MASTER PRIVACY POLICY

Effective Date: November 19, 2025

Last Updated: October 31, 2025

ERMITS LLC ("ERMITS," "we," "our," or "us") is committed to protecting your privacy through a Privacy-First Architecture that ensures you maintain control over your data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Services across all ERMITS product lines.

By using our Services, you consent to the data practices described in this policy. If you do not agree with this Privacy Policy, please do not use our Services.

1. SCOPE AND APPLICABILITY

1.1 Services Covered

This Privacy Policy applies to all ERMITS products and services, including:

ERMITS Advisory + STEEL™:

  • Strategic cybersecurity assessments and advisory services
  • STEEL™ (Strategic Threat & Enterprise Evaluation Layer) framework assessments
  • vCISO services and security consulting
  • Compliance advisory and implementation services

SocialCaution:

  • Personalized privacy platform
  • AI-powered persona detection
  • Privacy exposure index and risk scoring
  • Service catalog with privacy risk profiles

TechnoSoluce™:

  • SBOM (Software Bill of Materials) Analyzer
  • Software supply chain security and vulnerability analysis
  • Client-side SBOM processing

CyberCertitude™:

  • CMMC 2.0 Level 1 Implementation Suite
  • CMMC 2.0 Level 2 Compliance Platform
  • NIST SP 800-171 assessment and compliance tools
  • Original Toolkit (localStorage-based compliance management)

VendorSoluce™:

  • Supply Chain Risk Management Platform
  • Vendor assessment and monitoring
  • Third-party risk evaluation

CyberCorrect™:

  • Privacy Portal (workplace privacy compliance)
  • Privacy Platform (multi-regulation privacy management)
  • Data subject rights management

CyberCaution™:

  • RansomCheck (ransomware readiness assessment)
  • Security Toolkit (comprehensive cybersecurity assessments)
  • RiskProfessional (CISA-aligned security assessments)

1.2 Geographic Scope

This Privacy Policy applies to users worldwide and complies with:

  • General Data Protection Regulation (GDPR) - European Union, United Kingdom, Switzerland
  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
  • Lei Geral de Proteção de Dados (LGPD) - Brazil
  • Other applicable privacy and data protection laws

2. PRIVACY-FIRST ARCHITECTURE OVERVIEW

2.1 Core Privacy Principles

ERMITS implements Privacy-First Architecture built on five fundamental principles that distinguish our approach:

1. Client-Side Processing

All core computational functions are performed locally within your browser or self-managed environment whenever technically feasible:

  • Security Assessments: STEEL™, CMMC, cybersecurity assessments processed in your browser
  • SBOM Analysis: TechnoSoluce processes SBOM files entirely client-side
  • Risk Scoring: All risk calculations performed locally
  • Compliance Evaluations: Assessment scoring and gap analysis done in your browser
  • Privacy Analysis: SocialCaution persona detection runs entirely client-side

Your data remains under your control throughout the analysis process.

2. Data Sovereignty Options

You choose where your data resides:

  • Local-Only Mode: All data stored exclusively in your browser (IndexedDB, localStorage)
  • Self-Managed Cloud: Deploy to your own cloud infrastructure with full control (AWS, Azure, GCP)
  • ERMITS-Managed Cloud: Optional encrypted cloud synchronization with zero-knowledge architecture
  • Hybrid Deployment: Local processing with selective encrypted cloud backup
  • On-Premises: Enterprise customers can deploy on their own infrastructure

3. Zero-Knowledge Encryption

When using ERMITS-managed cloud features with encryption enabled:

  • Data is encrypted client-side using AES-256-GCM before transmission
  • Encryption keys are derived from your credentials using PBKDF2 and never transmitted to ERMITS
  • ERMITS cannot decrypt, access, or view your encrypted data
  • You are solely responsible for maintaining access to encryption keys
  • Lost keys mean permanent data loss; ERMITS cannot recover your data because it never holds the keys

4. Data Minimization

We collect only the minimum data necessary for service functionality:

Never Collected:

