1. Who we are
This Privacy Policy describes how CyberGrid ("CyberGrid", "we", "us") collects, uses, and shares personal information when you use our services (the "Service"), our website, or interact with us. This policy applies to information processed in our capacity as a data controller / business. Where we process personal data on behalf of a customer in performing security testing services, we act as a processor / service provider — those processing activities are governed by our Data Processing Addendum.
Privacy questions: privacy@thecybergrid.com.
2. What we collect
We collect only what we need to provide the Service:
- Account data: email address, optional name (you provide these when signing in).
- Organization data: company name, billing email, plan.
- Target metadata: hostnames you register and their verification status.
- Scan results: findings, severity ratings, and evidence captured during authorized scanning of your registered targets.
- Pen-test intake data: if you request a penetration-test quote, the form fields you submit (name, email, company, scope, compliance drivers, timeline, notes).
- SOC 2 readiness intake data: if you request a SOC 2 readiness engagement, the form fields you submit (name, email, company, employee-count tier, current security posture, deadlines, and any current GRC tooling in use). During an active SOC 2 engagement we may also process control-evidence metadata (vendor lists, access-review snapshots, policy acknowledgement records) as a processor on your behalf; the GRC platform vendor (Sprinto / Drata / Vanta / Secureframe) is a sub-processor under the DPA.
- Payment metadata: Stripe customer / subscription IDs. We never see or store raw card data — Stripe handles that under its PCI-compliant infrastructure.
- Authentication metadata: magic-link request timestamps, hashed session tokens (we never store passwords because we don't use them).
- Server logs: IP address, user-agent, timestamps. Retained for thirty (30) days, then deleted.
- Communications: emails you send us, and any messages exchanged in a pen-test engagement thread.
3. What we don't collect
- Tracking pixels, third-party advertising / analytics scripts that collect PII, behavioral profiles, or cross-site identifiers.
- Payment card numbers.
- Data from inside your application — we do not have access credentials to your production systems and don't ask for them, except as explicitly provided by you for a pen-test engagement (and then only test-tier credentials).
- Your browsing history outside CyberGrid.
- Special-category data under GDPR Article 9 (race, health, biometric, etc.). If such data is incidentally observed during an authorized pen test, we notify you and apply additional safeguards per the DPA.
4. How we use information
- To provide the Service — run scans, generate reports, issue attestations, conduct pen-test engagements.
- To authenticate you and maintain your session.
- To send transactional email (sign-in links, scan completion notices, engagement updates, billing notices, security incident notifications).
- To respond to support inquiries.
- To improve the Service using aggregated, anonymized data.
- To comply with legal obligations (tax, audit, lawful requests).
We do not sell your personal information. We do not share it with marketers or data brokers. We do not use customer scan results, findings, or pen-test reports to train AI models.
5. Legal bases (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we process personal data on the following legal bases:
- Contract performance — to provide the Service you've contracted for.
- Legitimate interests — to secure the Service, prevent abuse, and respond to support requests, balanced against your rights.
- Legal obligation — to comply with tax, accounting, and lawful regulatory requests.
- Consent — only where we explicitly ask for it (e.g., marketing emails you opt in to).
6. Who we share with (sub-processors)
We share personal data only with the service providers necessary to operate the Service. Each acts as our processor / sub-processor and is bound by contractual obligations no less protective than our DPA.
- Netlify — application hosting, serverless functions, file storage (Netlify Blobs)
- Neon — PostgreSQL database hosting
- Fly.io — scan-worker compute
- Stripe — payment processing
- Resend — transactional email delivery
- GitHub — source code repository (no customer personal data stored)
An up-to-date sub-processor list is maintained at /trust-package and in Annex B of our DPA. We notify customers via email at least fourteen (14) days before any change.
We may also disclose information when legally required by court order, subpoena, or government request, and only to the extent legally required. Where lawful, we notify the affected customer before disclosing.
7. Cookies
We use a single first-party session cookie (cg_session) to keep you signed in. It is HttpOnly, Secure, SameSite=Lax, and expires after thirty (30) days of inactivity. We do not use advertising cookies, third-party trackers, or analytics that profile individual users.
8. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of personal data we hold about you.
- Correction — ask us to fix inaccurate or incomplete data.
- Deletion / "right to be forgotten" — ask us to delete your data. We honor these within thirty (30) days, subject to legal-retention obligations.
- Portability — receive your reports and findings in a machine-readable format.
- Object — object to specific processing based on our legitimate interests.
- Restrict processing — ask us to limit processing while a dispute is resolved.
- Withdraw consent — where processing relies on consent, withdraw it at any time.
- Lodge a complaint — with your supervisory authority (EU residents may contact their national DPA; UK residents may contact the ICO).
To exercise any of these rights, email privacy@thecybergrid.com. We respond within thirty (30) days.
9. CCPA / CPRA rights (California residents)
California residents have the following rights under CCPA / CPRA:
- The right to know what personal information we collect and how we use it (this policy is that disclosure);
- The right to delete personal information we hold about you;
- The right to correct inaccurate personal information;
- The right to opt out of "sale" or "sharing" of personal information — we do not sell or share personal information as those terms are defined under CCPA / CPRA, so there is nothing to opt out of;
- The right not to be discriminated against for exercising these rights.
10. Data retention
| Category | Retention |
|---|---|
| Active-account data (email, name, org) | Duration of subscription |
| Scan reports + attestations | Lifetime of underlying record (attestation URL stays verifiable) |
| Pen-test engagement data | 30 days after final report delivery (test data); reports / attestations retained per above |
| Magic-link tokens | Hashed; expire in 15 minutes; deleted after use |
| Session tokens | 30 days of inactivity, then auto-expired |
| Server logs | 30 days |
| Audit logs (auth, admin actions) | 12 months |
| Backups | 90 days post-account-closure, encrypted at rest |
| Financial records (Stripe metadata, invoices) | 7 years (tax / audit requirement) |
After account closure, all customer-identifiable data is deleted within ninety (90) days, except records we are legally required to retain.
11. Security
We implement appropriate technical and organizational measures to protect personal data, including encryption at rest (AES-256) and in transit (TLS 1.2+), role-based access control with MFA on all administrative accounts, audit logging, vulnerability management, and a documented incident response plan. Full details are in /trust and in the DPA's Technical and Organizational Measures annex.
12. International data transfers
Our primary infrastructure is hosted in the United States. If you use CyberGrid from outside the US (including EU / UK / EEA), your personal data is transferred to and processed in the US. Where required, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) as the legal mechanism for transfers, incorporated by reference into our DPA.
13. Children's privacy
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children under 16. If we learn we have collected information from a child, we delete it promptly.
14. Security breach notification
If we become aware of a security incident affecting your personal data, we will notify you within seventy-two (72) hours of the incident being confirmed (faster for critical incidents), per our DPA and applicable Data Protection Laws.
15. Changes to this policy
We may update this Privacy Policy from time to time. Material changes are announced to account holders by email at least thirty (30) days before they take effect. The "Last updated" date at the top of the page reflects the most recent revision.
16. Contact
Privacy questions, DSAR / data-deletion requests, or to report a privacy concern: privacy@thecybergrid.com. Security disclosures: security@thecybergrid.com.