Master Privacy Policy

Effective Date: October 31, 2025 | Last Updated: December 13, 2025

ERMITS LLC ("ERMITS," "we," "our," or "us") is committed to protecting your privacy through a Privacy-First Architecture that ensures you maintain control over your data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Services across all ERMITS product lines.

By using our Services, you consent to the data practices described in this policy. If you do not agree with this Privacy Policy, please do not use our Services.

1. SCOPE AND APPLICABILITY

1.1 Services Covered

This Privacy Policy applies to all ERMITS products and services, including:

CyberSoluce™:

Enhanced Asset Inventory Management Platform
Dependency-aware visibility into asset inventory
Focus signals for attention areas
Service funneling guidance toward appropriate ERMITS services

SocialCaution:

Personalized privacy platform
AI-powered persona detection
Privacy exposure index and risk scoring
Service catalog with privacy risk profiles

TechnoSoluce™:

SBOM (Software Bill of Materials) Analyzer
Software supply chain security and vulnerability analysis
Client-side SBOM processing

CyberCertitude™:

CMMC 2.0 Level 1 Implementation Suite
CMMC 2.0 Level 2 Compliance Platform
NIST SP 800-171 assessment and compliance tools
Original Toolkit (localStorage-based compliance management)

VendorSoluce™:

Supply Chain Risk Management Platform
Vendor assessment and monitoring
Third-party risk evaluation

CyberCorrect™:

Privacy Portal (workplace privacy compliance)
Privacy Platform (multi-regulation privacy management)
Data subject rights management

CyberCaution™:

RansomCheck (ransomware readiness assessment)
Security Toolkit (comprehensive cybersecurity assessments)
RiskProfessional (CISA-aligned security assessments)

1.2 Geographic Scope

This Privacy Policy applies to users worldwide and complies with:

General Data Protection Regulation (GDPR) - European Union, United Kingdom, Switzerland
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
Lei Geral de Proteção de Dados (LGPD) - Brazil
Other applicable privacy and data protection laws

2. PRIVACY-FIRST ARCHITECTURE OVERVIEW

2.1 Core Privacy Principles

ERMITS implements Privacy-First Architecture built on five fundamental principles that distinguish our approach:

Client-Side Processing

All core computational functions are performed locally within your browser or self-managed environment whenever technically feasible:

Security Assessments: CMMC, cybersecurity assessments processed in your browser
Asset Inventory: CyberSoluce asset data processed client-side
SBOM Analysis: TechnoSoluce processes SBOM files entirely client-side
Risk Scoring: All risk calculations performed locally
Compliance Evaluations: Assessment scoring and gap analysis done in your browser
Privacy Analysis: SocialCaution persona detection runs entirely client-side

Your data remains under your control throughout the analysis process.

Data Sovereignty Options

You choose where your data resides:

Local-Only Mode: All data stored exclusively in your browser (IndexedDB, localStorage)
Self-Managed Cloud: Deploy to your own cloud infrastructure with full control (AWS, Azure, GCP)
ERMITS-Managed Cloud: Optional encrypted cloud synchronization with zero-knowledge architecture
Hybrid Deployment: Local processing with selective encrypted cloud backup
On-Premises: Enterprise customers can deploy on their own infrastructure

Zero-Knowledge Encryption

When using ERMITS-managed cloud features with encryption enabled:

Data is encrypted client-side using AES-256-GCM before transmission
Encryption keys are derived from your credentials using PBKDF2 and never transmitted to ERMITS
ERMITS cannot decrypt, access, or view your encrypted data
You are solely responsible for maintaining access to encryption keys
Lost keys = permanent data loss (we cannot recover your data)

Data Minimization

We collect only the minimum data necessary for service functionality:

Never Collected:

Asset inventory data and dependency information
Raw SBOM files, component lists, dependency graphs
Assessment content, responses, or findings
Vulnerability scan results or CVE data
Compliance documentation (SSPs, POA&Ms, evidence)
CUI (Controlled Unclassified Information)
FCI (Federal Contract Information)
PHI (Protected Health Information)
Proprietary business data or trade secrets