  • Raw SBOM files, component lists, dependency graphs
  • Assessment content, responses, or findings
  • Vulnerability scan results or CVE data
  • Compliance documentation (SSPs, POA&Ms, evidence)
  • CUI (Controlled Unclassified Information)
  • FCI (Federal Contract Information)
  • PHI (Protected Health Information)
  • Proprietary business data or trade secrets

Optionally Collected:

  • Account information (name, email, company) - only when you create an account
  • Pseudonymized telemetry (anonymous performance metrics) - opt-in only
  • Encrypted user data (if cloud sync enabled) - we cannot decrypt

5. Transparency and Control

You have complete control over your data:

  • Export all data at any time in standard formats (JSON, CSV, PDF)
  • Delete all data permanently with one click
  • Opt in or opt out of telemetry collection anytime
  • Choose your deployment and storage model
  • Review detailed data flow documentation for each product

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

Account Information (Optional):

When you create an account or subscribe to paid features, we collect:

  • Name: Your full name or preferred name
  • Email Address: For authentication, communications, and billing
  • Company Name and Job Title: Optional, for business context
  • Billing Information: Processed by Stripe, Inc. (our payment processor)
    • ERMITS does not store complete payment card information
    • We receive only: transaction status, last 4 digits of card, billing address
  • Password: Cryptographically hashed using bcrypt, never stored in plaintext

User-Generated Content:

  • Support Requests: Questions, issues, or feedback sent to contact@ermits.com
  • Survey Responses: Feedback provided through user surveys
  • Customization Preferences: UI preferences, notification settings, feature preferences

3.2 Information We Do NOT Collect

ERMITS explicitly does NOT collect, access, store, or transmit:

Assessment and Analysis Data:

  • Security assessment responses or scores
  • CMMC compliance assessments or documentation
  • STEEL™ assessment responses or risk scores
  • Cybersecurity evaluation results
  • Privacy assessments or persona analysis results

Technical Data:

  • SBOM (Software Bill of Materials) files or contents
  • Software component lists or dependency graphs
  • Vulnerability scan results or CVE findings
  • Package metadata or software inventories

Compliance and Regulatory Data:

  • System Security Plans (SSPs)
  • Plans of Action and Milestones (POA&Ms)
  • Compliance evidence or audit documentation
  • Certification materials or assessment reports

Controlled Information:

  • CUI (Controlled Unclassified Information)
  • FCI (Federal Contract Information)
  • PHI (Protected Health Information) under HIPAA
  • PCI data (payment card information) except via Stripe

Business Data:

  • Trade secrets or proprietary information
  • Confidential business strategies
  • Financial records (except billing data)
  • Customer lists or business relationships

3.3 Automatically Collected Information

Pseudonymized Telemetry (Optional - Opt-In Required):

With your explicit consent, we collect anonymous, aggregated performance data:

What We Collect:

  • Feature usage statistics (which tools are used, how often)
  • Performance metrics (page load times, API response times)
  • Error reports (crash logs, exceptions) with PII automatically scrubbed by Sentry
  • Browser and device information (browser type/version, OS, screen resolution)
  • Session metadata (session duration, navigation paths, timestamps)

Privacy Protections:

  • Irreversible Pseudonymization: User identifiers are cryptographically hashed (SHA-256) and cannot be reverse-engineered
  • No Content Data: Telemetry never includes file contents, assessment results, or user inputs
  • Differential Privacy: PostHog analytics use differential privacy techniques to prevent individual identification
  • Opt-Out Available: You can disable telemetry at any time in account settings with retroactive deletion
  • Aggregate Only: Data used only in aggregate; individual user behavior cannot be identified

Technical and Security Data:

IP Addresses:

  • Collected for: Security monitoring, rate limiting, geolocation for service delivery
  • Not linked to: User accounts or identifiable information
  • Retention: 90 days in server logs, then automatically deleted
  • Use: Fraud prevention, DDoS protection, regional service optimization

Server Logs:

