Privacy Policy

Last Updated: January 28, 2025
Effective Date: January 28, 2025
Your Privacy Matters: At theCISO.ai, we are committed to protecting your privacy and handling your personal information with care. This Privacy Policy explains how we collect, use, share, and protect your information when you use our platform.

This Privacy Policy applies to the theCISO.ai website, platform, and services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Key Definitions

  • "Personal Data" means any information relating to an identified or identifiable individual.
  • "Customer Data" means any data, content, or information that you upload, submit, or store in the Service.
  • "Usage Data" means data collected automatically about how you use the Service.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means an entity that processes Personal Data on behalf of the Controller.

2. Data Controller

theCISO.ai is the data controller for the Personal Data we collect about users of the Service. When you use the Service to process Customer Data, you are the data controller and we act as a data processor on your behalf.

3. Information We Collect

3.1 Information You Provide

Account Information:

  • Name, email address, and phone number
  • Company name and subdomain
  • Job title and role
  • Password (stored in encrypted form)
  • Payment information (processed by Stripe, our payment processor)

Profile Information:

  • Profile photo (optional)
  • Department and team information
  • Communication preferences

Customer Data:

  • Compliance framework data (controls, assessments, evidence)
  • Risk assessments and incident reports
  • Vendor information and security assessments
  • Audit logs and compliance reports
  • Documents and files you upload
  • Any other information you input into the Service

Communications:

  • Messages you send through support channels
  • Feedback and survey responses
  • Email correspondence with our team

3.2 Information Collected Automatically

Usage Data:

  • IP address and device information
  • Browser type and version
  • Pages visited and features used
  • Time and date of access
  • Referring website addresses
  • Clicks, scrolls, and interactions with the Service

Cookies and Tracking Technologies:

  • Session cookies for authentication
  • Preference cookies for user settings
  • Analytics cookies to understand usage patterns
  • Performance cookies to improve the Service

You can control cookies through your browser settings. However, disabling cookies may affect your ability to use certain features of the Service.

3.3 Information from Third Parties

Single Sign-On (SSO):

If you sign up using Google, Microsoft, or other identity providers, we receive:

  • Name and email address
  • Profile information you've made available
  • Authentication token

Integration Data:

If you connect third-party services (e.g., Microsoft 365, Azure AD, Okta), we may collect:

  • User directory information
  • Access logs and security events
  • Configuration data necessary to provide the integration

4. How We Use Your Information

We use your information for the following purposes:

Purpose Legal Basis (GDPR)
Provide the Service: Account creation, authentication, feature delivery Contract Performance
Process Payments: Billing, invoicing, subscription management Contract Performance
Customer Support: Respond to inquiries, troubleshoot issues Contract Performance, Legitimate Interest
Improve the Service: Analytics, performance optimization, new features Legitimate Interest
Security: Detect fraud, prevent abuse, protect against threats Legitimate Interest, Legal Obligation
Communications: Service updates, security alerts, marketing (with consent) Contract Performance, Consent, Legitimate Interest
Compliance: Meet legal and regulatory requirements Legal Obligation
AI Training: Improve AI features (only with explicit opt-in) Consent

5. AI and Automated Processing

5.1 AI-Powered Features

Our Service uses artificial intelligence and machine learning to provide:

  • Automated risk assessments and scoring
  • Intelligent recommendations for compliance controls
  • Natural language processing for document analysis
  • Predictive insights and trend analysis
  • Automated report generation

5.2 Third-Party AI Providers

We use AI services from:

  • Google Cloud AI (Gemini): Natural language processing and generation
  • Anthropic (Claude): Advanced reasoning and content analysis

When you use AI features, your prompts and content may be sent to these providers. We have data processing agreements in place with all AI providers to ensure they handle your data securely and do not use it to train their models.

5.3 Opt-Out Rights

You can disable AI features at any time through your account settings. This will prevent your data from being processed by AI systems, though some platform functionality may be limited.

6. How We Share Your Information

We do not sell your Personal Data. We may share your information in the following circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service:

Provider Purpose Data Shared
Stripe Payment processing Payment card information, billing details
SendGrid / Mailgun Email delivery Email addresses, message content
Google Cloud Platform Cloud hosting, AI services Customer Data, Usage Data
Anthropic AI processing Content submitted to AI features
Railway / AWS Infrastructure hosting All Service data

All service providers are bound by data processing agreements and are only permitted to use your data to provide services to us.

6.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or government request, including to:

  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Investigate fraud or security issues
  • Protect against legal liability

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6.4 With Your Consent

We may share your information with third parties when you explicitly consent or direct us to do so.