Optionally Collected:

Account information (name, email, company) - only when you create an account
Pseudonymized telemetry (anonymous performance metrics) - opt-in only
Encrypted user data (if cloud sync enabled) - we cannot decrypt

Transparency and Control

You have complete control over your data:

Export all data at any time in standard formats (JSON, CSV, PDF)
Delete all data permanently with one click
Opt in or opt out of telemetry collection anytime
Choose your deployment and storage model
Review detailed data flow documentation for each product

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

Account Information (Optional): When you create an account or subscribe to paid features, we collect:

Name: Your full name or preferred name
Email Address: For authentication, communications, and billing
Company Name and Job Title: Optional, for business context

Billing Information: Processed by Stripe, Inc. (our payment processor)

ERMITS does not store complete payment card information
We receive only: transaction status, last 4 digits of card, billing address
Password: Cryptographically hashed using bcrypt, never stored in plaintext

User-Generated Content:

Support Requests: Questions, issues, or feedback sent to support@ermits.com
Survey Responses: Feedback provided through user surveys
Customization Preferences: UI preferences, notification settings, feature preferences

3.2 Information We Do NOT Collect

ERMITS explicitly does NOT collect, access, store, or transmit:

Assessment and Analysis Data:

Asset inventory data and dependency information
Security assessment responses or scores
CMMC compliance assessments or documentation
Cybersecurity evaluation results
Privacy assessments or persona analysis results

Technical Data:

SBOM (Software Bill of Materials) files or contents
Software component lists or dependency graphs
Vulnerability scan results or CVE findings
Package metadata or software inventories

Compliance and Regulatory Data:

System Security Plans (SSPs)
Plans of Action and Milestones (POA&Ms)
Compliance evidence or audit documentation
Certification materials or assessment reports

Controlled Information:

CUI (Controlled Unclassified Information)
FCI (Federal Contract Information)
PHI (Protected Health Information) under HIPAA
PCI data (payment card information) except via Stripe

Business Data:

Trade secrets or proprietary information
Confidential business strategies
Financial records (except billing data)
Customer lists or business relationships

Due to our client-side processing model, this data is processed entirely in your browser or local environment. It never leaves your device unless you explicitly enable cloud sync with encryption.

3.3 Automatically Collected Information

Pseudonymized Telemetry (Optional - Opt-In Required): With your explicit consent, we collect anonymous, aggregated performance data:

What We Collect:

Feature usage statistics (which tools are used, how often)
Performance metrics (page load times, API response times)
Error reports (crash logs, exceptions) with PII automatically scrubbed by Sentry
Browser and device information (browser type/version, OS, screen resolution)
Session metadata (session duration, navigation paths, timestamps)

Privacy Protections:

Irreversible Pseudonymization: User identifiers are cryptographically hashed (SHA-256) and cannot be reverse-engineered
No Content Data: Telemetry never includes file contents, assessment results, or user inputs
Differential Privacy: PostHog analytics use differential privacy techniques to prevent individual identification
Opt-Out Available: You can disable telemetry at any time in account settings with retroactive deletion
Aggregate Only: Data used only in aggregate; individual user behavior cannot be identified

Technical and Security Data:

IP Addresses:

Collected for: Security monitoring, rate limiting, geolocation for service delivery
Not linked to: User accounts or identifiable information
Retention: 90 days in server logs, then automatically deleted
Use: Fraud prevention, DDoS protection, regional service optimization

Server Logs:

Standard web server access logs (timestamp, HTTP method, endpoint, status code, IP)
Error logs for debugging and system monitoring
Retention: 90 days, then automatically deleted
Access: Restricted to security and engineering teams only

Cookies and Similar Technologies:

See our separate Cookie Policy for detailed information
Essential cookies for authentication and security only (required)
Optional cookies for analytics and preferences (opt-in)

3.4 Information from Third Parties

Authentication Providers (OAuth): If you use OAuth for authentication (Google, Microsoft, GitHub), we receive:

Name and email address from the provider
Profile information you choose to share with the provider's permission
Provider's unique identifier for your account (for account linking)

We do not access your contacts, files, or other data from these providers.

