Privacy Policy

Last updated: January 1, 2026  ·  Cyber Risk Architecture LLC

1. Introduction

Cyber Risk Architecture LLC ("we", "our", or "the Company") operates the CyberRisk Architecture OS platform (CRAM OS). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our services.

2. Information We Collect

• Account Information — Name, email address, job title, company name, and billing information provided at registration.
• Security & Asset Data — Asset inventories, vulnerability scan results, risk scores, and compliance data you provide or that are ingested via integrations. This data is processed solely to deliver the service to your organization.
• Usage Data — Log entries, page views, feature interactions, API calls, and error reports collected automatically to improve platform performance.
• Device & Browser Data — IP address, browser type, operating system, and device identifiers for security and session management purposes.

3. How We Use Your Information

• Provide, operate, and maintain the CRAM OS platform
• Process payments and manage subscriptions
• Send service notifications, security alerts, and support communications
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Improve platform features and user experience (aggregated, anonymized analytics only)

We do not sell, rent, or share your security data or asset inventory with third parties for advertising or commercial profiling purposes.

4. Data Security

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Access to customer data is restricted to authorized personnel on a need-to-know basis. The platform is designed with controls aligned to SOC 2 Type II requirements.

5. Data Retention

Account data is retained for the duration of your subscription plus 90 days after termination (to support data export requests). Anonymized usage logs may be retained for up to 2 years. You may request deletion of your data at any time by contacting privacy@cyberriskarchitecture.com.

6. Third-Party Services

We use the following sub-processors to deliver the service:

• Amazon Web Services (AWS) — Cloud infrastructure and database hosting (us-east-1; EU region available on request)
• Stripe — Payment processing (PCI DSS Level 1 certified)
• AWS Cognito — Authentication and identity management

7. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, port, or delete your personal data, and to object to or restrict certain processing. To exercise these rights, contact privacy@cyberriskarchitecture.com. Requests will be processed within 30 days.

8. GDPR (EU/EEA Users)

For users in the European Union or EEA, the legal basis for processing is your contract with us (Art. 6(1)(b) GDPR), our legitimate interests (Art. 6(1)(f)), and, where required, your consent. You may lodge a complaint with your local Data Protection Authority.

9. CCPA (California Users)

California residents have the right to know what personal information we collect, to request deletion, and to opt out of sale. We do not sell personal information. To submit a request, contact privacy@cyberriskarchitecture.com.

10. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance.

11. Contact

Privacy inquiries: privacy@cyberriskarchitecture.com
General contact: contact@cyberriskarchitecture.com
Cyber Risk Architecture LLC · United States