LEGAL

Privacy Policy

Last updated: February 2026

Information We Collect

We collect only the information necessary to deliver the ElectriCISO service to your organization. This includes:

  • Organization profile — name, type, industry, and region
  • User accounts — email address, display name, and role within your organization
  • Compliance data — assessment responses, control statuses, findings, and evidence records you create within the platform
  • Uploaded documents — evidence files, policies, and supporting materials you attach to assessments
  • Usage analytics — page interactions, feature usage patterns, and session metadata to improve the product

We do not collect sensitive personal information beyond what is listed above, and we do not use tracking pixels or third-party advertising cookies.

How We Use Your Data

  • Service delivery — to operate, maintain, and improve the ElectriCISO platform on your behalf
  • Product improvement — to understand how features are used and identify areas for enhancement
  • Security monitoring — to detect anomalous access patterns, abuse, and potential security incidents
  • Support — to respond to your questions, troubleshoot issues, and fulfill your service requests

We do not use your compliance data to train AI models. Your assessment responses, risk register, and evidence files are yours and are never used to train or fine-tune any model.

Data Storage & Security

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Your organization's data is isolated from all other tenants at the database level using Row Level Security (RLS) — a database-enforced policy that prevents any cross-tenant data access, even in the event of an application-layer bug.

  • Tenant isolation enforced at the database layer via PostgreSQL RLS policies
  • Dedicated tenant identifier on every data table — isolation is structural, not relational
  • Evidence files stored in encrypted managed object storage
  • Application-level secrets (API keys) encrypted with AES-256-GCM with unique initialization vectors per record
  • Hosted on managed, enterprise-grade cloud infrastructure

Data Sharing

We do not sell, rent, or monetize your data in any form.

Data may be shared with the following service providers solely to operate the platform, each under a Data Processing Agreement (DPA):

  • AI providers — to power compliance chat, policy generation, and analysis features. Only the content you provide in those interactions is sent, not your full compliance posture or account data.
  • Infrastructure providers — for database hosting, object storage, and authentication services.

We do not share data with advertisers, data brokers, or any third party for purposes other than service delivery.

Your Rights

You have the following rights with respect to your data:

  • Access — request a copy of the data we hold about your organization
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request complete removal of your organization's data (see Retention below)
  • Data portability — request an export of your compliance data in a machine-readable format
  • Opt-out of analytics — contact us to disable usage analytics collection for your organization

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Retention

During an active subscription, your data is retained for the duration of the subscription period. This includes all compliance assessments, risk records, evidence files, policy documents, and vector embeddings.

Upon account cancellation or subscription termination, all organizational data — including database records, file storage, vector embeddings, and backup snapshots — is scheduled for full deletion within 30 days. We provide written confirmation when deletion is complete.

Contact

For privacy inquiries, data requests, or questions about this policy, contact us at:

[email protected]

We take privacy questions seriously and will respond within 2 business days.