Privacy Policy

ConfidentCompliance.ai - This Privacy Policy explains how we collect, use, and protect your information when you use our iATTEST CMMC compliance management platform.

1. Introduction

DIT4E, LLC DBA ConfidentCompliance.ai (“Company”) provides an AI-powered CMMC compliance management platform, iATTEST (“Service”).

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using the Service, you consent to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

This Privacy Policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.

Privacy Compliance Summary

GDPR Compliant (EU Users)

  • Lawful basis for data processing
  • Right to access, rectify, and delete data
  • Data portability and objection rights
  • Data Protection Officer available

CCPA Compliant (California Users)

  • Right to know what data we collect
  • Right to delete personal information
  • Right to opt-out of data sales (we do not sell data)
  • Non-discrimination for exercising rights

Contact: privacy@confidentcompliance.ai

2. Information We Collect

2.1 Information You Provide

Account Information

  • Name and email address
  • Company name and job title
  • Authentication credentials
  • Contact preferences

Company Profile Information

  • Organization details relevant to compliance (industry, employee count, CMMC level sought)
  • Types of government contracts or information handled (FCI, CUI designation)
  • System boundary descriptions

Compliance Program Information

  • Descriptions of your security controls and implementation status
  • Policy and procedure documents
  • System Security Plan (SSP) narratives
  • Plan of Action and Milestones (POA&M) descriptions
  • Evidence descriptions and compliance tracking information
  • Network diagrams and system descriptions (sanitized)
  • Gap analysis responses and remediation plans

Support Communications

  • Messages and inquiries sent to our support team
  • Feedback and feature requests

2.2 Information We DO NOT Collect

THE SERVICE IS NOT DESIGNED TO COLLECT, STORE, OR PROCESS:

  • Controlled Unclassified Information (CUI) — Information requiring safeguarding per government-wide policy
  • Classified Information — Information at any classification level (Confidential, Secret, Top Secret)
  • Federal Contract Information (FCI) Source Documents — Original government-provided documents
  • Export-Controlled Technical Data — Information subject to ITAR or EAR
  • Actual Evidence Files — Documents containing the sensitive information your controls protect
  • Government-Furnished Information — Materials provided by the government under contract

You are prohibited from uploading such information to the Service. See our Terms of Service Section 6 for complete data restrictions. The Service helps you document your compliance program — it does not serve as a repository for the sensitive data you are protecting.

2.3 Payment Information

  • Billing name and address
  • Payment method information
  • Transaction and subscription history

The Company does not store full payment card numbers, CVVs, or complete card details on our systems. Payment is processed by a secure third party (subprocessor). The Company has the right to change or modify agreements with third-party vendors at any time without notice. If any vendor changes require updates to the Privacy Policy, Company will inform users of the privacy changes.

2.4 Automatically Collected Information

Usage Information

  • Features accessed and frequency of use
  • Compliance workflows completed
  • Service performance metrics

Technical Information

  • Browser type and version
  • Operating system
  • Device identifiers
  • IP address
  • Access times and dates
  • Pages and features viewed

Cookies and Similar Technologies

  • Essential cookies for site functionality
  • Preference cookies for your settings
  • Analytics cookies for service improvement

3. How We Use Information

3.1 Service Provision

  • Provide CMMC compliance management tools and gap analysis
  • Generate AI-assisted compliance documentation
  • Calculate and track compliance scores and SPRS estimates
  • Store your compliance program information for your access
  • Process your subscription and manage your account
  • Provide customer support

3.2 AI Processing

Your compliance program descriptions and documentation content are processed by AI systems to:

  • Generate policy and procedure templates
  • Provide gap analysis against CMMC and NIST SP 800-171 requirements
  • Suggest control implementation language
  • Answer compliance-related questions
  • Create SSP and POA&M content

Important: AI-generated outputs require your review and validation before use. You are responsible for the accuracy of any documentation submitted to the government or assessors. This is why the iATTEST CMMC application was built as a human-in-the-loop solution. It increases efficiency but does not replace the need for your review prior to attestation.

3.3 Service Improvement

  • Analyze usage patterns to improve compliance guidance and features
  • Develop new compliance tools and templates
  • Monitor service performance, reliability, and security
  • Improve AI model accuracy and helpfulness
  • Conduct aggregated, anonymized analytics

We may use anonymized and/or aggregated data that cannot identify you or your organization for research, benchmarking, and service improvement purposes.

3.4 Communication

  • Send service-related notifications (maintenance, updates, security alerts)
  • Respond to your inquiries and support requests
  • Notify you of changes to our Service, Terms, or Privacy Policy
  • Send product updates and compliance news (with your consent, where required)

3.5 Legal and Security

  • Comply with legal obligations and valid legal process
  • Take precautions to reduce the risk of fraud, abuse, and security threats
  • Enforce our Terms of Service
  • Investigate potential violations
  • Respond to spillage incidents if prohibited data is uploaded
  • Cooperate with government audit or investigation requests as legally required

4. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties.