  • Standard web server access logs (timestamp, HTTP method, endpoint, status code, IP)
  • Error logs for debugging and system monitoring
  • Retention: 90 days, then automatically deleted
  • Access: Restricted to security and engineering teams only

3.4 Information from Third Parties

Authentication Providers (OAuth):

If you use OAuth for authentication (Google, Microsoft, GitHub), we receive:

  • Name and email address from the provider
  • Profile information you choose to share with the provider's permission
  • Provider's unique identifier for your account (for account linking)

We do not:

  • Access your contacts, files, or other data from these providers
  • Request more permissions than necessary for authentication
  • Share your ERMITS data back to these providers

Payment Processor (Stripe):

Stripe provides us with:

  • Payment success/failure status
  • Subscription status and billing cycle information
  • Last 4 digits of payment method (for your reference)
  • Billing address (for tax compliance)

We do not:

  • Receive or store complete payment card numbers
  • Process payments directly (all payment processing via Stripe)
  • Have access to your full financial information

4. HOW WE USE INFORMATION

4.1 Service Delivery and Operation

We use collected information to:

  • Provide Services: Deliver ERMITS Advisory, SocialCaution, TechnoSoluce, CyberCertitude, VendorSoluce, CyberCorrect, and CyberCaution services
  • Process Transactions: Handle subscriptions, billing, and payment confirmations
  • Authenticate Users: Verify identity and maintain account security
  • Enable Features: Provide cloud synchronization, multi-device access, collaboration features (when opted-in)
  • Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance

4.2 Service Improvement and Analytics

We use pseudonymized, aggregate data to:

  • Analyze Usage Patterns: Understand which features are used and how often (aggregate only)
  • Identify Issues: Detect and fix bugs, errors, and performance problems
  • Develop Features: Plan and build new features based on anonymized usage trends
  • Conduct Research: Perform security and privacy research using aggregated, anonymous data
  • Benchmark Performance: Measure and improve service performance and reliability

We do NOT:

  • Analyze your individual assessment results or SBOM data
  • Use your data to train AI models or machine learning systems
  • Profile users for behavioral targeting or marketing
  • Sell or monetize your data in any way

4.3 Communication

We use your contact information to:

  • Service Announcements: Notify you of system updates, maintenance, or service changes
  • Security Alerts: Send critical security notifications or breach notifications
  • Support Responses: Reply to your support requests and feedback
  • Transactional Emails: Send receipts, invoices, account confirmations
  • Product Updates: Inform you of new features or product launches (opt-in only)
  • Marketing Communications: Send promotional content only with your explicit consent (easy opt-out)

You control communications:

  • Opt out of marketing emails anytime via unsubscribe link
  • Cannot opt out of critical service/security notifications
  • Manage preferences in Account Settings → Notifications

4.4 Security and Fraud Prevention

We use technical data to:

  • Detect Threats: Identify and prevent security threats, attacks, and abuse
  • Monitor Security: Track unauthorized access attempts or account compromise
  • Enforce Policies: Ensure compliance with Terms of Service and Acceptable Use Policy
  • Prevent Fraud: Detect fraudulent transactions, account creation, or service abuse
  • Protect Users: Safeguard ERMITS, our users, and third parties from harm

4.5 Legal and Compliance

We process information as required to:

  • Comply with Laws: Fulfill legal obligations and respond to lawful requests
  • Enforce Rights: Protect ERMITS' legal rights and enforce agreements
  • Liability Protection: Defend against legal claims or liability
  • Audits: Conduct internal audits and maintain business records
  • Regulatory Compliance: Meet requirements under GDPR, CCPA, HIPAA, and other laws

4.6 What We Do NOT Do

ERMITS does NOT:

  • Sell or rent your personal information to third parties
  • Use your data for advertising or marketing to others
  • Share your User Data with third parties except as disclosed in Section 5
  • Train AI models on your User Data or assessment content
  • Analyze your results for any purpose (we cannot access encrypted data)
  • Profile users for behavioral targeting or manipulation
  • Monitor your activity beyond aggregate, anonymous metrics

5. INFORMATION SHARING AND DISCLOSURE

5.1 Service Providers (Sub-Processors)

We share limited data with trusted third-party service providers who assist in delivering the Services. All sub-processors are contractually required to use data only for specified purposes, implement appropriate security measures, comply with applicable privacy laws, and delete data when no longer needed.

