Master Privacy Policy

Effective Date: October 31, 2025

Last Updated: October 31, 2025

ERMITS LLC (“ERMITS,” “we,” “our,” or “us”) is committed to protecting your privacy through a Privacy-First Architecture that ensures you maintain control over your data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Services.

By using our Services, you consent to the data practices described in this policy. If you do not agree with this Privacy Policy, please do not use our Services.

1 Privacy-First Architecture Overview

1.1 Core Principles

ERMITS implements Privacy-First Architecture built on five fundamental principles:

1. Client-Side Processing

All core computational functions (security assessments, SBOM analysis, risk scoring, compliance evaluations) are performed locally within your browser or self-managed environment whenever technically feasible. Your data remains under your control throughout the analysis process.

2. Data Sovereignty Options

You choose where your data resides:
  • Local-Only Mode: All data stored exclusively in your browser or desktop application
  • Self-Managed Cloud: Deploy to your own cloud infrastructure with full control
  • ERMITS-Managed Cloud: Optional encrypted cloud synchronization with zero-knowledge architecture
  • Hybrid Deployment: Local processing with selective encrypted cloud backup

3. Zero-Knowledge Encryption

When using ERMITS-managed cloud features with encryption enabled:
  • Data is encrypted client-side using AES-256-GCM before transmission
  • Encryption keys are derived from your credentials and never transmitted to ERMITS
  • ERMITS cannot decrypt, access, or view your encrypted data
  • You are solely responsible for maintaining access to encryption keys

4. Data Minimization

We collect only the minimum data necessary for service functionality:
  • Never Collected: Raw SBOM files, assessment content, CUI, FCI, vulnerability findings, compliance data, or proprietary business information
  • Pseudonymized Telemetry: Optional, anonymous performance metrics using irreversible cryptographic hashing
  • Account Data: Only when you create an account (name, email, company for authentication and billing)

5. Transparency and Control

You have complete control over your data:
  • Export all data at any time in standard formats (JSON, CSV, PDF)
  • Delete all data permanently with one click
  • Opt in or opt out of telemetry collection
  • Choose your deployment and storage model
  • Review detailed data flow documentation

1.2 Privacy-First Implementation by Product

Each ERMITS product implements Privacy-First Architecture as follows:

Product                      | Processing Model               | Data Storage Options                 | Encryption
TechnoSoluce SBOM Analyzer   | 100% client-side               | Local browser storage only           | Optional local encryption
CyberCertitude Level 1 & 2   | Client-side with optional sync | Local, self-managed, or ERMITS cloud | AES-256-GCM E2EE
VendorSoluce                 | Client-side with optional sync | Local, self-managed, or ERMITS cloud | AES-256-GCM E2EE
CyberCorrect Portal/Platform | Client-side with optional sync | Local, self-managed, or ERMITS cloud | AES-256-GCM E2EE
CyberCaution Products        | Client-side with optional sync | Local, self-managed, or ERMITS cloud | AES-256-GCM E2EE

2 Information We Collect

2.1 Information You Provide Directly

Account Information (Optional):

When you create an account or subscribe to paid features, we collect:
  • Name
  • Email address
  • Company name and job title (optional)
  • Billing information (processed by Stripe, not stored by ERMITS)
  • Password (cryptographically hashed, never stored in plaintext)

User-Generated Content:

  • Support requests and communications
  • Feedback and survey responses
  • Customization preferences and settings

2.2 Information We Do NOT Collect

ERMITS explicitly does NOT collect, access, store, or transmit:

  • SBOM Data: Software bill of materials files, component lists, dependency graphs, or package metadata
  • Assessment Content: Security assessments, compliance evaluations, risk analyses, or audit findings
  • Vulnerability Data: Vulnerability scan results, CVE findings, or remediation plans
  • Compliance Data: CMMC documentation, POAMs, SSPs, evidence portfolios, or certification materials
  • Proprietary Business Data: Trade secrets, confidential information, or business-sensitive data
  • CUI/FCI: Controlled Unclassified Information or Federal Contract Information
  • Personal Health Information (PHI): Protected health information under HIPAA
  • Financial Records: Detailed financial data or payment card information (except via Stripe)

2.3 Automatically Collected Information

Pseudonymized Telemetry (Optional):

With your consent, we collect anonymous, aggregated performance data:
  • Feature usage statistics (which tools are used, how often)
  • Performance metrics (page load times, API response times)
  • Error reports (crash logs, exceptions) with PII automatically scrubbed by Sentry
  • Browser and device information (browser type, OS version, screen resolution)
  • Session metadata (session duration, navigation paths)