4.1 Service Providers (Subprocessors)

We use third-party service providers to help deliver the Service, including providers of:

  • Cloud infrastructure and hosting
  • Artificial intelligence and machine learning services
  • Payment processing
  • Email and communication services
  • Analytics and monitoring tools
  • Customer support systems

We require Subprocessors to:

  • Maintain commercially reasonable security measures
  • Use your data only to provide services to us
  • Comply with applicable data protection laws
  • Delete or return data upon termination of services

4.2 AI Model Providers

Your compliance program descriptions are processed by third-party AI providers to generate responses and documentation. These providers:

  • Process data to generate outputs only
  • Are contractually restricted in their use of your data
  • Maintain their own privacy policies

4.3 Legal Requirements

We may disclose your information if required by law or in the good-faith belief that such disclosure is necessary to:

  • Comply with legal processes, subpoenas, or government requests
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or the public
  • Investigate potential violations of our Terms of Service
  • Respond to emergency situations

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction.

4.5 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5. Defense Industry and Government Contractor Considerations

5.1 No CUI Processing

This Service does not process, store, or transmit Controlled Unclassified Information (CUI).

Our infrastructure is not certified to NIST SP 800-171, CMMC Level 2, or FedRAMP standards required for CUI handling.

You must maintain CUI in your own appropriately secured environment. The Service helps you document and manage your compliance program — it does not serve as a repository for the sensitive government data you are protecting.

5.2 FCI Considerations

While the Service assists with CMMC Level 1 compliance (which addresses FCI protection), do not upload actual FCI documents. Describe your systems and controls instead of uploading source documents.

5.3 Spillage Response

If you inadvertently upload CUI, classified information, or other prohibited data:

  • Delete the content immediately and notify us at security@confidentcompliance.ai, requesting that the information be deleted promptly from any potential backup files.
  • Company maintains standard incident response procedures but is not equipped or authorized to handle classified, FCI, or CUI spillage remediation. In the event of a data spillage involving Prohibited Data, Client must follow its own organization’s spillage procedures and all applicable government requirements. While Company will provide commercially reasonable assistance where technically feasible and where doing so does not jeopardize the security of Company’s infrastructure, such spillage constitutes a material breach of these Terms. Consequently, Client shall reimburse Company for all costs and expenses (including internal personnel time at standard hourly rates) incurred in connection with such cooperation.
  • We may suspend access to prevent further spillage while the incident is addressed or upon your request.

5.4 Government Requests

We may receive requests from government agencies related to your use of the Service. Our policy is to:

  • Notify you of such requests unless legally prohibited from doing so
  • Require valid legal process before disclosing your information
  • Limit disclosure to the minimum information required
  • Provide you the opportunity to challenge requests where legally permissible

5.5 Flow-Down Requirements

Your government contracts may impose flow-down requirements on service providers. If you require specific contractual provisions, please contact us at legal@confidentcompliance.ai to discuss your requirements before subscribing.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

Data Type                         Retention Period
Account and Compliance Data       While your account is active
Post-Cancellation                 90 days, then permanently deleted
Payment and Transaction Records   7 years (tax/accounting requirements)
Support Communications            3 years from resolution
Anonymized Analytics              Retained indefinitely
Backup Data                       Purged within 30 days of primary deletion

Exceptions:

  • Data may be retained longer if required by law or legal proceedings
  • Data subject to a legal hold will be preserved until the hold is lifted
  • Anonymized, aggregated data that cannot identify you may be retained indefinitely

Your Rights:

  • Request data export at any time through Account Settings
  • Request immediate deletion by contacting support@confidentcompliance.ai
  • Upon deletion request, data is removed within 30 days (subject to legal retention requirements)

7. Data Security

We implement security measures appropriate for business data and compliance program information:

Technical Measures

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256 or equivalent
  • SOC 2 compliant cloud hosting infrastructure
  • Regular security assessments and vulnerability scanning
  • Intrusion detection and monitoring
  • Secure software development practices

Administrative Measures

  • Role-based access controls limiting employee access
  • Multi-factor authentication for administrative access
  • Background checks for personnel with data access
  • Security awareness training for all staff
  • Incident response procedures

Breach Notification

  • We will notify affected users within 72 hours of confirming a data breach (or sooner if required by law)
  • Notification will include the nature of the breach, data affected, and steps we are taking
  • We will cooperate with any required regulatory notifications

IMPORTANT LIMITATION

These measures are designed for general business data and compliance program information. Our infrastructure is NOT certified for:

  • Controlled Unclassified Information (CUI)
  • Classified information at any level
  • FedRAMP workloads

Do not rely on our security measures for protecting government-controlled information — that must remain in your own compliant environment.

