Privacy Policy

Last updated: January 2025

1. Introduction

Vuldoo LLC ("Vuldoo", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our vulnerability assessment platform and services.

2. Information We Collect

2.1 Account Information: When you create an account, we collect your email address, name, and authentication credentials. We use AWS Cognito for secure authentication and user management.

2.2 Domain Information: We collect and store information about domains you add to our platform, including domain names, subdomains, and associated metadata. This information is necessary to perform vulnerability assessments.

2.3 Scan Results: We collect and store the results of security scans, including identified vulnerabilities, network information, and technical findings. This data is used to generate your security reports.

2.4 Generated Reports: We store copies of generated vulnerability assessment reports in secure cloud storage (AWS S3) with time-limited access via presigned URLs.

2.5 Usage Data: We may collect information about how you interact with our services, including access logs, feature usage, and error reports.

2.6 Payment Information: Payment processing is handled by Stripe. We do not store full credit card numbers or payment details. We only store payment transaction records necessary for billing and accounting.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our vulnerability assessment services
  • Process transactions and manage your account
  • Generate and deliver security reports
  • Communicate with you about your account and our services
  • Ensure security and prevent unauthorized access
  • Comply with legal obligations
  • Analyze usage patterns to improve our services

4. Data Storage and Security

4.1 Storage: Your data is stored in secure AWS cloud infrastructure, including DynamoDB for structured data and S3 for reports and files. All data is encrypted at rest and in transit.

4.2 Security Controls: We implement industry-standard security measures, including encryption, access controls, authentication requirements, and regular security audits. Access to your data is restricted to authorized personnel and systems.

4.3 Project-Based Access: Data is organized by projects, and access is controlled at the project level. Users can only access domains and data within projects where they are members.

5. Data Retention

We retain your account information, domain data, scan results, and reports for as long as your account is active or as needed to provide our services. You may request deletion of your data by contacting us or deleting your account. Some data may be retained for legal or regulatory compliance purposes.

6. Third-Party Services

6.1 AWS Services: We use AWS services (Cognito, DynamoDB, S3, Lambda, AppSync, CloudFront) for authentication, data storage, and service delivery. AWS is responsible for the security of its infrastructure.

6.2 Stripe: Payment processing is handled by Stripe. Stripe's privacy policy applies to payment transactions. We do not have access to your full payment card information.

6.3 Other Processors: We may use other third-party services for analytics, email delivery, and service monitoring. These services are bound by confidentiality agreements and only process data as necessary to provide their services.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • With your explicit consent
  • To comply with legal obligations or court orders
  • To protect our rights, property, or safety, or that of our users
  • With service providers who assist us in operating our platform (under strict confidentiality agreements)
  • In connection with a business transfer or merger (with notice to users)

8. Your Rights

Depending on your location, you may have certain rights regarding your personal information, including:

  • Right to access your personal data
  • Right to correct inaccurate data
  • Right to delete your data
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

To exercise these rights, please contact us through our website or application.

9. Cookies and Tracking

We use cookies and similar technologies to maintain your session, remember your preferences, and analyze usage. You can control cookies through your browser settings, though this may affect the functionality of our services.

10. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete such information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us through our website or application.