VeriGenAI Security Platform Privacy Policy
Effective Date: January 1st, 2025
1. Introduction
VeriGenAI ("VeriGenAI," "we," "us," or "our") operates an advanced security intelligence platform that provides automated GenAI security assessments, vulnerability testing, and OWASP LLM Top 10 compliance monitoring. As a security-first organization, we understand the critical importance of data protection and privacy in the cybersecurity industry.
This Privacy Policy describes how we collect, use, process, and protect information when you use our security assessment platform, website, APIs, and related services (collectively, the "Platform"). By using our Platform, you acknowledge that you have read and understood this Privacy Policy.
Security Notice: This Privacy Policy is designed to meet the stringent privacy and security requirements expected of enterprise security platforms.
2. Information We Collect
2.1. Enterprise Account Information
- Business Contact Data: Company name, business email addresses, phone numbers, job titles, and organizational information
- Account Credentials: Usernames, encrypted passwords, multi-factor authentication tokens, and API keys
- Billing Information: Corporate payment details, billing addresses, and subscription information (processed through secure payment providers)
- Security Team Information: Names and contact information of designated security personnel and administrators
2.2. Security Assessment Data
- Target System Information: GenAI endpoint URLs, model configurations, and system metadata submitted for security assessment
- Vulnerability Data: Security findings, risk scores, OWASP LLM Top 10 compliance results, and threat intelligence generated by our platform
- Assessment Configurations: Test parameters, security policies, and assessment preferences configured by your security team
- Security Reports: Executive summaries, technical findings, remediation recommendations, and compliance documentation
- Attack Simulation Data: Results from our 31 specialized attack agents, including payload responses and security validation outcomes
2.3. Platform Usage Analytics
- Security Operations Data: Assessment frequency, platform utilization patterns, and security workflow analytics
- Performance Metrics: Platform response times, assessment completion rates, and system availability statistics
- Access Logs: Login timestamps, IP addresses, user agent strings, and access patterns for security monitoring
- API Usage: API call volumes, endpoint usage, and integration patterns
2.4. Security Monitoring Data
- Threat Intelligence: Security indicators, attack patterns, and threat landscape data relevant to your industry
- Compliance Tracking: Historical compliance scores, trend analysis, and regulatory alignment metrics
- Incident Data: Security event logs, anomaly detection results, and platform security incidents
3. How We Use Your Information
3.1. Security Assessment Services
- Vulnerability Testing: Execute automated security assessments against your GenAI systems using our specialized attack agents
- Compliance Monitoring: Evaluate OWASP LLM Top 10 compliance and generate detailed security reports
- Risk Analysis: Provide actionable threat intelligence and security recommendations tailored to your environment
- Executive Reporting: Generate compliance dashboards and executive summaries for governance and risk management
3.2. Platform Security and Operations
- Security Monitoring: Detect and prevent unauthorized access, abuse, and security threats to our platform
- Incident Response: Investigate security incidents and maintain the integrity of our security assessment services
- Platform Improvement: Enhance our attack agents, detection capabilities, and security assessment methodologies
- Customer Support: Provide technical assistance and security consultation to your security teams
3.3. Compliance and Legal Obligations
- Legal Requests: Respond to lawful requests from law enforcement and regulatory authorities
4. Data Security and Protection
4.1. Enterprise-Grade Security Controls
As a security intelligence platform, we implement military-grade protection for all customer data:
- Encryption: AES-256 encryption at rest and TLS 1.3 for all data in transit
- Zero Trust Architecture: All platform access requires authentication and authorization verification
4.2. Data Isolation and Confidentiality
- Customer Data Isolation: Each customer's security assessment data is logically separated and encrypted
- Confidential Processing: Security findings and vulnerability data are processed in isolated environments
- Data Minimization: We collect only the data necessary for security assessment and compliance reporting
- Secure Deletion: Cryptographic erasure of customer data upon account termination
5. Data Sharing and Disclosure
5.1. No Security Data Sharing
Confidentiality Guarantee: We do not share or sell customer security assessment data, vulnerability findings, or compliance results, and we do not disclose them to any third parties, except as described below.