Key Service Providers:

  • Supabase, Inc.: Database and authentication (United States / EU - customer choice)
  • Stripe, Inc.: Payment processing (United States)
  • Sentry (Functional Software): Error monitoring (United States)
  • PostHog, Inc.: Analytics with differential privacy (United States / EU)
  • Vercel, Inc.: Hosting and CDN (Global CDN)

5.2 Legal Requirements

We may disclose information if required by law or in response to:

  • Court orders, subpoenas, search warrants, or judicial orders
  • Government requests from law enforcement or regulatory investigations
  • Lawful requests under applicable legal authority
  • National security threats (where legally required)

Our Commitments When Legally Required to Disclose:

  • Notify affected users of legal requests before disclosure (when legally permitted)
  • Challenge requests that are overly broad, improper, or unlawful
  • Provide only minimum information required by law
  • Seek confidentiality for user information disclosed

5.3 Business Transfers

If ERMITS is involved in a merger, acquisition, asset sale, or bankruptcy:

  • User information may be transferred as part of business assets
  • We will provide notice before information is transferred to a new entity
  • The successor entity will be bound by this Privacy Policy
  • You will have the option to delete your data before transfer (minimum 30 days' notice)

5.4 Consent-Based Sharing

We may share information with your explicit consent for purposes such as:

  • Third-party integrations you authorize (HRIS, GRC platforms, etc.)
  • Organization administrators (Enterprise accounts)
  • Testimonials (with your approval)
  • Case studies (with explicit written permission)
  • Research participation (with explicit opt-in consent)

5.5 Aggregated and Anonymous Data

We may share aggregated, anonymous data that cannot identify you:

  • Industry benchmarks and comparative statistics
  • Research publications on cybersecurity trends
  • Public reports and trend analysis
  • Product insights and feature adoption rates

Data is irreversibly anonymized using differential privacy techniques and cannot be reverse-engineered to identify individuals or organizations.
6. DATA SECURITY MEASURES

6.1 Encryption

Data in Transit:

  • TLS 1.3 encryption for all data transmission (minimum TLS 1.2 for legacy systems)
  • HTTPS required for all web traffic
  • Certificate Pinning for critical connections
  • Perfect Forward Secrecy (PFS) enabled to protect past sessions
  • Strong Cipher Suites only (AES-256-GCM, ChaCha20-Poly1305)

Data at Rest:

  • AES-256-GCM encryption for cloud-stored data
  • Client-Side Encryption with user-controlled keys (zero-knowledge architecture)
  • Encrypted Database Backups with separate encryption keys
  • Secure Key Management using industry-standard HSMs and key rotation

6.2 Access Controls

Authentication:

  • Multi-Factor Authentication (MFA) available for all accounts, required for administrators
  • Strong Password Requirements: Minimum 12 characters, complexity requirements
  • Password Breach Detection: Checking against known compromised password databases
  • Session Management: Automatic timeout after 4 hours idle, 12 hours maximum
  • OAuth 2.0 Integration with trusted providers (Google, Microsoft, GitHub)

Authorization:

  • Row-Level Security (RLS): Database-level policies ensure users can only access their own data
  • Role-Based Access Control (RBAC): Granular permissions (Admin, Editor, Viewer, etc.)
  • Principle of Least Privilege: Users and systems granted minimum necessary permissions

6.3 Infrastructure Security

Cloud Security:

  • Secure Hosting: Enterprise-grade infrastructure (Supabase on AWS, Vercel on AWS/GCP)
  • Network Segmentation: Isolated production, staging, and development environments
  • DDoS Protection: Distributed denial-of-service attack mitigation
  • Web Application Firewall (WAF): Protection against common web attacks
  • Intrusion Detection/Prevention (IDS/IPS): 24/7 monitoring for suspicious activity
  • Regular Vulnerability Scanning: Automated and manual security assessments
  • Penetration Testing: Annual third-party security audits