Payment Processor (Stripe): Stripe provides us with:

Payment success/failure status
Subscription status and billing cycle information
Last 4 digits of payment method (for your reference)
Billing address (for tax compliance)

We do not receive or store complete payment card numbers.

Vulnerability Databases (Public APIs): When you use SBOM analysis or security assessment tools, your browser makes anonymous, client-side queries to:

OSV.dev (Google Open Source Vulnerabilities)
NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV) catalog

Privacy Protection:

Queries performed client-side directly from your browser
Only public component identifiers sent (package name, version)
No proprietary information, file paths, or business context transmitted
ERMITS does not track or log your queries to these services
These services may have their own logging policies (outside ERMITS control)

4. HOW WE USE INFORMATION

4.1 Service Delivery and Operation

We use collected information to:

Provide Services: Deliver CyberSoluce, SocialCaution, TechnoSoluce, CyberCertitude, VendorSoluce, CyberCorrect, and CyberCaution services
Process Transactions: Handle subscriptions, billing, and payment confirmations
Authenticate Users: Verify identity and maintain account security
Enable Features: Provide cloud synchronization, multi-device access, collaboration features (when opted-in)
Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance

4.2 Service Improvement and Analytics

We use pseudonymized, aggregate data to:

Analyze Usage Patterns: Understand which features are used and how often (aggregate only)
Identify Issues: Detect and fix bugs, errors, and performance problems
Develop Features: Plan and build new features based on anonymized usage trends
Conduct Research: Perform security and privacy research using aggregated, anonymous data
Benchmark Performance: Measure and improve service performance and reliability

We do NOT:

Analyze your individual assessment results or SBOM data
Use your data to train AI models or machine learning systems
Profile users for behavioral targeting or marketing
Sell or monetize your data in any way

4.3 Communication

We use your contact information to:

Service Announcements: Notify you of system updates, maintenance, or service changes
Security Alerts: Send critical security notifications or breach notifications
Support Responses: Reply to your support requests and feedback
Transactional Emails: Send receipts, invoices, account confirmations
Product Updates: Inform you of new features or product launches (opt-in only)
Marketing Communications: Send promotional content only with your explicit consent (easy opt-out)

You can opt out of marketing emails anytime. You cannot opt out of critical service/security notifications.

4.4 Security and Fraud Prevention

We use technical data to:

Detect Threats: Identify and prevent security threats, attacks, and abuse
Monitor Security: Track unauthorized access attempts or account compromise
Enforce Policies: Ensure compliance with Terms of Service and Acceptable Use Policy
Prevent Fraud: Detect fraudulent transactions, account creation, or service abuse
Protect Users: Safeguard ERMITS, our users, and third parties from harm

4.5 Legal and Compliance

We process information as required to:

Comply with Laws: Fulfill legal obligations and respond to lawful requests
Enforce Rights: Protect ERMITS' legal rights and enforce agreements
Liability Protection: Defend against legal claims or liability
Audits: Conduct internal audits and maintain business records
Regulatory Compliance: Meet requirements under GDPR, CCPA, HIPAA, and other laws

5. INFORMATION SHARING AND DISCLOSURE

5.1 Service Providers (Sub-Processors)

We share limited data with trusted third-party service providers who assist in delivering the Services:

Service Provider	Purpose	Data Shared	Location
Supabase	Database and authentication	Email, encrypted user data (if cloud sync enabled)	United States
Stripe	Payment processing	Email, billing information	United States
Sentry	Error monitoring	Error logs with PII automatically scrubbed	United States
PostHog	Analytics	Pseudonymized usage metrics with differential privacy	United States / EU
Vercel	Hosting and CDN	IP address, HTTP headers (standard web traffic)	Global CDN