No security measures are 100% effective. While we strive to protect your information, we cannot guarantee absolute security against all threats.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access — Request access to personal information we hold about you
  • Correction — Request correction of inaccurate or incomplete information
  • Deletion — Request deletion of your personal information
  • Portability — Request a copy of your data in a portable, machine-readable format
  • Restriction — Request restriction of processing in certain circumstances
  • Objection — Object to processing based on legitimate interests
  • Withdraw Consent — Withdraw consent where consent is the legal basis for processing

To exercise any of these rights, contact us at privacy@confidentcompliance.ai. We will respond within 30 days (or sooner if required by applicable law).

8.1 GDPR Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have additional rights under the GDPR:

Legal Basis for Processing

  • Contract performance (providing the Service you subscribed to)
  • Legitimate interests (service improvement, security, fraud prevention)
  • Consent (marketing communications, where applicable)
  • Legal obligation (compliance with laws)

Data Protection Officer — Contact our DPO at privacy@confidentcompliance.ai

Supervisory Authority — You have the right to lodge a complaint with your local data protection authority

Automated Decision-Making — We do not engage in solely automated decision-making that produces legal or similarly significant effects on you

8.2 CCPA Rights (California Users)

If you are a California resident, you have specific rights under the CCPA:

  • Right to Know — Request disclosure of personal information collected, used, or shared in the past 12 months
  • Right to Delete — Request deletion of personal information (subject to exceptions)
  • Right to Opt-Out — Opt out of the sale of personal information. We do not sell personal information.
  • Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact privacy@confidentcompliance.ai or use the privacy controls in your Account Settings.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

  • Essential Cookies — Required for basic site functionality, security, and authentication. Cannot be disabled.
  • Preference Cookies — Remember your settings, preferences, and choices. Can be disabled but may affect functionality.
  • Analytics Cookies — Help us understand how you use the Service to improve features and performance. Can be disabled.

How to Control Cookies:

  • Browser settings allow you to block or delete cookies
  • Account Settings may provide cookie preference controls
  • Disabling certain cookies may affect Service functionality

We do not use cookies for third-party advertising. We do not honor “Do Not Track” browser signals as there is no industry standard for compliance, but you may use cookie controls described above.

10. International Data Transfers

Your data is stored and processed in the United States on infrastructure located within US regions.

If you access the Service from outside the United States, your information will be transferred to and processed in the US. By using the Service, you consent to this transfer.

For EU/EEA Users:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for transferred personal data
  • You may request a copy of our SCCs by contacting privacy@confidentcompliance.ai

For Defense Contractors:

Keeping compliance data on US-based infrastructure may be preferable or required for certain contract requirements. Our infrastructure is located in the continental United States.

11. Children's Privacy

The Service is designed for business use by defense contractors and related organizations. It is not intended for individuals under 18 years of age.

We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe a minor has provided us with personal information, please contact us at privacy@confidentcompliance.ai. We will take steps to remove such information promptly.

12. Third-Party Links

The Service may contain links to third-party websites, services, or resources not operated by us. These may include:

  • Government websites (DoD, NIST, Cyber AB)
  • Compliance resource providers
  • Training and certification bodies

We are not responsible for the privacy practices of third-party sites. We encourage you to review their privacy policies before providing any personal information. Inclusion of a link does not imply endorsement.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

What Constitutes a Material Change:

A “Material Change” is any modification that significantly affects your rights or how we handle your Personal Data, including but not limited to: changes in the categories of Personal Data collected, new purposes for data processing, alterations to data sharing practices with third parties, changes to your data subject rights, or modifications to our security practices that could impact data protection.

How We Notify You:

  • Posting the updated policy on our website with a new “Last Updated” date
  • Email notification to your registered email address for Material Changes
  • Prominent notice within the Service for significant updates

Your Continued Use:

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with changes, you should discontinue use and may request account deletion.

We encourage you to review this Privacy Policy periodically.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

Privacy and Data Protection
privacy@confidentcompliance.ai

General Support
support@confidentcompliance.ai

Security Issues and Spillage Reports
security@confidentcompliance.ai

Legal Inquiries
legal@confidentcompliance.ai

We will respond to privacy requests within 30 days, or sooner if required by applicable law. Complex requests may require additional time, in which case we will notify you of the expected timeline.

15. Additional Disclosures

15.1 California “Shine the Light” Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

15.2 Nevada Privacy Rights

Nevada residents may submit requests to opt out of the sale of personal information. We do not sell personal information. To submit a request, contact privacy@confidentcompliance.ai.

15.3 Virginia, Colorado, Connecticut, and Other State Privacy Laws

Residents of states with comprehensive privacy laws have rights similar to those described in Section 8. Contact privacy@confidentcompliance.ai to exercise your rights.

Last Updated: December 26, 2025

© 2025 DIT4E, LLC. All rights reserved.

If you have any questions about this document, please contact us at legal@confidentcompliance.ai