Privacy Policy
Last updated: 2026-05-02 — Version: 2026-05-02
1. Who we are
The CISO360AI service (the "Service") is operated by alterSec Limited (NZBN 9429047827035), trading as CISO360AI, a company incorporated in New Zealand. For the purposes of applicable data-protection law we are the controller of personal data we collect about account holders and the processor of data you upload into the Service. You can reach us at privacy@ciso360.ai.
2. What we collect
- Account data: name, corporate email address, organisation name, password (hashed and stored by our identity provider), preferred language, and authentication tokens.
- Service data: organisations, projects, assets, scan targets, vulnerabilities, findings, controls, evidence, AI-assisted outputs, and any other content you create or upload while using the Service.
- Usage telemetry: IP address, browser and device information, referring URL, pages and features visited, error logs, and audit trails of significant actions.
- Cookies and session data: required to keep you signed in and to remember preferences. See §9 below.
3. Why we collect it
We process personal data to:
- provide, operate, maintain, and improve the Service;
- authenticate users and protect accounts;
- provide customer support and communicate service notices;
- monitor for abuse, fraud, and security incidents;
- generate aggregated, anonymised analytics about how the Service is used;
- meet legal, regulatory, and audit obligations;
- process payments (when paid tiers are available).
4. Legal basis (GDPR / similar regimes)
Where the GDPR or equivalent law applies, our lawful bases are: performance of the contract with you (provision of the Service), our legitimate interests (security, abuse prevention, service improvement), your consent (optional cookies and marketing communications), and compliance with legal obligations.
5. Sub-processors and sharing
We rely on a small number of trusted sub-processors to deliver the Service. These currently include:
- cloud hosting and storage (Amazon Web Services);
- identity and authentication;
- large-language-model providers used by the AI Sidekick (such as Amazon Bedrock);
- transactional email delivery for verification and notifications;
- payment processing (when paid tiers are available).
We require sub-processors to handle personal data with appropriate safeguards. We do not sell your personal data. We will only disclose data outside this list when legally required (for example, in response to a valid court order) or to protect the safety of users.
6. Data location and transfers
The Service is primarily hosted in AWS regions selected for performance and data residency. Some sub-processors may operate outside your region; in those cases we rely on appropriate cross-border transfer mechanisms (such as Standard Contractual Clauses) to protect your data.
7. Retention
Account data is retained for as long as your account is active, plus a reasonable period afterwards to meet legal, audit, and dispute-resolution obligations. Service data is retained according to the project retention policy you configure. On account closure, we delete or anonymise personal data within 30 days, subject to backups and legal-retention requirements.
8. Your rights
Depending on your jurisdiction, you have rights to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request deletion of your data ("right to be forgotten");
- obtain a portable copy of your data;
- object to or restrict certain processing;
- withdraw consent (where consent is the legal basis);
- lodge a complaint with your local data-protection authority.
To exercise these rights, email privacy@ciso360.ai. We may need to verify your identity before acting on a request.
9. Cookies
We use strictly necessary cookies to keep you signed in and to remember essential preferences. We may also use limited analytics cookies to understand product usage in aggregate. You can control cookies via your browser, but disabling required cookies will impair the Service.
10. Security
We protect your data through multi-tenant isolation, encryption in transit (TLS) and at rest, JWT-based authentication with PKCE, role-based access control, audit logging, and ongoing security testing. No system is perfectly secure; we cannot guarantee absolute security and you should evaluate the Service's suitability for your sensitivity profile during preview.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email to the address on file for your account. Your continued use of the Service after such notice constitutes acceptance of the updated policy.
12. Contact
Privacy questions and requests can be sent to privacy@ciso360.ai.
alterSec Limited · NZBN 9429047827035 · Auckland, New Zealand