Sub-Processor Requirements: All sub-processors are contractually required to:

Use data only for specified purposes (providing services to ERMITS)
Implement appropriate security measures equivalent to ERMITS standards
Comply with applicable privacy laws (GDPR, CCPA, etc.)
Not use data for their own purposes or share with others
Delete data when no longer needed for service provision
Execute Data Processing Agreements and Standard Contractual Clauses (for international transfers)

Sub-Processor Changes:

30 days' advance notice before adding or changing sub-processors
Notification via email and in-app announcement
Enterprise customers may object to new sub-processors
Alternative arrangements if objection cannot be resolved

5.2 Legal Requirements

We may disclose information if required by law or in response to:

Court Orders: Subpoenas, search warrants, or judicial orders
Government Requests: Law enforcement or regulatory investigations
Legal Process: Lawful requests under applicable legal authority
National Security: Threats to national security or public safety (where legally required)

Our Commitments When Legally Required to Disclose: When legally permitted, we will:

Notify affected users of legal requests before disclosure
Challenge requests that are overly broad, improper, or unlawful
Provide only minimum information required by law
Seek confidentiality for user information disclosed
Publish transparency reports when request volume warrants

Privacy-First Architecture Limitation: Due to zero-knowledge encryption, we cannot decrypt user data even under legal compulsion. We can only provide account metadata and encrypted data (which we cannot read).

5.3 Business Transfers

If ERMITS is involved in a merger, acquisition, asset sale, or bankruptcy:

User information may be transferred as part of business assets
We will provide notice before information is transferred to a new entity
The successor entity will be bound by this Privacy Policy
You will have the option to delete your data before transfer (minimum 30 days notice)
Enterprise contracts and DPAs will remain in effect or require renegotiation

5.4 Consent-Based Sharing

We may share information with your explicit consent for purposes such as:

Third-Party Integrations: Sharing data with services you authorize (HRIS, GRC platforms, etc.)
Organization Administrators: Sharing data with your organization's designated admins (Enterprise accounts)
Testimonials: Publicly sharing your feedback with identifying information only if you approve
Case Studies: Using your organization as a case study with explicit written permission
Research Participation: Including your data in research studies with explicit opt-in consent

You control consent-based sharing and can revoke consent anytime.

5.5 Aggregated and Anonymous Data

We may share aggregated, anonymous data that cannot identify you:

Industry Benchmarks: Comparative statistics for security maturity, compliance readiness
Research Publications: Academic or industry research on cybersecurity trends
Public Reports: Trend analysis, threat intelligence, industry insights
Product Insights: Feature adoption rates, performance statistics

Privacy Protections:

Data is irreversibly anonymized using differential privacy techniques
Minimum anonymity set: At least 10 organizations in any aggregate statistic
Cannot be reverse-engineered to identify individuals or organizations
Opt-out available: You can request exclusion from aggregated datasets

6. DATA SECURITY MEASURES

6.1 Encryption

Data in Transit:

TLS 1.3 encryption for all data transmission (minimum TLS 1.2 for legacy systems)
HTTPS required for all web traffic
Certificate Pinning for critical connections
Perfect Forward Secrecy (PFS) enabled to protect past sessions
Strong Cipher Suites only (AES-256-GCM, ChaCha20-Poly1305)

Data at Rest:

AES-256-GCM encryption for cloud-stored data
Client-Side Encryption with user-controlled keys (zero-knowledge architecture)
Encrypted Database Backups with separate encryption keys
Secure Key Management using industry-standard HSMs and key rotation

Data in Use:

Client-Side Processing minimizes data exposure during computation
Memory Encryption where supported by browser and OS
Secure Coding Practices to prevent data leakage
Input Validation and Output Encoding to prevent injection attacks

6.2 Access Controls

Authentication:

