Privacy Policy

This Privacy Policy explains how CISOCHECK ("we", "us", "our") handles information in relation to the CISOCHECK software platform ("Software", "Platform"). By using CISOCHECK, you agree to the collection and use of information in accordance with this policy.

CISOCHECK is designed for self-hosted, virtual private cloud (VPC), or on-premise deployment. This means:

• The Software is deployed on your infrastructure (VPC, your cloud environment, or on-premise).
• You manage and control all data processed by the Software.
• We do not access, store, or process your data (audit reports, findings, tasks, evidence, and related records).
• All data remains on your infrastructure and is under your control.

What This Policy Covers

• This Privacy Policy covers minimal data we may collect (if any), such as support requests or licensing information.
• This Privacy Policy does not cover your data processed by the Software, as that data remains on your infrastructure.

Your Data Responsibility

• You are responsible for your own data privacy and security.
• You are responsible for compliance with applicable data protection laws regarding your data.
• This policy does not govern how you process, store, or protect your data on your infrastructure.

We do not collect, store, or process:

• Audit reports uploaded to your Platform instance.
• Findings extracted from audit reports.
• Tasks, evidence, tags, and assets created in your Platform.
• User accounts, passwords, or authentication data on your Platform.
• Activity logs, session information, or usage data from your Platform.
• Any content or data processed by your Platform instance.

All such data remains on your infrastructure and is managed entirely by you.

We may collect minimal information only in the following circumstances:

Support Requests

If you contact us for support, we may collect:

• Your name and email address.
• Support request details.
• Error logs or diagnostic information (only if you choose to share them).

Licensing Information (If Applicable)

If licensing is required, we may collect:

• Organization name.
• License information.
• Contact information for license administration.

Software Updates and Notifications

If you subscribe to updates or notifications, we may collect:

• Your email address.
• Preference settings.

Note: If you deploy CISOCHECK in a fully isolated environment with no external communication, we may collect no information at all.

If we collect any information, we use it solely for:

• Providing Support: Responding to your support requests and resolving issues.
• Software Licensing: Managing software licenses (if applicable).
• Software Improvement: Understanding usage patterns to improve the Software (if usage statistics are shared).
• Communications: Sending important notifications about Software updates or changes (if you subscribe).
• Legal Compliance: Complying with applicable laws, if required.

• We do not access your Platform deployment or data.
• We do not collect data from your Platform instance.
• We do not monitor your Platform usage or activities.
• All data processing occurs entirely within your infrastructure.
• Your Platform instance operates independently on your infrastructure.

Your Infrastructure Control

• Data processing, storage, and management occur on your infrastructure.
• You have complete control over your data.
• You are responsible for data security, backups, and retention.
• We have no access to your infrastructure or data.

AI Processing Location

• If you enable AI Features, processing may occur using third-party AI service providers.
• AI processing uses your API credentials (for example, your OpenAI API key).
• AI processing occurs within or from your deployment environment.
• Data sent to AI service providers is controlled by you, not by us.

Your Responsibility

• You are responsible for entering into separate agreements with AI service providers.
• You are responsible for managing your AI service provider API keys and accounts.
• Data sent to AI service providers is subject to their respective privacy policies.
• You are responsible for complying with AI service provider terms and data handling requirements.

Our Role

• The Software provides functionality to connect to AI service providers.
• We do not access or control data sent to AI service providers.
• We do not manage your AI service provider accounts or API keys.

Minimal Data Sharing (If Any)

If we collect any information (support requests, licensing), we may share it only with:

• Service Providers: Third-party services that help us provide support or manage licenses (if applicable).
• Legal Requirements: If required by law, court order, or government request.

Your Platform Data

• We do not share your Platform data because we do not have access to it.
• Your Platform data remains on your infrastructure under your control.

AI Service Providers

• If you use AI Features, you directly interact with AI service providers using your API credentials.
• We do not act as an intermediary for data sent to AI service providers.
• You are responsible for reviewing and accepting AI service provider privacy policies.

Your Infrastructure Security

• Data security is your responsibility.
• You are responsible for implementing security measures on your infrastructure.
• You are responsible for access controls, encryption, monitoring, and security practices.
• We do not control or access your infrastructure security.

Our Security (If We Collect Any Data)

• If we collect any information (support requests, licensing), we implement appropriate security measures.
• Since we collect minimal data and you control your Platform data, data security is primarily your responsibility.

No Data Access

• We do not have access to your Platform deployment.
• We cannot affect or compromise your data security.
• Security of your Platform and data is entirely under your control.

Your Data

• We do not retain your Platform data because we do not collect it.
• You are responsible for data retention on your infrastructure.
• You determine how long to retain data in accordance with applicable laws.

Our Data (If Any)

• If we collect support requests, we may retain them for support purposes.
• If we collect licensing information, we retain it for the duration of the license agreement.
• You may request deletion of any data we may have collected (see Your Rights below).

Rights Regarding Our Data Collection (If Any)

If we collect any information from you, you have the following rights:

• Access: Request a copy of any personal data we may have collected.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of any data we may have collected.
• Portability: Request export of any data we may have collected (if applicable).
• Objection: Object to processing of your data (where applicable).

Rights Regarding Your Platform Data

• Since we do not collect your Platform data, these rights do not apply to Platform data.
• You have full control over your Platform data on your infrastructure.
• You are responsible for managing your Platform data rights.

To exercise rights regarding any data we may have collected, please contact us using the information provided in the Contact section below.

Your Platform Data

• Your Platform data is stored on your infrastructure (VPC, your cloud, or on-premise).
• Data location is determined by your deployment choices.
• We have no knowledge of or control over where your data is stored.

Our Data (If Any)

• If we collect any information (support requests, licensing), it is stored on our systems.
• Location of our systems: [Region/Location].
• We do not transfer this minimal data internationally unless required for support or legal compliance.

Cookies on Your Infrastructure

• If you deploy CISOCHECK, cookies (such as session tokens) are stored on your infrastructure.
• You control cookie settings and management on your deployment.
• We do not access or manage cookies on your deployment.

Cookies on Our Systems (If Any)

• If you interact with our support portal or website (if applicable), we may use cookies.
• For details, see our Cookie Policy.

Your Platform Data

• Since we do not collect your Platform data, no international transfers by us occur.
• You are responsible for managing international data transfers related to your Platform deployment.

Our Data (If Any)

• If we collect any information and transfer it internationally, we use appropriate safeguards.

CISOCHECK is not intended for children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. Since we do not collect Platform data, this primarily relates to any support or licensing information we may collect.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through Software updates or other reasonable means. Your continued use of the Software after the effective date of the updated Privacy Policy constitutes acceptance of the changes.

We may update these Terms from time to time. If we make material changes, we will notify you through Software updates or other reasonable means. Your continued use of the Software after the effective date of the updated Terms constitutes acceptance of the changes.

If you have questions about this Privacy Policy or wish to exercise your rights regarding any data we may have collected, please contact us at:

• Privacy Inquiries
• Email: info@cisocheck.com
• Address: Office 2102, 21st Floor, East Tower, Bahrain Financial Harbour, Manama, Kingdom of Bahrain

For data subject requests (GDPR and CCPA), please include:

• Your name and email address.
• The type of request (access, deletion, and so on).
• Any relevant details to help us process your request.

Note: This Privacy Policy describes our data practices. Since CISOCHECK is self-hosted and on-premise software, we do not access or manage your Platform data. You are responsible for your own data privacy and security practices. If you have questions, please contact us or consult with legal counsel.