei Florescu, GM Business Solutions). Both sovereign SKUs cover EPP, EDR, XDR and cloud-native security. MDR operates 24x7 across three SOCs in Bucharest, San Antonio and Singapore on follow-the-sun shifts.

Bitdefender intentionally does not publish a consolidated subprocessor list. The business privacy policy is explicit: 'due to confidentiality obligations the specific information regarding the processors used will be provided to competent authorities' and 'specific information regarding the name and details for each processor used will be provided only to competent authorities.' Only generic categories are disclosed -- hosting + WAF in EU and USA; live support channels in EU, USA, Singapore, UK; offline support in EU and USA. The DPA at bitdefender.com/en-us/site/view/data-processing-agreement-for-bitdefender-solutions is publicly hosted (party named as 'Bitdefender SRL') and incorporated into the License and Services Agreement, with SCCs under GDPR Article 46.2 for non-EU transfers. Customers requiring specific subprocessor disclosures must request them under their data-processing agreement. Inferred from the published architecture documentation: AWS is the primary infrastructure subprocessor for the default GravityZone Cloud Console; OVHcloud and SysEleven are explicitly named for the sovereign-cloud SKUs.

ISO/IEC 27001 (claimed for GravityZone) and SOC 2 Type II (annual AICPA SSAE-16 audit, claimed for GravityZone Business Security Enterprise). The GravityZone Compliance Manager produces customer-facing compliance reports across GDPR, NIS 2, DORA, PCI DSS, CISv8, SOC 2, CMMC 2.0, HIPAA, ISO 27001 and UK Cyber Essentials -- these frameworks are reported on, not all certified for Bitdefender itself. Independent industry recognition: AV-TEST Top Product 2023-2025, AV-Comparatives Outstanding Security Award, Gartner Magic Quadrant Visionary and Forrester Wave Leader in Endpoint Security. Bitdefender is a CNA-equivalent contributor through Bitdefender Labs (CVE disclosures and APT attribution). Strategic partnerships include Europol EC3, FBI, DEA and the Romanian National Cyber Security Directorate (DNSC), including the dedicated Ukraine cybersecurity support program.