Multi-Factor Authentication (MFA) available for all accounts, required for administrators
Strong Password Requirements: Minimum 12 characters, complexity requirements
Password Breach Detection: Checking against known compromised password databases
Session Management: Automatic timeout after 4 hours idle, 12 hours maximum
OAuth 2.0 Integration with trusted providers (Google, Microsoft, GitHub)

Authorization:

Row-Level Security (RLS): Database-level policies ensure users can only access their own data
Role-Based Access Control (RBAC): Granular permissions (Admin, Editor, Viewer, etc.)
Principle of Least Privilege: Users and systems granted minimum necessary permissions
Attribute-Based Access Control: Fine-grained policies based on user attributes and context
Just-in-Time Access: Temporary elevated permissions for specific tasks

Access Logging:

All data access logged with timestamp, user, action, resource
Audit logs retained for 3 years (configurable for Enterprise)
Regular audit log review for anomalies and security events
Immutable logs stored separately (cannot be altered or deleted)
SIEM integration available for enterprise security monitoring

6.3 Infrastructure Security

Cloud Security:

Secure Hosting: Enterprise-grade infrastructure (Supabase on AWS, Vercel on AWS/GCP)
Network Segmentation: Isolated production, staging, and development environments
DDoS Protection: Distributed denial-of-service attack mitigation
Web Application Firewall (WAF): Protection against common web attacks
Intrusion Detection/Prevention (IDS/IPS): 24/7 monitoring for suspicious activity
Regular Vulnerability Scanning: Automated and manual security assessments
Penetration Testing: Annual third-party security audits

Application Security:

Secure Coding Practices: Following OWASP Top 10 guidelines
Code Review: All code changes reviewed for security issues
Input Validation: Comprehensive sanitization of all user inputs
SQL Injection Prevention: Parameterized queries and prepared statements
XSS Protection: Content Security Policy (CSP) and output encoding
CSRF Protection: Anti-CSRF tokens for state-changing operations
Dependency Management: Regular updates and vulnerability scanning
Security Headers: HSTS, X-Frame-Options, CSP, and other protective headers

6.4 Employee and Contractor Access

Personnel Security:

Background Checks for employees with data access
Enhanced Screening for security and engineering roles
Confidentiality Agreements: All employees and contractors sign NDAs
Security Training: Annual security awareness training, GDPR training
Access on Need-to-Know Basis: Limited to personnel requiring access
Regular Access Reviews: Quarterly review and revocation of unnecessary access
Immediate Revocation: Access terminated immediately upon employment end

Privilege Management:

Least Privilege: Staff granted minimum necessary access
Separation of Duties: No single person has complete system access
Privileged Access Monitoring: Enhanced logging for administrative actions
Multi-Person Control: Critical operations require approval from multiple people

6.5 Security Incident Response

In the event of a data breach or security incident:

Detection:

24/7 security monitoring and alerting systems
Automated threat detection and anomaly analysis
Real-time intrusion detection

Containment:

Immediate action to isolate affected systems
Disable compromised accounts or services
Prevent further unauthorized access

Investigation:

Forensic analysis to determine scope and impact
Root cause identification
Evidence preservation for potential legal action

Notification:

Users notified within 72 hours of breach discovery (GDPR requirement)
Supervisory authorities notified as required by law
Notification includes: Nature of breach, data affected, steps taken, recommendations for users

Remediation:

Implement fixes to prevent recurrence
Update security controls and policies
Provide credit monitoring or identity theft protection if appropriate
Conduct post-incident review and lessons learned

7. DATA RETENTION

7.1 Active Account Data

We retain your data for as long as your account is active or as needed to provide Services:

7.2 Product-Specific Retention

Data Type	Retention Period	Purpose
Account Information	Duration of account + 30 days after termination	Service delivery, support, billing
User-Generated Content	User-controlled (can delete anytime); deleted 30 days after account termination (90 days for backups)	Service functionality, user requests
Encrypted Cloud Data	User-controlled (can delete anytime); deleted 30 days after account termination (90 days for backups)	Cloud synchronization, multi-device access
Authentication Tokens	1 hour (access token), 30 days (refresh token)	Session management, security
Support Communications	3 years after last interaction	Customer support, quality improvement, legal compliance
Pseudonymized Telemetry	Indefinite (anonymous, cannot be deleted or linked to individuals)	Service improvement, analytics, research
Server Logs (IP addresses)	90 days	Security monitoring, fraud prevention, debugging

