Bonterms-derivative. This Privacy Notice substantially follows the Bonterms Privacy Notice framework with adaptations for ElasticD3M, LLC's services, U.S. operations, GDPR for EU/UK/Swiss data subjects, CCPA/CPRA and other comprehensive U.S. state privacy laws, and the technical scope of the Aegis AI™ platform (configuration metadata, not regulated payloads).
1. Scope
This Privacy Notice describes how ElasticD3M, LLC ("we", "us") collects, uses, and discloses Personal Information when you visit ai4ciso.ai, purchase a Multi-Framework Readiness Snapshot, subscribe to an Aegis AI™ tier, or otherwise interact with our Services. For data we process on Customer's behalf as a Processor under enterprise agreements, the Data Processing Addendum governs.
This Notice applies to all visitors and customers. EU, UK, and Swiss data subjects have additional rights under GDPR / UK GDPR / Swiss FADP described in Section 5. California and other U.S. state residents have additional rights under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and analogous comprehensive privacy laws described in Section 6.
2. Controller and Processor Roles
For Personal Information processed when you interact with our marketing site, purchase a subscription, or correspond with us, ElasticD3M, LLC is the Controller (or "Business" under CCPA/CPRA).
For Personal Data processed on Customer's behalf when the Aegis AI™ Services ingest configuration metadata from Customer's connected clouds and generate compliance deliverables, ElasticD3M, LLC is the Processor (or "Service Provider"). Customer is the Controller. The DPA governs those processing activities.
3. Information We Collect
We collect the following categories of Personal Information:
- Identity and contact information: name, business email address, phone number, company name, business address, job title — provided at intake, checkout, or via direct correspondence.
- Account information: organization details, framework scope (which of SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF, GDPR apply), audit calendar, contractual posture — provided at intake.
- Configuration metadata from connected cloud services (AWS, Azure, Microsoft 365, Okta, CrowdStrike) — read via Customer-authorized read-only connectors and used to generate compliance deliverables. We do not read, store, or transmit regulated payload contents (PHI, cardholder data, GDPR Article 9 special categories) — only configuration metadata.
- Billing information: limited payment metadata (last 4 of card, billing zip, expiration) provided to us by Stripe. We do not store full payment card numbers; Stripe is our payment processor and is PCI-DSS Level 1 compliant.
- Technical information: IP address, browser type, device type, referrer, pages visited, timestamps — collected automatically via server logs and Cloudflare Web Analytics. Cloudflare Web Analytics does not use cookies and does not track users across sites.
- Communications: emails you send to [email protected] or other ai4ciso.ai addresses, including the content and attachments.
We do not use behavioral tracking pixels in outbound emails, cross-site advertising cookies, or session-replay tools. We do not sell Personal Information.
4. How We Use Information
We use Personal Information to:
- Provide, maintain, and improve the Services, including generating Multi-Framework Readiness Snapshot reports and ongoing subscription deliverables.
- Process payments, manage subscriptions, and send transactional emails (welcome emails, deliverable notifications, billing receipts).
- Respond to support requests and other communications.
- Comply with legal obligations, enforce our Terms of Service, and protect against fraud or misuse.
- Send service updates and infrequent product communications. You may opt out of non-essential communications at any time by clicking the unsubscribe link in any such message or emailing [email protected].
5. GDPR Rights (EU, UK, Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your Personal Data:
- Access — you may request a copy of the Personal Data we hold about you.
- Rectification — you may request correction of inaccurate or incomplete Personal Data.
- Erasure ("right to be forgotten") — you may request deletion subject to legal-retention obligations.
- Restriction — you may request that we limit Processing in specified circumstances.
- Portability — you may request export of your Personal Data in a structured, commonly used, machine-readable format.
- Objection — you may object to Processing based on legitimate interests, including direct marketing.
- Withdrawal of consent — where Processing is based on consent, you may withdraw consent at any time without affecting prior lawful Processing.
- Right to lodge a complaint — with your local Supervisory Authority.