Telemetry Characteristics:

  • Irreversible Pseudonymization: User identifiers are cryptographically hashed and cannot be reverse-engineered
  • No Content Data: Telemetry never includes file contents, assessment results, or user inputs
  • Opt-Out Available: You can disable telemetry at any time in account settings
  • Differential Privacy: PostHog analytics use differential privacy techniques to prevent individual identification

Technical Data:

  • IP address (used for security, rate limiting, and geolocation for service delivery; not linked to user accounts)
  • Log data (server logs for security monitoring and debugging; retained for 90 days)
  • Cookies and similar technologies (see Cookie Policy)

2.4 Information from Third Parties

Authentication Providers:

If you use OAuth (Google, Microsoft, GitHub) for authentication, we receive:
  • Name and email address from the provider
  • Profile information you choose to share
  • Provider’s unique identifier for your account

Payment Processor:

Stripe provides us with:
  • Payment success/failure status
  • Subscription status and billing cycle
  • Last 4 digits of payment method (for your reference)
  • Billing address (for tax compliance)

Vulnerability Databases:

When you use SBOM analysis or security assessment tools, your browser makes anonymous, client-side queries to:
  • OSV.dev (Google Open Source Vulnerabilities)
  • NIST National Vulnerability Database
  • CISA Known Exploited Vulnerabilities catalog

These queries are performed client-side and do not transit ERMITS servers. We do not track or log your queries to these services.

3 How We Use Information

3.1 Service Delivery and Operation

  • Provide, maintain, and improve the Services
  • Process transactions and send transaction confirmations
  • Authenticate users and maintain account security
  • Enable features like cloud synchronization and multi-device access
  • Provide customer support and respond to inquiries

3.2 Service Improvement and Analytics

  • Analyze pseudonymized usage patterns to improve features
  • Identify and fix bugs, errors, and performance issues
  • Develop new features and services
  • Conduct research and analysis (using only aggregated, anonymous data)

3.3 Communication

  • Send service-related announcements and updates
  • Respond to support requests and feedback
  • Send security alerts and critical notifications
  • Deliver marketing communications (with your consent; opt-out available)
  • Conduct user surveys and request feedback

3.4 Security and Fraud Prevention

  • Detect and prevent security threats and abuse
  • Monitor for unauthorized access or account compromise
  • Enforce Terms of Service and Acceptable Use Policy
  • Protect ERMITS, users, and third parties from harm

3.5 Legal and Compliance

  • Comply with legal obligations and respond to lawful requests
  • Enforce our legal rights and agreements
  • Protect against legal liability
  • Conduct audits and maintain business records

3.6 What We Do NOT Do

ERMITS does NOT:
  • Sell or rent your personal information to third parties
  • Use your data for advertising or marketing to others
  • Share your User Data with third parties (except as disclosed in Section 2.4)
  • Train AI models on your User Data
  • Analyze your assessment results or SBOM data for any purpose
  • Profile users for behavioral targeting

4 Information Sharing and Disclosure

4.1 Service Providers (Sub-Processors)

We share limited data with trusted third-party service providers who assist in delivering the Services:

Service Provider | Purpose                     | Data Shared                                           | Location
Supabase         | Database and authentication | Email, encrypted user data (if cloud sync enabled)    | United States
Stripe           | Payment processing          | Email, billing information                            | United States
Sentry           | Error monitoring            | Error logs with PII automatically scrubbed            | United States
PostHog          | Analytics                   | Pseudonymized usage metrics with differential privacy | United States / EU
Vercel           | Hosting and CDN             | IP address, HTTP headers (standard web traffic)       | Global CDN

Sub-Processor Requirements:

All sub-processors are contractually required to:
  • Use data only for specified purposes
  • Implement appropriate security measures
  • Comply with applicable privacy laws
  • Not use data for their own purposes
  • Delete data when no longer needed

4.2 Legal Requirements

We may disclose information if required by law or in response to:

  • Court orders, subpoenas, or legal process
  • Government or regulatory investigations
  • Law enforcement requests (where legally required)
  • National security or public safety threats

When legally permitted, we will:

  • Notify affected users of legal requests
  • Challenge overly broad or improper requests
  • Provide only the minimum information required

4.3 Business Transfers

If ERMITS is involved in a merger, acquisition, asset sale, or bankruptcy:

  • User information may be transferred as part of the business assets
  • We will provide notice before information is transferred
  • The successor entity will be bound by this Privacy Policy
  • You will have the option to delete your data before transfer

4.4 Consent-Based Sharing

We may share information with your explicit consent for purposes such as:

  • Integration with third-party tools you authorize
  • Sharing data with your organization’s administrators
  • Public testimonials or case studies (with identifying information only if you approve)

4.5 Aggregated and Anonymous Data

We may share aggregated, anonymous data that cannot identify you:

  • Industry benchmarks and statistics
  • Research publications and presentations
  • Public reports on security trends
  • Product improvement insights

This data is derived from pseudonymized telemetry and cannot be reverse-engineered to identify users or organizations.