TechnoSoluce (SBOM Analyzer):

SBOM files: Never transmitted to or stored on ERMITS servers
Analysis results: Stored locally in user's browser only
No retention on ERMITS infrastructure

CyberCertitude (CMMC Compliance):

Assessments: User-controlled; deleted with account or on-demand
Compliance documentation: User-controlled
Historical assessment data: Retained while account active (for trend analysis)

SocialCaution:

Privacy assessments: User-controlled; stored locally in browser only
User preferences: Duration of account + 30 days
No personal data from assessments stored on ERMITS servers

7.3 Deleted Accounts

When you delete your account or request data deletion:

Immediate (within 24 hours):

Account access disabled
Data marked for deletion
Stop all processing of personal data

Within 30 days:

User Data permanently deleted from production systems
Account information removed from active databases
Encrypted cloud data deleted (we cannot decrypt, but keys are destroyed)

Within 90 days:

Backup copies permanently deleted
All traces removed from backup systems
Deletion verification available upon request

Exceptions (data retained longer):

Financial Records: 7 years (tax and audit requirements - IRS, SOX)
Legal Hold Data: Retained as required by litigation or investigation
Pseudonymized Analytics: Indefinite (anonymous, cannot identify individuals)
Aggregated Statistics: Indefinite (cannot be reverse-engineered to identify you)

7.4 Data Deletion Verification

Upon request, we will provide written certification that your data has been deleted in accordance with this policy. Contact: privacy@ermits.com

8. YOUR PRIVACY RIGHTS

8.1 Universal Rights (All Users)

All users have the following rights regardless of location:

Right to Access:

Request a copy of all personal data we hold about you
Receive information about how your data is processed
Access your data via Account Settings → Export Data anytime
Request human-readable summary of data processing activities

Right to Rectification:

Correct inaccurate or incomplete personal data
Update information directly in Account Settings
Contact support for assistance: privacy@ermits.com
We will correct errors within 10 business days

Right to Deletion (Right to be Forgotten):

Request deletion of your personal data
Delete account and all data via Account Settings → Delete Account
Data deleted within 30 days (production), 90 days (backups)
Some data retained for legal compliance (financial records, legal holds)

Right to Data Portability:

Export your data in machine-readable formats (JSON, CSV, PDF)
Transfer data to another service provider
Export available anytime via Account Settings → Export Data
Includes all personal data you provided and data generated about you

Right to Restriction of Processing:

Request limitation of processing in certain circumstances
Temporarily suspend processing while disputes are resolved
Object to specific processing activities

Right to Object:

Object to processing based on legitimate interests
Opt out of marketing communications anytime
Disable telemetry collection
Withdraw consent for optional data processing

8.2 Additional Rights for EU/UK/Swiss Users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights:

Legal Basis for Processing: We process your data based on:

Consent: When you provide explicit consent (marketing, telemetry, optional features)
Contract: To perform our contract with you (provide Services you purchased)
Legitimate Interests: For service improvement, security, fraud prevention (balanced against your rights)
Legal Obligation: To comply with applicable laws (tax, financial reporting, law enforcement)

Right to Withdraw Consent:

Withdraw consent at any time (does not affect prior processing)
Disable telemetry in Account Settings → Privacy → Data Collection
Unsubscribe from marketing emails via link in each email
Withdrawal processed immediately

Right to Lodge a Complaint:

File complaint with your local data protection authority (DPA)
EU: Find your DPA at edpb.europa.eu
UK: Information Commissioner's Office (ICO) - ico.org.uk
Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
You may also contact us first to resolve issues: privacy@ermits.com

