Privacy Policy

InsureAudit, Inc. ("InsureAudit", "We", "Us", or "Our") operates the automated cyber risk evidence harvesting platform and multi-tenant workspace available via insureaudit.ai (the "Service"). This Privacy Policy outlines our strict protocols regarding the collection, use, and safeguarding of data when you utilize our platform.

1. Scope and Relationship of Parties

This Policy governs two distinct classifications of data:

• Account Information: Information for which InsureAudit acts as a Data Controller, including names, corporate emails, firm registration parameters, and system settings of the vCISO operators.
• Customer Evidence Data: Information for which InsureAudit acts strictly as a Data Processor, consisting of automated request logs, firewall telemetry, MFA screenshots, active directory structures, and compliance files uploaded asynchronously by end-user SMB clients through the secure portals.

2. Information We Collect and Process

A. vCISO Operator Data (Controller Context)

• Identity and Contact Data: Professional legal names, corporate email addresses, authorized firm names, user names, and designated operational preferences.
• Telemetry and Logs: IP addresses, browser profile footprints, access timestamps, and cryptographic session token activities captured to maintain system health, audit logs, and single-tenant account verification.

B. Client Evidence Payload Data (Processor Context)

• Metadata directories: Client organizational names, assigned evidence categories, and historical target dates.
• Evidence Payloads: Structural text documents, systems configurations, patch metrics, policy files, and images uploaded natively into individual client dropzones to document technical infrastructure readiness for cyber insurance underwriters.

3. Financial Transaction Processing and Merchant of Record Disclosure

To support zero-overhead international invoicing, localized sales tax calculations, and global compliance administration, InsureAudit utilizes a managed Merchant of Record (MoR) architecture powered by Paddle and Stripe. When executing a subscription checkout or tier upgrade, your transaction and billing data are collected directly by the designated MoR. This data includes billing names, corporate locations, and valid credit/debit card numbers. Processing is executed in full alignment with the PCI-DSS Level 1 security standard, and data handling is governed directly by the Paddle Buyer Terms and Stripe Privacy Policy. InsureAudit does not view or store unencrypted credit card numbers within our core databases.

4. How Information Is Used

We process data strictly under lawful bases to fulfill contractual obligations and preserve infrastructure integrity:

• To maintain, secure, isolate, and authenticate the multi-tenant vCISO console.
• To execute automated email notification loops and evidence tracking routines on behalf of the managing vCISO.
• To generate unique cryptographic SHA-256 validation hashes for compliance artifacts, allowing verified underwriters to confirm report integrity without requiring active system access.
• To isolate system environments and verify that no tenant can inspect, alter, or intersect data rows outside their auth.uid() database scope.

5. Security Architecture and Data Hardening

InsureAudit treats data confidentiality as a fundamental core metric. Our production environments utilize the following security measures:

• In-Transit Security: Universal enforcement of TLS 1.3 encryption across all public routers and api parameters.
• At-Rest Security: High-performance database encryption using AES-256-GCM algorithms across all text tables and physical file storage blocks.
• Access Control: Implementation of granular Row-Level Security (RLS) constraints within the database engine, ensuring that unauthenticated or external actors cannot bypass workspace boundaries.
• Operational Isolation: Explicit revocation of general execution rights across system helper functions, combined with strict principle-of-least-privilege access rules.

6. Sub-processors

We use a small pool of top-tier cloud sub-processors to maintain core system stability, including Supabase (for managed PostgreSQL database clustering), AWS/Vercel (for high-availability container hosting), and transactional email relay systems. A current register of active sub-processors is available to corporate accounts upon formal request via our Data Processing Addendum (DPA).

7. Data Retention and Deletion

• Evidence Payloads: Client documentation is retained securely for the length of your active subscription plus an extended firm-level configuration period (default: 7 years) to provide historical evidence support for underwriter reviews.
• Account Data: Following a formal request to terminate a subscription, personal account details and primary organization tokens are permanently scrubbed from our active production clusters within ninety (90) calendar days.

8. International Rights and Contact Information

Depending on your operational jurisdiction (including the EU under GDPR, and California under the CCPA/CPRA), you retain the right to inspect, edit, restrict, or request the permanent deletion of your personal account files.

For direct inquiries concerning data protection parameters or to submit an operational request, please use our secure support form.