5 Data Security Measures

5.1 Encryption

Data in Transit:

  • TLS 1.3 encryption for all data transmission
  • HTTPS required for all web traffic
  • Certificate pinning for critical connections
  • Perfect Forward Secrecy (PFS) enabled

Data at Rest:

  • AES-256-GCM encryption for cloud-stored data
  • Client-side encryption with user-controlled keys (zero-knowledge architecture)
  • Encrypted database backups
  • Secure key management practices

Data in Use:

  • Local processing minimizes data exposure
  • Memory encryption where supported by browser
  • Secure coding practices to prevent data leakage

5.2 Access Controls

  • Multi-Factor Authentication (MFA): Available for all accounts, required for administrators
  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • Row-Level Security (RLS): Database-level isolation ensuring users can only access their own data
  • Principle of Least Privilege: Internal access limited to minimum necessary
  • Access Logging: All data access logged for audit and security monitoring

5.3 Infrastructure Security

  • Secure Cloud Hosting: Enterprise-grade infrastructure (Supabase, Vercel)
  • Network Segmentation: Isolated production, staging, and development environments
  • DDoS Protection: Distributed denial-of-service attack mitigation
  • Intrusion Detection: 24/7 monitoring for suspicious activity
  • Regular Security Audits: Penetration testing and vulnerability assessments
  • Incident Response Plan: Documented procedures for security incidents

5.4 Application Security

  • Secure Coding Practices: Following OWASP Top 10 guidelines
  • Input Validation: Comprehensive sanitization of all user inputs
  • SQL Injection Prevention: Parameterized queries and prepared statements
  • XSS Protection: Content Security Policy (CSP) and output encoding
  • CSRF Protection: Anti-CSRF tokens for state-changing operations
  • Dependency Management: Regular updates and vulnerability scanning

5.5 Employee and Contractor Access

  • Background checks for employees with data access
  • Confidentiality agreements and security training
  • Access granted only on need-to-know basis
  • Regular access reviews and revocations
  • Monitoring and logging of all employee data access

5.6 Security Incident Response

In the event of a data breach or security incident:

  • Detection: 24/7 monitoring and alerting systems
  • Containment: Immediate action to isolate affected systems
  • Investigation: Forensic analysis to determine scope and impact
  • Notification: Timely notification to affected users and regulators as required by law
  • Remediation: Fixes to prevent recurrence
  • Documentation: Comprehensive incident reporting and lessons learned

6 Data Retention

6.1 Active Accounts

We retain your data for as long as your account is active or as needed to provide Services:

Data Type               | Retention Period                          | Purpose
Account Information     | Duration of account + 30 days             | Service delivery, support
User-Generated Content  | User-controlled (can delete anytime)      | Service functionality
Encrypted Cloud Data    | User-controlled (can delete anytime)      | Cloud synchronization
Support Communications  | 3 years                                   | Customer support, quality improvement
Pseudonymized Telemetry | Indefinite (anonymous, cannot be deleted) | Service improvement, analytics

6.2 Deleted Accounts

When you delete your account or request data deletion:

  • Immediate: Account access disabled, data marked for deletion
  • Within 30 days: User Data permanently deleted from production systems
  • Within 90 days: Backup copies permanently deleted
  • Exceptions: Data retained longer only where legally required

6.3 Legal and Regulatory Retention

Certain data must be retained for legal, regulatory, or tax purposes:

  • Financial Records: 7 years (IRS requirements)
  • Audit Logs: 3 years (security and compliance)
  • Legal Hold Data: Retained as required by litigation or investigation
  • Pseudonymized Analytics: Indefinite (anonymous, cannot be reverse-engineered)

6.4 Inactive Accounts

  • Free Accounts: May be deleted after 12 months of inactivity (with 30 days’ notice)
  • Paid Accounts: Retained for duration of subscription plus 30 days
  • Data Export: Users notified before deletion and given opportunity to export data