6.4 Security Incident Response

In the event of a data breach or security incident:

  • Detection: 24/7 security monitoring and alerting systems
  • Containment: Immediate action to isolate affected systems
  • Investigation: Forensic analysis to determine scope and impact
  • Notification: Users notified within 72 hours of breach discovery (GDPR requirement)
  • Remediation: Implement fixes to prevent recurrence

7. DATA RETENTION

7.1 Active Account Data

We retain your data for as long as your account is active or as needed to provide the Services. Account information is retained for the duration of the account plus 30 days after termination. User-generated content is under your control and can be deleted at any time; it is deleted 30 days after account termination (90 days for backup copies).

7.2 Deleted Accounts

When you delete your account or request data deletion:

  • Immediate (within 24 hours): Account access disabled, data marked for deletion, all processing stopped
  • Within 30 days: User Data permanently deleted from production systems
  • Within 90 days: Backup copies permanently deleted

Exceptions (data retained longer):

  • Financial Records: 7 years (tax and audit requirements - IRS, SOX)
  • Legal Hold Data: Retained as required by litigation or investigation
  • Pseudonymized Analytics: Indefinite (anonymous, cannot identify individuals)
  • Aggregated Statistics: Indefinite (cannot be reverse-engineered to identify you)

8. YOUR PRIVACY RIGHTS

8.1 Universal Rights (All Users)

All users have the following rights regardless of location:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Deletion (Right to be Forgotten): Request deletion of your personal data
  • Right to Data Portability: Export your data in machine-readable formats (JSON, CSV, PDF)
  • Right to Restriction of Processing: Request limitation of processing in certain circumstances
  • Right to Object: Object to processing based on legitimate interests

8.2 Additional Rights for EU/UK/Swiss Users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights:

  • Right to Withdraw Consent: Withdraw consent at any time (does not affect prior processing)
  • Right to Lodge a Complaint: File complaint with your local data protection authority (DPA)
  • Right to Data Protection Impact Assessment (DPIA): Request information about DPIAs conducted for high-risk processing
  • Right to Human Review: Right not to be subject to automated decision-making with legal/significant effects

8.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under CCPA and CPRA:

  • Right to Know: Request information about categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information (subject to legal exceptions)
  • Right to Opt-Out of Sale: ERMITS does not sell personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Non-Discrimination: Equal service and pricing regardless of privacy rights exercise

8.4 Exercising Your Rights

How to Submit Requests:

Response Timeline:

  • Initial Response: Within 10 business days acknowledging receipt of request
  • Complete Response: Within 45 days (may extend 45 days with notice for complex requests)
  • GDPR Requests: Within 30 days (may extend 60 days with justification)
  • Free of Charge: First two requests per year are free

9. INTERNATIONAL DATA TRANSFERS

9.1 Data Processing Locations

ERMITS is based in the United States. If you access Services from outside the U.S., your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

Primary Data Locations:

  • United States: Primary data processing and storage (Supabase US, Vercel US)
  • European Union: Optional data residency for EU customers (Supabase EU region - Frankfurt)
  • Global CDN: Content delivery network nodes worldwide (Vercel Edge Network)

9.2 Safeguards for International Transfers

For data transfers from the EEA, UK, or Switzerland to the United States:

  • Standard Contractual Clauses (SCCs): European Commission-approved Standard Contractual Clauses (Decision 2021/914)
  • UK International Data Transfer Addendum: UK Addendum to EU SCCs for UK data transfers
  • Swiss Data Transfer Mechanisms: Swiss-adapted Standard Contractual Clauses
  • Additional Safeguards: Encryption in transit and at rest, access controls, regular security assessments

9.3 Data Residency Options

EU Data Residency (Available Now):

  • Supabase EU region (Frankfurt, Germany)
  • All data stored and processed within EU
  • EU-based backups and disaster recovery
  • Request at signup or contact: privacy@ermits.com