Data Protection Officer: For GDPR-related inquiries, contact: privacy@ermits.com (Subject: "GDPR Inquiry - [Your Name]")

8.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under CCPA and CPRA:

Right to Know: You can request information about:

Categories of personal information collected
Categories of sources of personal information
Business or commercial purposes for collecting or selling personal information
Categories of third parties with whom we share personal information
Specific pieces of personal information collected about you

Right to Delete:

Request deletion of personal information (subject to legal exceptions)
Exceptions: Legal compliance, fraud prevention, internal uses, service provision

Right to Opt-Out of Sale: ERMITS does not sell personal information and has not sold personal information in the past 12 months. We do not sell personal information of minors under 16.

Right to Correct: Request correction of inaccurate personal information. We will correct errors within 45 days.

Right to Non-Discrimination: Equal service and pricing regardless of privacy rights exercise. No denial of goods or services for exercising privacy rights.

California Consumer Privacy Request: Submit requests via email: privacy@ermits.com (Subject: "CCPA Request - [Your Name]")

8.4 Exercising Your Rights

How to Submit Requests:

Email: privacy@ermits.com (Subject: "Privacy Rights Request - [Type of Request]")
In-App: Navigate to Account Settings → Privacy Rights
Response Timeline: Initial response within 10 business days; complete response within 45 days (may extend for complex requests)
Free of Charge: First two requests per year are free; reasonable fee may apply for excessive, repetitive, or manifestly unfounded requests

9. INTERNATIONAL DATA TRANSFERS

9.1 Data Processing Locations

ERMITS is based in the United States. If you access Services from outside the U.S., your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

Primary Data Locations:

United States: Primary data processing and storage (Supabase US, Vercel US)
European Union: Optional data residency for EU customers (Supabase EU region - Frankfurt)
Global CDN: Content delivery network nodes worldwide (Vercel Edge Network)

Service Provider Locations:

Supabase: United States (default), EU (optional)
Stripe: United States (global processing)
Sentry: United States
PostHog: United States / EU (customer choice)
Vercel: Global (primary US)

9.2 Safeguards for International Transfers

For data transfers from the EEA, UK, or Switzerland to the United States:

Standard Contractual Clauses (SCCs):

ERMITS uses European Commission-approved Standard Contractual Clauses (Decision 2021/914)
SCCs incorporated into agreements with all sub-processors
Module Two (Controller to Processor) SCCs apply
Full text available upon request: privacy@ermits.com

UK International Data Transfer Addendum:

UK Addendum to EU SCCs for UK data transfers
Approved by UK Information Commissioner's Office (ICO)
Compliance with UK GDPR requirements

Additional Safeguards:

Encryption in Transit and at Rest: TLS 1.3, AES-256
Access Controls: RBAC, MFA, Row-Level Security
Regular Security Assessments: Audits, penetration testing
Incident Response Procedures: 72-hour breach notification
Transparency: Government access request notifications (when legally permitted)
Zero-Knowledge Architecture: Technical impossibility of accessing encrypted data

9.3 Data Residency Options

EU Data Residency (Available Now):

Supabase EU region (Frankfurt, Germany)
All data stored and processed within EU
EU-based backups and disaster recovery
Request at signup or contact: privacy@ermits.com

Self-Managed Infrastructure (Enterprise):

Deploy to your own cloud environment (AWS, Azure, GCP)
Choose any geographic region
Complete control over data location
ERMITS provides software and support only

On-Premises Deployment (Enterprise Plus):

Install on your own servers
Air-gapped operation supported
No data leaves your network
Complete data sovereignty

10. CHILDREN'S PRIVACY

10.1 Age Restrictions

The Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

If You Are Under 18:

Do not use the Services
Do not provide any information to ERMITS
Do not create an account
Have a parent or guardian contact us if you have provided information

10.2 Parental Rights

If we learn that we have collected personal information from a child under 18 without verified parental consent:

We will delete the information as quickly as possible
Parents may contact us to request deletion: privacy@ermits.com
Parents have the right to review information collected from their child, request deletion, refuse further collection, and receive information about our data practices