7 Your Privacy Rights

7.1 Universal Rights

All users have the following rights regardless of location:

Right to Access:

  • Request a copy of all personal data we hold about you
  • Receive information about how your data is processed
  • Request access within the Services (Account Settings → Export Data)

Right to Rectification:

  • Correct inaccurate or incomplete personal data
  • Update information directly in Account Settings
  • Contact support for assistance: contact@ermits.com

Right to Deletion (Right to be Forgotten):

  • Request deletion of your personal data
  • Delete account and all data via Account Settings → Delete Account
  • Data deleted within 30 days (90 days for backups)

Right to Data Portability:

  • Export your data in machine-readable formats (JSON, CSV)
  • Transfer data to another service provider
  • Export available anytime via Account Settings → Export Data

Right to Restriction of Processing:

  • Request limitation of processing in certain circumstances
  • Temporarily suspend processing while disputes are resolved

Right to Object:

  • Object to processing based on legitimate interests
  • Opt out of marketing communications
  • Disable telemetry collection

7.2 Additional Rights for EU/UK/Swiss Users (GDPR/UK GDPR/Swiss DPA)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights:

Legal Basis for Processing:

We process your data based on:
  • Consent: When you provide explicit consent (e.g., marketing communications, telemetry)
  • Contract: To perform our contract with you (provide Services)
  • Legitimate Interests: For service improvement, security, and fraud prevention (balanced against your rights)
  • Legal Obligation: To comply with applicable laws

Right to Withdraw Consent:

  • Withdraw consent at any time (does not affect prior processing)
  • Disable telemetry in Account Settings
  • Unsubscribe from marketing emails via opt-out link

Right to Lodge a Complaint:

Right to Automated Decision-Making:

  • ERMITS does not engage in automated decision-making with legal or significant effects
  • Risk scores and assessments are informational only and require human judgment

Data Protection Officer:

For GDPR-related inquiries, contact: contact@ermits.com (Subject: “GDPR Inquiry”)

7.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know:

  • Categories of personal information collected
  • Categories of sources of personal information
  • Business or commercial purposes for collecting or selling personal information
  • Categories of third parties with whom we share personal information
  • Specific pieces of personal information collected

Right to Delete:

  • Request deletion of personal information (subject to legal exceptions)

Right to Opt-Out of Sale:

  • ERMITS does not sell personal information and has not sold personal information in the past 12 months
  • We do not sell personal information of minors under 16

Right to Non-Discrimination:

  • Equal service and pricing regardless of privacy rights exercise
  • No denial of goods or services for exercising privacy rights

Right to Limit Use of Sensitive Personal Information:

  • ERMITS does not use or disclose sensitive personal information for purposes other than providing Services

Authorized Agent:

  • You may designate an authorized agent to make requests on your behalf
  • Authorized agent must provide written authorization and verify identity

California Consumer Privacy Request:

Submit requests via email: contact@ermits.com (Subject: “CCPA Request”)

7.4 Exercising Your Rights

How to Submit Requests:

  • Email: contact@ermits.com (Subject: “Privacy Rights Request”)
  • In-App: Account Settings → Privacy Rights
  • Mail: ERMITS LLC, [Physical Address], Attn: Privacy Rights

Verification Process:

To protect your privacy, we must verify your identity before fulfilling requests:
  • Account-based verification (log in to verify identity)
  • Email verification (confirmation link sent to registered email)
  • Additional verification for sensitive requests (government-issued ID may be required)

Response Timeline:

  • Initial Response: Within 10 business days acknowledging receipt
  • Complete Response: Within 45 days (may extend 45 days with notice for complex requests)
  • Free of Charge: First two requests per year are free; reasonable fee may apply for excessive requests

Authorized Agent Requests:

If submitting through an authorized agent:
  • Provide written authorization signed by you
  • Verify your identity and the agent’s authority
  • California residents: Agent must be registered with California Secretary of State

8 International Data Transfers

8.1 Data Processing Locations

ERMITS is based in the United States. If you access Services from outside the U.S., your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

Primary Data Locations:

  • United States: Primary data processing and storage (Supabase, Vercel, Stripe)
  • European Union: Optional data residency for EU customers (Supabase EU region)
  • Global CDN: Content delivery network nodes worldwide (Vercel)

8.2 Safeguards for International Transfers

For data transfers from the EEA, UK, or Switzerland to the United States:

Standard Contractual Clauses (SCCs):

  • ERMITS uses European Commission-approved Standard Contractual Clauses
  • SCCs incorporated into agreements with sub-processors
  • Full text available in Standard Contractual Clauses addendum (Enterprise Policies)