Self-Managed Infrastructure (Enterprise):

  • Deploy to your own cloud environment (AWS, Azure, GCP)
  • Choose any geographic region
  • Complete control over data location

10. CHILDREN'S PRIVACY

10.1 Age Restrictions

The Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

10.2 Parental Rights

If we learn that we have collected personal information from a child under 18 without verified parental consent:

  • We will delete the information as quickly as possible
  • Parents may contact us to request deletion: privacy@ermits.com
  • Parents have the right to review, request deletion, refuse further collection, and receive information about our data practices

11. PRODUCT-SPECIFIC PRIVACY CONSIDERATIONS

Each ERMITS product has specific privacy considerations. Key highlights:

TechnoSoluce™ (SBOM Analyzer):

  • SBOM files or contents are NOT collected (processed 100% client-side)
  • Only component identifiers (public package names and versions) are sent to vulnerability databases
  • Results stored locally in your browser only

SocialCaution:

  • Privacy assessment responses processed 100% client-side
  • No persona data or assessment responses transmitted to ERMITS servers
  • All assessment data stored locally in your browser (IndexedDB, localStorage)

CyberCertitude™ (CMMC Compliance):

  • Toolkit: 100% local storage in browser, no data collected
  • Level 1 & Level 2 Platform: Encrypted compliance data (if cloud sync enabled) with zero-knowledge E2EE
  • ERMITS cannot decrypt your compliance data

12. SPECIAL CONSIDERATIONS

12.1 Federal Contractor Privacy

For users handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI):

  • CUI/FCI processed client-side; never transmitted to ERMITS
  • Zero-knowledge encryption ensures ERMITS cannot access CUI/FCI
  • You are solely responsible for detecting and reporting cyber incidents involving CUI/FCI
  • Report to DoD via dibnet.dod.mil within 72 hours

12.2 Healthcare Privacy (HIPAA)

For healthcare organizations subject to HIPAA:

  • Business Associate Agreement (BAA) Available: Required for healthcare customers processing PHI
  • Contact: privacy@ermits.com to execute BAA
  • Unencrypted PHI is processed client-side; ERMITS cannot access encrypted PHI
  • Recommended: Use local-only storage for all PHI

12.3 Financial Services Privacy

For financial institutions subject to GLBA, SOX, or PCI-DSS:

  • SOC 2 Type II certification (in progress)
  • Encryption and access controls exceed industry standards
  • Do not process payment card information (PCI data) through Services
  • Use Stripe integration for payment processing only

13. UPDATES TO THIS PRIVACY POLICY

13.1 Policy Updates

We may update this Privacy Policy periodically to reflect changes in data practices, new product launches, legal or regulatory developments, technological improvements, and user feedback.

13.2 Notification of Changes

Material Changes:

  • 30 Days' Advance Notice: Email notification and in-app announcement
  • Prominent Display: Notice displayed on website and in Services
  • Opt-Out Option: Option to export data and close account before changes take effect
  • Continued Use: Continued use after effective date constitutes acceptance

Non-Material Changes:

  • Update "Last Updated" date at top of policy
  • Changes effective immediately upon posting
  • No advance notice required

14. CONTACT INFORMATION

14.1 Privacy Inquiries

General Privacy Questions:

Data Rights Requests:

14.2 Jurisdiction-Specific Contacts

Data Protection Officer (EU/UK/Swiss):

  • Email: privacy@ermits.com
  • Subject: "GDPR Inquiry - DPO"
  • Handles: GDPR, UK GDPR, Swiss FADP matters

California Privacy Requests (CCPA/CPRA):

  • Email: privacy@ermits.com
  • Subject: "CCPA Request"
  • Handles: California consumer privacy rights

15. EFFECTIVE DATE AND ACCEPTANCE

Effective Date: October 31, 2025

Last Updated: November 19, 2025

By using ERMITS Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you do not agree with this Privacy Policy, you must discontinue use of all ERMITS Services immediately.