Secure.com (the "Company", "we", "us", or "our") is an online cybersecurity platform operated by GZ Systems Ltd. This Privacy Policy explains how we collect, use, protect, and share your personal information when you use our website and services. It also describes the rights you have under applicable privacy laws (such as the GDPR and CPRA) and how to exercise them.
This Privacy Policy explains how we collect, use, and protect your personal data when you (a) visit our website, (b) use our platform and related services, and/or (c) submit information to us (including via lead-capture forms, support channels, or in-product interfaces).
We ingest data from the third-party systems you choose to connect to the platform. This includes Cloud Providers (AWS, Azure, GCP), Identity Providers (Okta, Entra ID, Google Workspace), HRMS (Workday, BambooHR), Ticketing Systems (Jira, ServiceNow), and various security tools (EDR, SIEM, and Vulnerability Scanners).
From Third-Party Data Providers: We utilize external threat intelligence feeds (e.g., VirusTotal, CISA KEV) and potential dark web feeds to enrich security alerts and vulnerability data.
From Public Sources: We may access public organizational data (e.g., corporate filings, websites) to determine sector-specific compliance frameworks and context.
Categories include:
Information collected from users of the Secure.com platform, including name, work email, organization/company, role or job function (e.g., CISO, SOC Analyst), team/department, timezone preferences, and profile images/avatars.
Data ingested via integrations with HR Management Systems (HRMS) or Identity Providers (IdP), such as employee names, work emails, Employee IDs/HRMS IDs, reporting lines (manager), department, and employment status (active/terminated/contractor).
Information required to integrate with collaboration tools, including Slack or Microsoft Teams user IDs, display names, and specific channels configured for alerts (e.g., #soc-alerts).
Data required for access control, including email/usernames, hashed passwords (where local login is used), session tokens, and Single Sign-On (SSO) or IdP-related data (such as subject IDs, group memberships, and MFA status) derived from integrations with providers like Okta, Azure AD, or Google Workspace.
Information provided during support interactions, including messages sent via in-product chat, feedback on AI actions (e.g., thumbs up/down), and phone numbers collected for billing or support purposes.
Technical log data collected when you interact with the Secure.com application, such as your IP address, browser type, device information, page views, and timestamps.
To provide our security services, we ingest a broad set of security and operations data from your integrated systems:
If you interact with any AI-powered features (e.g. security chatbots, threat analysis tools), we may collect related inputs, outputs, approval events and human-review annotations. Any AI processing is done with human oversight (see Automated Processing and AI below).
Any personal information you provide in communications with us (such as email or support tickets).
We use cookies and similar tracking technologies (session cookies, persistent cookies, beacons, tags) to remember your preferences, enable core functionality, and analyze site usage. You can disable cookies via your browser settings, but some features may then be unavailable.
We collect and process Personal Data only to the extent reasonably necessary to (i) deliver and secure the Services, (ii) provide customer support, (iii) administer accounts and billing, (iv) operate compliance and audit features, and (v) meet Applicable Law requirements. We do not collect or retain Personal Data for unrelated purposes.
We do not intentionally request or require Special Category Data (as defined under GDPR) or other sensitive personal information for our own purposes. Customers and users should avoid uploading or inputting such data into the Services unless strictly necessary. To the extent Customer telemetry or logs incidentally contain such data, Secure.com processes it only to provide the Services, does not use it to intentionally profile individuals, and applies appropriate technical and organizational safeguards.
Secure.com is not designed to collect consumer behavioral data for targeted advertising. We do not sell personal information or "share" it for cross-context behavioral advertising (as described further in "Sharing Your Information").
Secure.com is a B2B enterprise platform designed for organizations, not consumers or children. We do not knowingly collect personal data directly from minors for our own purposes (e.g., as account holders).
However, customer telemetry (e.g., logs, user IDs) ingested into our platform may incidentally include data regarding your end users, which could include minors depending on your industry (e.g., education or gaming). In such instances, Secure.com acts solely as a data processor. Customers are responsible for ensuring they have a lawful basis to collect and ingest this data.
We use your personal information to operate and improve our services, communicate with you, and comply with legal requirements. Common uses include:
To send you service-related communications (e.g. account updates, security alerts) and, with your consent, promotional messages or newsletters. If you opt in, we may email you about new features or offers; you can opt out of marketing at any time.
To operate the Digital Security Teammate, execute security workflows (detection, triage, correlation), model attack paths, and automate risk management and vulnerability remediation processes.