7. Data Security

We implement industry-standard security measures to protect your information:

7.1 Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Vulnerability Management: Regular security scans and penetration testing
  • Logging and Monitoring: Comprehensive audit logs and security monitoring

7.2 Organizational Safeguards

  • Employee background checks and security training
  • Strict access controls and need-to-know policies
  • Incident response and breach notification procedures
  • Regular security audits and compliance assessments

7.3 Infrastructure Security

  • Hosted on secure, SOC 2 compliant cloud infrastructure
  • Automated backups with encryption
  • Disaster recovery and business continuity plans
  • Regular security updates and patch management

No Security is Perfect: While we implement robust security measures, no method of transmission or storage is 100% secure. You acknowledge that you provide information at your own risk.

8. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

Data Type Retention Period
Account Information Duration of active account + 30 days after deletion
Customer Data Duration of subscription + 30 days after termination
Audit Logs 7 years (for compliance purposes)
Billing Records 7 years (for tax and accounting purposes)
Usage Data 24 months
Marketing Data Until you unsubscribe or request deletion

You may request deletion of your data at any time by contacting us. We will comply with your request subject to legal and regulatory retention requirements.

9. Your Privacy Rights

Depending on your location, you may have the following rights:

9.1 GDPR Rights (EU/UK Users)

  • Right to Access: Request a copy of your Personal Data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for specific processing activities
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

9.2 CCPA Rights (California Users)

  • Right to Know: Request details about what Personal Data we collect and how we use it
  • Right to Delete: Request deletion of your Personal Data
  • Right to Opt-Out: Opt out of the "sale" of Personal Data (we do not sell data)
  • Right to Non-Discrimination: Not be discriminated against for exercising your rights

9.3 How to Exercise Your Rights

To exercise any of these rights, please:

  • Email us at privacy@theciso.ai
  • Use the privacy controls in your account settings
  • Submit a Data Subject Access Request (DSAR) through our support portal

We will respond to your request within 30 days (or as required by applicable law). We may ask you to verify your identity before processing your request.

10. International Data Transfers

We are based in [Your Jurisdiction] and our servers are located in [Server Locations]. If you access the Service from outside these locations, your information may be transferred to, stored, and processed in these jurisdictions.

For transfers of Personal Data from the EU/UK to countries without adequate data protection laws, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for transfers to approved countries
  • Your explicit consent where required

11. Children's Privacy

The Service is not intended for users under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect Personal Data from children. If you believe we have collected information from a child, please contact us immediately and we will delete the information.

12. Cookie Policy

We use cookies and similar tracking technologies to provide and improve the Service. Here are the types of cookies we use:

Cookie Type Purpose Duration
Essential Authentication, security, session management Session or 14 days
Functional Remember preferences and settings 90 days
Analytics Understand usage patterns and improve performance 24 months
Marketing Personalize content and measure campaign effectiveness 12 months

You can control cookies through your browser settings or our cookie consent banner. Essential cookies cannot be disabled as they are necessary for the Service to function.

13. Marketing Communications

We may send you marketing emails about new features, updates, and promotions if you have consented to receive them. You can opt out at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your communication preferences in account settings
  • Contacting us at privacy@theciso.ai

Even if you opt out of marketing emails, we will still send you transactional emails related to your account and the Service (e.g., password resets, billing notifications, security alerts).

14. Data Processing Agreement (DPA)

If you are a Controller and we process Personal Data on your behalf as part of the Service, our relationship is governed by a Data Processing Agreement (DPA). The DPA includes:

  • Description of processing activities
  • Security measures and safeguards
  • Sub-processor list and approval process
  • Data subject rights assistance
  • Data breach notification procedures
  • Audit rights and compliance certifications

To request a signed DPA, please contact us at legal@theciso.ai.

15. Compliance Certifications

We are committed to maintaining the highest standards of data protection and security:

  • SOC 2 Type II: Annual security and availability audit
  • GDPR Compliant: EU General Data Protection Regulation
  • CCPA Compliant: California Consumer Privacy Act
  • ISO 27001: Information Security Management (in progress)
  • HIPAA: Available for Enterprise customers (BAA required)

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of material changes by:

  • Posting the updated Privacy Policy with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated Privacy Policy.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

theCISO.ai - Privacy Team
Email: privacy@theciso.ai
Data Protection Officer: dpo@theciso.ai
Support: support@theciso.ai
Website: https://theciso.ai

EU Representative: [If applicable, include EU representative contact information]

UK Representative: [If applicable, include UK representative contact information]

© 2025 theCISO.ai. All rights reserved. | Terms of Service | Security | Contact Us