1. Introduction
Welcome to Cav, a continuous compliance automation platform provided by [Your Company Name, e.g., Cav, Inc.] ("Cav," "we," "us," or "our"). We are committed to protecting the privacy and security of the data entrusted to us. This Privacy Policy describes how Cav collects, uses, processes, stores, and shares personal information when you access and use our private SaaS deployment of the Cav platform (the "Service").
This policy applies to information we collect:
- Through the Service's user interface and administration portals.
- In email, text, and other electronic messages between you and the Service.
- When you interact with our customer support.
2. Data we collect and why we collect it
Cav primarily processes two categories of data: (A) Account and User Information (which contains PII) and (B) Customer Compliance Data (which does NOT contain PII).
A. Account and User Information (Contains Personally Identifiable Information - PII)
This information is collected when you or your organization (our customer) registers for and manages access to the Cav Service. This data is essential for managing your account, providing access to the Service, and for billing purposes.
Information You Provide to Us:
- Customer Account Details: When your organization subscribes to Cav, we collect business contact information, such as company name, billing address, payment details (processed securely via third-party payment processors; we do not directly store full credit card numbers), and administrative contact names and email addresses.
- User Account Information: When your organization adds individual users to the Cav Service, we collect their names, email addresses, and create unique user IDs. This information is necessary for user authentication, access control, and communication related to the Service.
- Communications: Records and copies of your correspondence with us (e.g., customer support inquiries, feedback, product requests).
Information We Collect Automatically:
- Usage Details: Information about your activity on the Service, including login times, features used, pages viewed, and the duration of your sessions. This helps us understand how the Service is used and supports performance monitoring and improvement.
- Device and Network Information: Details about the device and network you use to access the Service, including IP address, operating system, browser type, and unique device identifiers. This is used for security, troubleshooting, and Service optimization.
- Log Data: Server logs that record information about your interactions with our Service, which may include timestamps, request URLs, and error information. This is critical for security, auditing, and debugging.
B. Customer Compliance Data (Does NOT contain Personally Identifiable Information - PII)
This category refers to the core data processed by the Cav continuous compliance automation platform to deliver its primary functionality to customers.
Cav's product functionality is explicitly designed and configured with the strict policy that it does NOT access, retrieve, transport, or store Personally Identifiable Information (PII) from our customers' end-user environments.
The data processed within the Cav solution for compliance automation is limited to:
- Metadata about Infrastructure Vulnerabilities: Technical data about your IT infrastructure's security posture. This includes system configurations, software versions, patch levels, network topology, security tool statuses, and identified vulnerabilities (e.g., CVE IDs, severity scores). This data is related to the security health of the infrastructure, not the individuals who interact with it.
- Evidence from Security Tools: Aggregated and non-identifiable data points from sources such as:
- Endpoint Detection and Response (EDR) tools: Metrics like threat indicators, incident counts, process hashes, and system integrity details, which focus on system behavior and threats rather than user-specific PII.
- Security Knowledge Training Campaigns: Aggregated data on training completion rates, module scores, and general participation metrics, primarily used to demonstrate the effectiveness of training programs rather than identifying individual performance tied to PII.
3. How we use the information we collect
We use the information collected for the following purposes:
- To Provide and Maintain the Service: To operate, deliver, and continuously improve the Cav platform's functionality, including managing your customer account and user access.
- To Ensure Security and Compliance of the Platform: To monitor for and prevent fraudulent activity and unauthorized access, and to ensure the security and integrity of the Cav Service itself.
- For Product Improvement: To analyze usage patterns and feedback to enhance existing features and develop new functionalities within the Cav platform.
- For Customer Support: To respond to your inquiries, provide technical assistance, and troubleshoot issues related to your use of the Service.
- For Billing and Account Management: To process payments, send invoices, and manage your subscription.
- To Communicate with You: To send service-related notifications, updates, and administrative messages.
- To Comply with Legal Obligations: To meet legal, regulatory, or governmental requests, and to enforce our terms and conditions.
4. How we share information
Cav will not sell or rent your personal information to third parties for their marketing purposes. We may share information in the following circumstances:
- With Your Consent: We may share your information if you provide us with explicit consent to do so.
- Service Providers (Sub-processors): We engage trusted third-party service providers who assist us in operating, maintaining, and improving the Service. These include:
- Amazon Web Services (AWS): Our entire SaaS infrastructure is hosted and managed within AWS data centers. AWS is a cloud service provider that provides the underlying infrastructure (servers, storage, networking) for our Service. We rely on AWS's robust physical and environmental security controls, as detailed in our Physical Security Applicability Statement.
- Other third-party tools for functions like payment processing, customer relationship management (CRM), and analytics. These providers are contractually obligated to protect your information and use it only for the purposes for which we disclose it to them.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or subpoena).
- Business Transfers: In the event of a merger, acquisition, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Cav's assets, your information may be transferred.
- To Protect Our Rights: We may disclose information when we believe it is necessary to protect the rights, property, or safety of Cav, our customers, or others.
5. Data storage and security
Cav is committed to protecting the security of your information.
- AWS Cloud Hosting: All Service data is hosted securely within Amazon Web Services (AWS) infrastructure. AWS maintains industry-leading physical, environmental, and network security controls.
- Customer-Managed Encryption Key for Database: A critical security feature of the Cav Service is that the primary database containing Customer Compliance Data is encrypted using a customer-provided key. Cav staff do NOT have access to this encryption key. This means that we cannot decrypt the core Customer Compliance Data stored in your database without your explicit provision of the key. This significantly enhances the confidentiality and integrity of your compliance data.
- Encryption: Data is encrypted both in transit (using TLS) and at rest (using industry-standard encryption protocols).
- Access Controls: Access to your Account and User Information by Cav staff is strictly controlled and limited to a need-to-know basis, based on roles and responsibilities.
- Organizational Measures: We implement comprehensive organizational and technical measures, including regular security training for our staff, to protect against unauthorized access, disclosure, alteration, or destruction of information.
- Non-PII Nature of Customer Compliance Data: As stated in Section 2(B), the core Customer Compliance Data processed by the Cav solution does not contain PII. This separation of data types further enhances privacy.
6. Data retention
We retain your personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Once your account is terminated or data is no longer needed, we will securely delete or anonymize your information, subject to any legal or regulatory requirements for retention.
7. Your data protection rights
Depending on your location and applicable laws (e.g., GDPR, CCPA), you may have certain rights regarding your personal information, including:
- Access: The right to request copies of your personal information.
- Rectification: The right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
- Erasure: The right to request that we erase your personal information, under certain conditions.
- Restriction of Processing: The right to request that we restrict the processing of your personal information, under certain conditions.
- Object to Processing: The right to object to our processing of your personal information, under certain conditions.
- Data Portability: The right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
To exercise any of these rights, please contact us using the contact information provided below. We may need to verify your identity before fulfilling your request.
8. Changes to our privacy policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website or through other appropriate communication channels. Your continued use of the Service after such modifications constitutes your acknowledgment of the updated policy.
9. Contact information
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
Cav
1775 Tysons Boulevard, Fifth Floor
Tysons, VA 22102
support@Cav.com
(833) 462-2836