To generate compliance reports (e.g., ISO 27001, SOC 2, PCI DSS), collect evidence of control execution, and maintain audit trails for your audit readiness.
To administer subscriptions, invoicing, and manage account entitlements (e.g., workflow run limits, data retention tiers).
To measure feature adoption and efficiency metrics (such as improvements in Mean Time to Detect/Respond) and to refine our algorithms and user experience.
To respond to your support tickets, troubleshoot technical issues, and investigate unexpected behavior or bugs in your specific deployment.
To protect our services and users. We may analyze logs and security data (such as IP addresses and activity patterns) to detect abuse or cyber threats, enforce our terms, and enhance system security.
To comply with laws and contractual duties. For example, we use your data to fulfill contractual obligations (such as delivering a paid service), to respond to lawful requests (e.g. court orders), and to comply with regulatory requirements.
We will only use your Personal Data for the purposes disclosed in this section or communicated at the time of collection; if we intend to use it for any new, incompatible purpose, we will provide appropriate notice and, where required by law, obtain your consent.
If you are in the European Economic Area, United Kingdom, or other region with similar laws, we will identify a lawful basis for each processing activity in accordance with GDPR Article 6. These bases may include:
Processing that is necessary to perform or manage our contract with you (e.g. account creation, service delivery).
Processing based on your explicit permission. For example, we rely on consent for marketing emails or optional features you opt into. You may withdraw consent at any time.
Processing that is necessary for our legitimate interests and not outweighed by your privacy rights. Our legitimate interests include:
Processing required to comply with laws or regulations (e.g. record-keeping to satisfy legal obligations).
We identify and record a lawful basis for each processing operation in accordance with GDPR Article 6. Where we rely on legitimate interests, we carry out a documented necessity and balancing assessment and implement safeguards consistent with that assessment. When relying on consent, we obtain clear, granular, and freely given consent that can be withdrawn at any time without detriment to unrelated processing. For contractual necessity and legal obligation, we limit processing to what is strictly required.
Our infrastructure is multi-regional, with primary deployment regions in North America (US) and the Gulf Cooperation Council (GCC). For our EU and UK customers, data is primarily stored and processed within EU data centers.
To ensure resilience and provide shared AI infrastructure, data may be replicated or processed in the United States.
When personal data is transferred outside of the EEA or UK to jurisdictions not deemed "adequate" by the European Commission or UK Government, we implement the following safeguards:
Where required under GDPR/UK GDPR, we rely on mechanisms such as the European Commission's Standard Contractual Clauses (Art. 46 GDPR) and, for the UK, the International Data Transfer Agreement (IDTA) / UK Addendum, and we apply supplementary measures proportionate to the risk of the transfer. Where available, we also rely on adequacy decisions issued by the relevant authority. We use encryption and contractual commitments with our providers to protect your data in transit and at rest. No matter where your data is processed, we treat it in accordance with this Privacy Policy.
We adhere to the following retention schedule for different categories of data:
Retention is determined by your service tier: Essentials (6 months), Advanced (1 year), or Strategic (2 years). This includes alerts, workflows, audit trails, and AI activity logs (including, where stored, associated prompt/response content and/or interaction metadata).
We retain this for the life of the contract plus a period of 3 to 7 years following termination to comply with legal, tax, and accounting obligations.
These are kept for the duration of the account plus 1 to 3 years to maintain audit trails for business continuity.
Data stored in backups is held for a separate window of 30 to 90 days before being securely overwritten or destroyed.
When personal data is no longer required for its original purpose, we may continue to use it in an aggregated and de-identified format. This allows us to improve our security algorithms and platform performance without identifying specific individuals. We do not attempt to re-identify de-identified data, except where required to validate the effectiveness of our de-identification process.
Example: We may retain basic account data for a period after account termination to comply with financial or legal obligations, and we may keep user activity logs for several months for security monitoring (or as otherwise required by law). You can ask us for more details about our retention times for specific categories of data.
We take the security of your personal data seriously and implement technical and organizational measures appropriate to the risk to protect it against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our security measures include:
We enforce internal security policies, provide regular training to our employees, and require all team members to follow data protection principles.
Our platform and internal modules are designed to align with the controls required for ISO 27001 and SOC 2 Type II. We are currently in the process of formalizing our independent audits and will update this Policy as our certification status evolves. We also provide features within the platform to help you maintain your own compliance and evidence collection for these frameworks.
We protect data in transit using TLS 1.2 or higher. Data at rest is secured using AES-256 encryption.
