Privacy Policy
01 Who we are
This Privacy Policy describes how ctOS:BLADE ("ctOS:BLADE", "we", "us", "our") handles personal data collected through ctosblade.com, its subdomains, and the ctOS:BLADE platform (collectively, the "Services").
For the purposes of the EU and UK General Data Protection Regulation, ctOS:BLADE acts as the data controller for website-visitor and prospect data. When customers use the platform to manage security findings, ctOS:BLADE acts as a data processor on the customer's behalf — that relationship is governed by our Data Processing Agreement.
02 Scope
This policy covers:
- Visitors to our marketing website
- People who contact us by email or through the site
- Account holders using the ctOS:BLADE platform
- Individuals whose data may appear in security findings ingested by the platform, to the extent processed by us as a processor
This policy does not cover third-party websites we link to. Those sites have their own privacy practices.
03 Data we collect
From you, directly
When you email us or request access, we receive whatever you include: name, work email, company, role, team size, compliance context, deployment preference, and the body of your message.
Automatically, via our infrastructure
Our website is served via Cloudflare. We receive standard server-log data including IP address, user agent, referrer, page visited, and timestamp. This is used for security, abuse prevention, and aggregate traffic analysis.
Platform data (customers only)
For paying customers, we process the data you configure the platform to ingest — typically vulnerability findings, asset metadata, user identities within your tenant, and audit logs of actions taken inside the platform. Processing terms are in the DPA.
What we do not collect
- We do not run third-party advertising trackers
- We do not buy or enrich data from data brokers
- We do not collect special category data (health, political opinions, biometrics) through our website
04 How we use data
| Purpose | Description |
|---|---|
| Respond to inquiries | Replying to access requests, demo requests, and support emails sent to our addresses. |
| Deliver the Services | Operating the platform for paying customers, including authentication, tenant isolation, and feature functionality. |
| Security and abuse prevention | Detecting bots, credential stuffing, and unauthorized access attempts against our infrastructure. |
| Service improvement | Analysing aggregate, de-identified usage patterns to improve the product. |
| Legal compliance | Meeting our obligations under applicable law, including responding to lawful requests from authorities. |
We do not use your data to train third-party machine-learning models, and we do not sell, rent, or trade personal data.
05 Legal bases (for EEA / UK / similar regimes)
- Contract — where processing is necessary to provide the Services you or your employer contracted for.
- Legitimate interests — for responding to unsolicited inquiries, securing our infrastructure, and improving the product. These interests are balanced against your rights and freedoms.
- Consent — where we rely on consent, you may withdraw it at any time (e.g. marketing emails).
- Legal obligation — where we must retain or disclose data to comply with law.
06 Sub-processors and sharing
We rely on a small, vetted set of sub-processors to deliver the Services. Current sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge network, DNS, email routing, DDoS protection, web analytics | Global edge; US-headquartered |
| Google LLC | Inbound email delivery to our administrative inbox | US / EU, depending on routing |
For the platform, a customer-specific sub-processor list is provided in the DPA. We notify customers of changes with a reasonable period to object.
We do not share personal data with third parties for their own marketing purposes. We may disclose data if legally compelled, in which case we will seek to notify the affected person unless prohibited.
07 International transfers
Depending on where our customers and sub-processors operate, personal data may be processed outside the country in which it was collected. Where this involves an international transfer from the EEA, UK, or another jurisdiction with transfer rules, we rely on appropriate safeguards — typically the EU Standard Contractual Clauses (2021), supplemented by technical measures such as encryption in transit and at rest.
Customers choosing our Sovereign deployment tier can restrict processing to a specific geography, including fully air-gapped environments.
08 Security
We apply technical and organisational measures proportionate to the sensitivity of the data we handle. These include, at minimum:
- TLS 1.2+ for all data in transit
- Encryption at rest for customer tenant data
- Role-based access control with least privilege
- Logging of administrative and data-access actions
- Separation of production, staging, and development environments
- Regular vulnerability scanning and periodic penetration testing by independent third parties
- Incident response procedures aligned with industry standards
A more detailed description of our technical and organisational measures is available to customers under NDA.
Security researchers can report vulnerabilities via our security.txt policy.
09 Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — confirmation of whether we hold your data and a copy of it
- Rectification — correction of inaccurate data
- Erasure — deletion, where a legal basis for retention no longer exists
- Restriction — limiting how we process your data in certain cases
- Portability — receiving your data in a machine-readable format
- Objection — to processing based on legitimate interests
- Withdraw consent — where processing was consent-based
- Complain to a supervisory authority — in your country of residence
To exercise any of these rights, email support@ctosblade.com. We will respond within 30 days, or sooner where required by law. We may need to verify your identity before acting on a request.
Where the request concerns platform data processed on behalf of a customer, we will forward it to the relevant customer, who is responsible for responding as the controller.
10 Retention
| Data | Retention |
|---|---|
| Marketing inquiries / demo requests | 24 months from last contact, then deleted unless an active relationship exists |
| Customer account data | Duration of the subscription + 90 days, then deleted or returned per the DPA |
| Server and security logs | 90 days, rolling |
| Audit logs (platform) | 13 months minimum, or as required by customer's regulatory regime |
| Financial and tax records | As required by applicable law (typically 7 years) |
11 Cookies and analytics
Our marketing website uses Cloudflare Web Analytics, which is cookie-less and does not track users across sites. We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or similar.
Our hosting layer (Cloudflare) may set strictly necessary cookies for security, performance, and bot mitigation. These are exempt from consent requirements under most privacy laws because they are required to deliver the service you requested.
We do not set marketing cookies. If this changes, we will update this policy and add a consent banner compliant with the jurisdictions we serve.
12 Children
Our Services are not directed to individuals under 18. We do not knowingly collect personal data from minors. If we learn we have inadvertently collected such data, we will delete it promptly.
13 Changes to this policy
We may update this policy to reflect changes in our practices, law, or sub-processors. Material changes will be communicated via the website and, where we have a direct relationship, by email. The "Effective" date at the top of this document indicates when the current version took effect.
14 Contact
Privacy inquiries and rights requests:
- Email: support@ctosblade.com
- Security vulnerabilities: security@ctosblade.com
If you are not satisfied with our response, you may lodge a complaint with your local data protection authority.