Our lawful bases for Processing include: (i) performance of a contract; (ii) compliance with legal obligations; (iii) legitimate interests in operating, securing, and improving our Services; and (iv) consent where required. For international transfers, see Section 9. To exercise any GDPR right, email [email protected]; we respond within thirty (30) days.
6. CCPA/CPRA Rights (California) and Other U.S. State Rights
California residents have the right to: (i) know what Personal Information we collect, (ii) request deletion of Personal Information, (iii) request correction of inaccurate information, (iv) opt out of sale or sharing of Personal Information (we do not sell or share), and (v) limit use of "sensitive Personal Information" (we do not knowingly process sensitive PI as defined under CPRA). To exercise any right, email [email protected]. We respond within forty-five (45) days. We will not retaliate against you for exercising these rights.
If you are a resident of another U.S. state with comprehensive privacy law (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted), you have substantially similar rights and may submit a request through the same channel.
7. Disclosure to Third Parties
We disclose Personal Information to:
- Subprocessors — third-party service providers acting on our instructions. The full list with each provider's purpose, data scope, and location is published at /subprocessors and updated at least quarterly.
- Legal authorities when required by valid subpoena, court order, or other legal process. We notify Customer of the request unless legally prohibited.
- Successors in connection with a merger, acquisition, or sale of substantially all assets, subject to confidentiality protections consistent with this Notice.
We do not disclose Personal Information to advertising networks, data brokers, or other parties for marketing purposes. We do not engage in "cross-context behavioral advertising" as defined by CCPA/CPRA.
8. Data Retention
Active account data is retained for the duration of the customer relationship. Following termination, we retain account data for ninety (90) days to allow Customer to retrieve deliverables and configuration, then delete or anonymize unless: (a) retention is required by law (tax records: seven years; communication archives for compliance: as required); or (b) data is part of routine database backups that are overwritten on a documented rotation (typically within 180 days). Configuration metadata read from connected clouds is retained only as long as needed to generate the deliverable; it is not used for any other purpose.
| Category | Retention period |
|---|---|
| Active-account identity and contact | Duration of relationship |
| Configuration metadata (from connected clouds) | Cycle duration + 30 days |
| Deliverables (control matrix, evidence binder, etc.) | 13 months rolling (longer on Fortress/Sovereign per tier terms) |
| Billing and tax records | 7 years (legal obligation) |
| Email correspondence | 3 years |
| Server logs and analytics | 13 months |
| Backups | Up to 180 days, overwritten on rotation |
9. International Data Transfers
Our Services are operated from the United States. Subprocessors are predominantly located in the United States with some in the European Union; the Subprocessors List identifies each provider's primary location. For EU/UK/Swiss data subjects, transfers to the United States are made pursuant to Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, available on request to [email protected]. Where applicable, we conduct transfer-impact assessments consistent with EDPB guidance.
10. Security
We maintain industry-standard administrative, physical, and technical safeguards to protect Personal Information. Specifics include: AES-GCM encryption at rest for sensitive data, TLS 1.2+ in transit, role-based access control with least-privilege defaults, isolated production credentials encrypted with a dedicated key management service, signed audit logs for material database actions, and a documented incident-response plan. We notify Customer of any confirmed Personal Data Breach within seventy-two (72) hours.
11. Children's Data
The Services are intended for business use by adults representing organizations. We do not knowingly collect Personal Information from anyone under the age of eighteen (18). If we discover we have collected such information, we will delete it promptly.
12. Changes to This Notice
We may update this Privacy Notice from time to time. For material changes, we will give at least thirty (30) days' advance notice via email or platform notice before the change becomes effective. The "Effective Date" at the bottom of this page indicates when the most recent version took effect.
13. Contact
Privacy questions, data subject requests, or general inquiries: [email protected]
Postal address:
ElasticD3M, LLC
Attn: Privacy
7700 Broadway St, Ste 104 PMB1083
San Antonio, TX 78209, United States
Effective Date: May 12, 2026 · Version: 2.0 (Bonterms-derivative)
Replaces all prior versions of the Privacy Policy published at ai4ciso.ai before this date.