Privacy Policy

1. Information We Collect

Information You Provide Directly

We collect information you voluntarily provide when you:

• Contact us through our contact form or via email
• Request information about our services
• Book a consultation or call
• Submit documents through our SOC 2 Trust Tool, including SOC 2 reports and related assessments
• Subscribe to newsletters or communications
• Create an account or profile on our services

This information may include your name, email address, phone number, company name, job title, and other information necessary to provide our services to you.

Information Collected Automatically

When you visit our website, we automatically collect certain information about your device and browsing activity, including:

• IP address and geolocation data
• Browser type and version
• Operating system
• Referring website or source
• Pages visited and time spent on each page
• Clicks and interactions with website elements
• Device type and screen resolution
• Cookies and similar tracking technologies

Information from SOC 2 Submissions

When you submit SOC 2 reports or other compliance documents through our SOC 2 Trust Tool, we collect and store:

• The SOC 2 Type II report or attestation document
• Metadata about the submission (date, file details)
• Our assessment and analysis of the submitted SOC 2 report
• Recommendations and evaluation results

2. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve our services and website
• To respond to your inquiries and fulfill your requests
• To conduct SOC 2 assessments and provide trust evaluations
• To communicate with you about our services, updates, and promotional offers
• To analyze website usage patterns and improve user experience
• To monitor and analyze trends, usage, and activities for security and fraud prevention
• To comply with legal obligations and enforce our agreements
• To develop new features, products, and services
• For marketing and analytics purposes
• To create aggregate and anonymized insights about the state of SOC 2 compliance across industries and company sizes

Aggregate SOC 2 Reporting

We may use aggregated, anonymized, and de-identified data derived from SOC 2 reports and assessments submitted through our SOC 2 Trust Tool to create industry insights, trend analyses, and publicly available reports about the state of SOC 2 compliance. This may include statistical analyses, benchmarking data, and observations about common compliance gaps, best practices, and industry trends. These aggregated insights may be shared publicly or with industry partners to advance cybersecurity and compliance practices.

Important: We will not disclose, publish, or share any specific contents of individual SOC 2 reports, raw report data, company-identifying information, or individual assessment details in any aggregate reporting or public insights. All data used in aggregate reporting is thoroughly anonymized and de-identified to ensure no individual organization, company, or person can be identified from the published insights.

3. Analytics and Tracking Technologies

We use analytics and tracking technologies to understand how visitors interact with our website and to improve our services. This includes:

Cookies

We use cookies (small text files stored on your device) to:

• Remember your preferences and settings
• Understand how you use our website
• Track website performance and user behavior
• Deliver targeted content and advertisements

Web Beacons and Similar Technologies

We may use web beacons, pixels, and similar technologies to track your interactions with our website and emails.

Analytics Services

We use third-party analytics services (such as Google Analytics) to monitor and analyze website traffic, user behavior, and engagement. These services may collect and process your information according to their own privacy policies.

Your Choices

You can control cookie preferences through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. Please note that disabling cookies may affect the functionality of our website. You can also opt out of targeted advertising through industry opt-out mechanisms.

4. Information Sharing and Disclosure

We do not sell your personal information to third parties. However, we may share your information in the following circumstances:

Service Providers

We may share information with third-party service providers who assist us in operating our website and providing our services, including hosting providers, analytics services, email providers, and payment processors. These providers are contractually obligated to use your information only as necessary to provide services to us.

SOC 2 Assessment Results

When you use our SOC 2 Trust Tool, your assessment results may be shared with you and your authorized representatives. We will not share your individual SOC 2 reports, specific assessment details, or company-identifying information with third parties without your explicit consent, except as required by law.

However, we do use de-identified and aggregated data from all submitted SOC 2 reports and assessments to create industry insights and benchmarking reports, which may be published publicly or shared with industry partners. This aggregate data will be thoroughly anonymized to prevent identification of any individual organization or submission.

Legal Compliance

We may disclose your information when required by law or when we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service and other agreements
• Protect the security or integrity of our services
• Prevent fraud, abuse, or illegal activities

Business Transfers

If we are involved in a merger, acquisition, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5. Data Storage and Security

We implement appropriate technical, administrative, and physical safeguards designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Secure server infrastructure and access controls
• Regular security assessments and vulnerability scanning
• Limited access to personal information on a need-to-know basis
• Employee training on data protection and privacy practices

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

SOC 2 Report Storage

SOC 2 reports and related assessment documents submitted through our SOC 2 Trust Tool are stored securely on our servers. We maintain these documents for the duration of your use of our services and for a reasonable period thereafter for record-keeping and aggregate analysis purposes. The data from these submissions may be used to generate de-identified, anonymized aggregate insights about SOC 2 compliance trends and industry benchmarks, even after individual reports are deleted or accounts are terminated.

You may request deletion of your individual SOC 2 report documents subject to legal retention requirements. However, because we may have already extracted de-identified and aggregated data from your submission for use in trend analysis and reporting, deletion of your documents does not remove the aggregated insights that may have been derived from your data.

6. Data Retention

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, and resolve disputes. The retention period varies depending on the type of information and the purposes for which we use it:

• Contact information and inquiry details: retained for up to 3 years
• Cookies and analytics data: retained according to cookie lifespan settings
• SOC 2 reports and assessments: retained for as long as your account remains active, plus 1 year after account termination, unless longer retention is required by law
• Server logs: typically retained for 90 days for security and troubleshooting purposes

7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information, including:

Access and Portability

You have the right to request access to your personal information and receive a copy of the data we hold about you in a portable format.

Correction and Deletion

You have the right to request correction of inaccurate information and deletion of your personal information, subject to certain legal exceptions and our legitimate business needs.

Opt-Out

You have the right to opt out of marketing communications and targeted advertising. You can update your communication preferences by clicking the unsubscribe link in our emails or by contacting us directly.

Do Not Track

Some browsers include a "Do Not Track" feature. Currently, there is no industry standard for recognition of Do Not Track signals, and we do not respond to Do Not Track browser signals. However, you can use other tools to control data collection and use as described in this policy.

To exercise any of these rights, please contact us at the information provided below. We will respond to your request within the timeframe required by applicable law.

8. Children's Privacy

Our website and services are not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will delete such information promptly. If you believe we have collected information from a child, please contact us immediately.

9. Third-Party Links and Services

Our website may contain links to third-party websites and services that are not operated by us. This Privacy Policy applies only to our website and services. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party services before providing your information.

10. International Data Transfer

Your information may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have different data protection laws than your home country. By providing your information to us, you consent to the transfer, storage, and processing of your information in countries outside your country of residence, including the United States.

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. We will notify you of material changes by updating the "Last Updated" date at the top of this page and, in some cases, by sending you a notification email. Your continued use of our website and services after any updates constitutes your acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at: