Privacy Policy

Last updated: June 1, 2026

1. Who we are

CisoDeck (“we”, “us”, “our”) provides a virtual CISO (vCISO) delivery platform that helps independent cybersecurity consultants assess, track, and report on their clients’ security posture. This policy explains how we collect, use, and protect personal data when you use the CisoDeck service (“the Service”).

2. Data we collect

2.1 Account data

When you create an account we collect:

  • Email address
  • Full name
  • Practice / firm name
  • Password (hashed, never stored in plaintext)

2.2 Service data

When you use the Service we store:

  • Client organization details you enter (name, industry, contact information)
  • Assessment answers and scores
  • Risk register entries
  • Remediation action items
  • Generated reports and PDF files
  • Branding settings (logo, colors, footer text)
  • Audit logs (actions performed, timestamps)

2.3 Technical data

We automatically collect:

  • IP address (for security and abuse prevention)
  • Browser type and version
  • Authentication session tokens (cookies)

3. How we use your data

  • To provide and improve the Service
  • To authenticate you and protect your account
  • To generate reports you request
  • To maintain audit logs for accountability
  • To communicate with you about the Service (e.g. security notices)

4. Legal basis for processing (GDPR)

  • Contract performance: Processing your data is necessary to provide the Service you signed up for.
  • Legitimate interest: Security logging, abuse prevention, and service improvement.
  • Consent: Where required, e.g. optional marketing communications (not currently sent).

5. Data sharing

We do not sell your data. We share data only with:

  • Supabase (infrastructure provider): Hosts our database and authentication. Data is stored in their EU data centers.
  • Vercel (hosting provider): Hosts the application.
  • Stripe (payment processor): Processes consultant subscription payments. No client data is shared with Stripe.
  • Law enforcement: Only when legally required.

6. Data retention

  • Account data is retained while your account is active.
  • When you delete your account, all associated data (clients, assessments, risks, actions, reports, branding, audit logs) is deleted within 30 days.
  • Backups may retain data for up to 30 additional days before being purged, so all copies are gone no later than 60 days after deletion.

7. Your rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access your data
  • Rectify inaccurate data
  • Delete your data (right to be forgotten)
  • Export your data in a portable format
  • Object to processing based on legitimate interest
  • Restrict processing in certain circumstances

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Data security

We protect your data using industry-standard measures including encryption in transit (TLS), encryption at rest, row-level security (RLS) for tenant isolation, and strict access controls. See our Security Overview for details.

9. Cookies

We use essential cookies only, required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Children

The Service is designed for professional use by cybersecurity consultants. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us immediately.

11. Data Processing Agreement (DPA)

When you use CisoDeck to manage your clients’ security data, you act as the data controller and CisoDeck acts as the data processor under GDPR Article 28.

  • We process client data only on your documented instructions (i.e. your use of the platform)
  • We do not use your client data for any purpose other than providing the Service, and we do not sell or share it with third parties other than our sub-processors (Supabase, Vercel); Stripe receives no client data
  • Our team members who may access infrastructure are bound by confidentiality obligations
  • We implement appropriate technical and organizational security measures (see our Security Overview)
  • We will assist you in responding to data subject access requests upon reasonable notice
  • Upon account deletion, all client data is deleted within 30 days (backups within 60 days)
  • We will notify you without undue delay of any personal data breach affecting your client data

If you require a signed DPA for your records, contact [email protected] and we will provide one.

12. Sub-processors

We use the following sub-processors to deliver the Service:

  • Supabase: Database, authentication, and file storage (EU region)
  • Vercel: Application hosting and edge delivery
  • Stripe: Payment processing for consultant subscriptions (no client data shared)

We will notify users before adding new sub-processors. See our Security Overview for details.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The “last updated” date at the top of this page indicates when the policy was last revised.

14. Contact

For privacy-related questions or data requests:
Email: [email protected]