11. PRODUCT-SPECIFIC PRIVACY CONSIDERATIONS

TechnoSoluce™ (SBOM Analyzer):

SBOM files: Never transmitted to or stored on ERMITS servers
Analysis results: Stored locally in user's browser only
No retention on ERMITS infrastructure

SocialCaution:

Privacy assessment responses: Processed 100% client-side
All assessment data stored locally in browser (IndexedDB, localStorage)
Zero data transmission to ERMITS servers during assessments

CyberCertitude™ (CMMC Compliance):

Toolkit (localStorage-based): 100% local storage, no data collected
Level 1 & 2 Platform: Encrypted compliance data with zero-knowledge E2EE
ERMITS cannot decrypt your compliance data

CyberCaution™ (Security Assessments):

Browser-Based: 100% local processing, no data collected
Cloud-Enabled: Encrypted security assessment data (if cloud sync enabled)
Anonymous benchmarking opt-in only with differential privacy

12. SPECIAL CONSIDERATIONS

12.1 Federal Contractor Privacy

For users handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI):

Privacy-First Architecture Benefits:

CUI/FCI processed client-side; never transmitted to ERMITS
Zero-knowledge encryption ensures ERMITS cannot access CUI/FCI
Local storage options eliminate cloud transmission of sensitive data
You maintain complete control over CUI/FCI data

Your Responsibilities:

Properly mark and handle CUI/FCI according to NIST SP 800-171 and 32 CFR Part 2002
Use encryption features and self-managed deployment options for CUI/FCI
Implement appropriate access controls per DFARS requirements
Maintain audit logs for CUI/FCI access
Report cyber incidents as required by DFARS 252.204-7012 (within 72 hours to DoD)

12.2 Healthcare Privacy (HIPAA)

For healthcare organizations subject to HIPAA:

Business Associate Agreement (BAA) Available:

Required for healthcare customers processing PHI
Contact: privacy@ermits.com to execute BAA
HIPAA-compliant infrastructure and safeguards

Recommended Configuration:

Use local-only storage for all PHI
Use self-managed cloud infrastructure
Enable client-side encryption for any cloud-stored data
Implement access controls per HIPAA Security Rule

13. UPDATES TO THIS PRIVACY POLICY

13.1 Policy Updates

We may update this Privacy Policy periodically to reflect:

Changes in data practices or Services
New product launches or features
Legal or regulatory developments
Technological improvements
User feedback and industry best practices

13.2 Notification of Changes

Material Changes: For significant changes affecting your rights or data practices:

30 Days' Advance Notice: Email notification and in-app announcement
Prominent Display: Notice displayed on website and in Services
Opt-Out Option: Option to export data and close account before changes take effect
Continued Use: Continued use after effective date constitutes acceptance

Non-Material Changes: For clarifications, formatting, or minor updates:

Update "Last Updated" date at top of policy
Changes effective immediately upon posting
No advance notice required

14. CONTACT INFORMATION

14.1 Privacy Inquiries

General Privacy Questions: Email: privacy@ermits.com Subject: "Privacy Inquiry"

Data Rights Requests: Email: privacy@ermits.com Subject: "Privacy Rights Request - [Type]"

14.2 Jurisdiction-Specific Contacts

Data Protection Officer (EU/UK/Swiss): Email: privacy@ermits.com Subject: "GDPR Inquiry - DPO"

California Privacy Requests (CCPA/CPRA): Email: privacy@ermits.com Subject: "CCPA Request"

HIPAA Privacy Officer (Healthcare): Email: privacy@ermits.com Subject: "HIPAA Privacy Matter"

14.3 Security Concerns

Email: security@ermits.com Subject: "Security Issue - [Urgent/Non-Urgent]"

15. EFFECTIVE DATE AND ACCEPTANCE

Effective Date: October 31, 2025

Last Updated: December 13, 2025

By using ERMITS Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must discontinue use of all ERMITS Services immediately.