5.2. Limited Service Providers
We may share data with vetted security service providers who assist in platform operations:
- Cloud Infrastructure: Secure cloud hosting providers with SOC 2 compliance
- Security Monitoring: SIEM and security monitoring service providers
- Payment Processing: PCI-compliant payment processors (billing data only)
All service providers are bound by strict confidentiality agreements and security requirements.
5.3. Legal and Regulatory Disclosure
We may disclose information only when legally required:
- Law Enforcement: In response to valid court orders or subpoenas
- National Security: When required by applicable national security laws
- Platform Security: To prevent harm to our platform or other customers' security
6. Data Retention and Deletion
6.1. Security Assessment Data
- Active Assessments: Security findings retained for the duration of your subscription
- Historical Compliance: Compliance reports retained for 7 years to support audit requirements
- Vulnerability Data: Specific vulnerability findings retained for 3 years for trend analysis
- Attack Simulation Data: Raw attack simulation data retained for 1 year
6.2. Account and Business Data
- Account Information: Retained until account deletion or 2 years after subscription termination
- Billing Records: Retained for 7 years to meet financial compliance requirements
- Audit Logs: Security and access logs retained for 1 year
6.3. Secure Data Deletion
Upon data retention expiry or customer request:
- Deletion Certification: Written confirmation of secure data destruction upon request
7. International Data Transfers
7.1. Data Residency Options
- Regional Hosting: Customer data can be processed and stored in specific geographic regions
- US Processing: Default processing in SOC 2 compliant US data centers
- EU Processing: GDPR-compliant processing available for European customers
8. Your Rights and Controls
8.1. Security Data Access
- Platform Access: Full access to your security assessments, reports, and compliance data through the platform
- Data Export: Ability to export security findings, reports, and assessment data in standard formats
- API Access: Programmatic access to retrieve your security and compliance data
8.2. Privacy Rights
- Data Rectification: Correct inaccurate account or business information
- Data Deletion: Request deletion of your account and associated data
- Processing Restriction: Limit processing of your personal information
- Data Portability: Receive your data in a structured, machine-readable format
8.3. Enterprise Controls
- Data Processing Agreements: Enterprise customers receive comprehensive DPAs
- Custom Retention: Negotiate custom data retention periods for compliance needs
- Audit Rights: Enterprise customers may audit our data handling practices
- Incident Notification: Immediate notification of any security incidents affecting your data
9. Cookie and Tracking Technologies
9.1. Platform Cookies
- Essential Cookies: Required for platform authentication and security functions
- Security Cookies: Session management and fraud prevention
- Analytics Cookies: Platform usage and performance monitoring (optional)
9.2. Cookie Management
You can control cookie preferences through:
- Platform Settings: Configure cookie preferences in your account settings
- Browser Controls: Manage cookies through your browser settings
- Opt-Out Options: Disable non-essential cookies while maintaining platform functionality
10. Incident Response and Breach Notification
10.1. Security Incident Response
- Monitoring: Security monitoring and threat detection
- Rapid Response: Immediate incident response team activation for security events
- Containment: Automated systems to isolate and contain security incidents
- Forensic Analysis: Detailed investigation and root cause analysis
10.2. Customer Notification
- Immediate Alert: Notification within 4 hours of a confirmed security incident
- Regular Updates: Ongoing communication throughout incident response
- Final Report: Comprehensive incident report within 30 days
- Regulatory Notification: Assistance with regulatory breach notification requirements
11. Third-Party Security Integrations
12. Compliance and Regulatory Alignment
13. Contact Information
13.1. Privacy and Security Contacts
14. Updates to This Privacy Policy
14.1. Policy Updates
We may update this Privacy Policy to reflect:
- Platform Enhancements: New security features and assessment capabilities
- Regulatory Changes: Updates to privacy and security regulations
- Security Improvements: Enhanced data protection and security measures
15. Effective Date and Acceptance
This Privacy Policy is effective as of January 1st, 2025. By using the VeriGenAI security platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our commitment to protecting your security data and maintaining the confidentiality of your vulnerability assessments.
For Enterprise Customers: This Privacy Policy is supplemented by your Master Service Agreement and Data Processing Agreement, which provide additional protections and controls specific to enterprise security requirements.
16. Manage Your Privacy Preferences
Control how your data is processed by our security platform. These settings apply to non-essential data processing only; core security assessment functionality is not affected.