We employ a multi-tenant architecture with strict data-layer isolation to ensure your data is never accessible to other customers. Access is governed by Role-Based and Attribute-Based Access Control (RBAC/ABAC), and MFA is required for all critical administrative accounts.
We maintain immutable audit trails for all platform actions, including connector configurations, workflow executions, and Digital Teammate interactions.
Our development process is aligned with ISO 27001 and SOC 2 frameworks. We integrate automated security scanning (SAST/DAST/SCA) directly into our CI/CD pipelines to identify vulnerabilities before code is deployed.
Our core infrastructure is designed for 99.9% uptime, featuring automatic failover, retries, and state persistence to ensure service availability.
We maintain a dedicated Incident Response (IR) playbook led by our Chief Information Security Officer (CISO) as the incident commander. This process includes systematic detection, triage, containment, and recovery phases.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities without undue delay and, where applicable, within 72 hours of becoming aware of the incident.
We will communicate such incidents via email to your account administrators and, where appropriate, provide updates through our official status page.
You have certain rights regarding your personal data under GDPR, CPRA, and other laws. These include:
You can request a copy of the personal data we hold about you.
You can ask us to correct or update any inaccurate or incomplete information we have about you.
You can ask us to delete your personal data when it is no longer needed, or if you withdraw consent or object to processing.
You can object to certain processing (e.g. for direct marketing or our legitimate interests) at any time.
In some cases, you can ask us to suspend the processing of your data (for example, if you contest its accuracy).
You can request a machine-readable copy of your data to transfer to another service provider, where technically feasible.
If we rely on your consent for any processing, you may withdraw that consent at any time.
If we ever use automated processing or AI that significantly affects you, you have the right to request human review of that decision.
California residents have additional rights, including the right to opt out of any sale or sharing of personal information (Cal. Civ. Code 1798.120), and the right to limit the use of their sensitive personal information (Cal. Civ. Code 1798.121). We do not discriminate against individuals for exercising these rights.
You can complain to a data protection authority or regulator in your jurisdiction if you believe your rights have been violated.
These rights may vary by jurisdiction. We will not retaliate or discriminate against you for exercising any rights.
You may submit a request through our in-product privacy portal (available to workspace admins) or by emailing [email protected].
To protect your data, we must verify your identity before processing a request. We primarily rely on logged-in requests for the highest level of assurance. For non-logged-in individuals, we require verification via your registered work email address.
In jurisdictions where permitted (such as under the CCPA), you may use an authorized agent to submit requests. We will require written authorization and may contact you directly to verify your identity and the agent's authority.
Secure.com acts as a controller for your account and profile data. However, for security logs and telemetry ingested into the platform, we act as a processor on behalf of our customers. If your request relates to data held within a customer's environment, we will refer your request to that customer and assist them as required by law.
If you disagree with our decision regarding a rights request, you may appeal by contacting our legal team at [email protected]. We will provide a written response to your appeal within the timeframe required by your local law.
We utilize AI and automation deeply across the platform to deliver core security capabilities, including:
When we use AI, we ensure that meaningful human oversight and controls are in place. We will inform you when you are interacting with an AI system instead of a human. Our automated workflows are primarily designed to act on technical assets and configurations (e.g., isolating a compromised endpoint, patching a server, or revoking a session token) rather than to make qualitative decisions about individuals. High-impact remediation actions (such as revoking access or modifying critical systems) are governed by customer-defined playbooks and typically require human approval before execution. You have the right to opt out of automated decisions and request a human explanation or review at any time. In short, we do not make fully automated decisions with legal or similarly significant effects without human intervention.
We do not use your personal information, security logs, or AI prompts to train or fine-tune our shared/global AI models.
Customer data is used solely at runtime to provide context for your specific organization (e.g., your specific asset names and security policies) to power the "Digital Teammate" experience within your own isolated environment.
Your content remains isolated to your tenant and is never leaked into the AI responses of other customers.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
We will notify you of any material changes to this Privacy Policy by:
Every update will include a "Last Updated" date at the top of the policy.
If a change significantly expands how we use your personal data for new, incompatible purposes, we will seek your consent or provide an opt-out mechanism where required by law.
If you have questions or requests regarding this Privacy Policy or your personal data, please contact us at:
Please include sufficient detail and a description of your request. We will respond in accordance with applicable law. We value your privacy and will address your inquiries as promptly as possible.
Thank you for trusting Secure.com with your personal information.