Additional Safeguards:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures
  • Transparency about government access requests

Data Residency Options:

Enterprise customers can request:
  • EU-only data storage (Supabase EU region)
  • Self-managed infrastructure in preferred jurisdiction
  • On-premises deployment for complete data control

8.3 UK and Swiss Transfers

UK Transfers:

  • UK Addendum to Standard Contractual Clauses applied
  • Compliance with UK GDPR requirements
  • UK International Data Transfer Agreement (IDTA) available upon request

Swiss Transfers:

  • Swiss-EU data transfer mechanisms applied
  • Compliance with Swiss Federal Data Protection Act (FADP)
  • Swiss data protection requirements met

9 Children’s Privacy

9.1 Age Restrictions

The Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

If You Are Under 18:

  • Do not use the Services
  • Do not provide any information to ERMITS
  • Have a parent or guardian contact us if you have provided information

9.2 Parental Rights

If we learn that we have collected personal information from a child under 18:

  • We will delete the information as quickly as possible
  • Parents may contact us to request deletion: contact@ermits.com
  • Parents have the right to review, delete, and refuse further collection of their child’s information

9.3 Educational Use

For educational institutions using Services for students:

  • Institution must obtain appropriate parental consent
  • Institution acts as agent for parents
  • FERPA and COPPA compliance is institution’s responsibility
  • Student data is processed under institution’s direction

10 Federal Contractor Privacy Considerations

10.1 CUI and FCI Handling

For users handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI):

Privacy-First Architecture Benefits:

  • CUI/FCI is processed client-side and never transmitted to ERMITS
  • Zero-knowledge encryption ensures ERMITS cannot access CUI/FCI
  • Local storage options eliminate cloud transmission of sensitive data
  • Users maintain complete control over CUI/FCI data

User Responsibilities:

  • Properly mark and handle CUI/FCI according to NIST SP 800-171
  • Use encryption features and self-managed deployment options
  • Implement appropriate access controls
  • Maintain audit logs for CUI/FCI access

10.2 NIST SP 800-171 Privacy Controls

ERMITS Services support implementation of NIST SP 800-171 privacy controls:

  • 3.13.1: Monitor, control, and protect organizational communications
  • 3.13.2: Employ architectural designs, software development techniques, and systems engineering principles
  • 3.13.3: Separate user functionality from information system management functionality
  • 3.13.5: Implement subnetworks for publicly accessible system components

User Implementation:

  • Services provide tools and templates for privacy control implementation
  • Users must configure and implement controls according to their requirements
  • ERMITS does not implement controls on behalf of users

10.3 Incident Reporting

Federal contractors must report cyber incidents involving CUI to DoD within 72 hours (DFARS 252.204-7012). Because ERMITS does not access CUI due to Privacy-First Architecture:

  • Users are solely responsible for incident detection and reporting
  • ERMITS will cooperate with authorized incident investigations
  • ERMITS maintains audit logs that may assist incident investigations

11 Updates to This Privacy Policy

11.1 Policy Updates

We may update this Privacy Policy periodically to reflect:

  • Changes in data practices or Services
  • Legal or regulatory developments
  • Technological improvements
  • User feedback and industry best practices

11.2 Notification of Changes

Material Changes:

For significant changes affecting your rights:
  • 30 Days’ Notice: Advance notice via email and in-app notification
  • Prominent Display: Notice displayed on website and in Services
  • Opt-Out Option: Option to export data and close account before changes take effect
  • Continued Use: Continued use after effective date constitutes acceptance

Non-Material Changes:

For clarifications, formatting, or minor updates:
  • Update “Last Updated” date at top of policy
  • Changes effective immediately upon posting
  • No advance notice required

11.3 Version History

Previous versions of this Privacy Policy are available upon request: contact@ermits.com

12 Contact Information

Privacy Inquiries:

  • Email: contact@ermits.com
  • Subject: “Privacy Inquiry”

Data Rights Requests:

  • Email: contact@ermits.com
  • Subject: “Privacy Rights Request”

Data Protection Officer (EU/UK/Swiss):

  • Email: contact@ermits.com
  • Subject: “GDPR Inquiry”

California Privacy Requests:

  • Email: contact@ermits.com
  • Subject: “CCPA Request”

Security Concerns:

  • Email: contact@ermits.com
  • Subject: “Security Issue”

General Inquiries:

  • Email: contact@ermits.com
  • Website: www.ermits.com