Privacy Policy

How SignumCyber collects, uses, and protects your information across our Website and Platforms.

Effective February 12, 2026

This Privacy Policy describes how SignumCyber (“Company,” “we,” “us,” or “our”) collects, uses, and shares personal information when you visit our marketing website at www.signumcyber.com (the “Website”), use our SaaS cybersecurity risk assessment platforms at essentials.signumcyber.com and/or vantage.signumcyber.com (the “Platform” or “Platforms”), or use any of our related products or services (collectively, the “Services”). By accessing or using our Services, you agree to the collection and use of your information in accordance with this Privacy Policy.

This policy distinguishes between two primary properties: (1) the Website (www.signumcyber.com), a publicly accessible marketing site that does not require user accounts or login, and (2) the Platforms (essentials.signumcyber.com and/or vantage.signumcyber.com), our authenticated SaaS application used by customers for cybersecurity risk assessment and consulting services.

1. Information We Collect

1.1 Website (www.signumcyber.com)

Our marketing website is a publicly accessible informational site. It does not require user accounts, login credentials, or authentication of any kind. The information we collect from website visitors is limited to:

Contact Form Submissions

When you voluntarily submit our contact form, we collect:

  • Personal and professional identifiers: Name, work email address, job title, and company information
  • Inquiry details: Your reason for contacting us and any additional context you choose to provide
  • Optional information: Phone number and marketing communication preferences

This information is stored in a secure database solely for the purpose of responding to your inquiry and is not used for any other purpose without your consent.

Server & Security Data

Our website hosting infrastructure automatically collects standard server data:

  • Server logs: IP addresses, access times, requested pages, referring URLs, and HTTP status codes
  • Browser information: User agent strings (browser type, version, operating system)

Our website does not use cookies for tracking, does not use Google Analytics or any third-party analytics services, and does not use any advertising networks or tracking pixels. We use custom, privacy-respecting analytics built in-house that do not track individual users or share data with third parties.

1.2 Platforms (essentials.signumcyber.com and/or vantage.signumcyber.com)

Our SaaS platform requires authenticated access and collects additional information necessary to deliver our cybersecurity risk assessment services.

Account & Contact Information

When you create an account or your organization provisions access, we collect:

  • Personal identifiers: Full name (first and last), email address
  • Account credentials: Username, encrypted passwords, security preferences
  • Contact information: Phone number (optional for customer support)
  • Service access data: User roles, subscription status, access permissions, feature-level permissions

Billing & Tax Compliance Information

For invoicing and tax compliance requirements, we collect:

  • Complete billing address: Street address, apartment/suite, city, state, ZIP/postal code
  • Geographic data: Country/region selection for tax calculation purposes
  • Tax jurisdiction data: Location-based information required by tax authorities
  • Contract details: Service packages selected, pricing tier, engagement terms
  • Optional order notes: Any special instructions or requirements you provide

This information is required for invoicing, tax calculation, and compliance with applicable tax regulations.

Payment & Invoicing

All payments are processed through traditional banking channels (wire transfers, ACH, or similar bank-to-bank methods). We do not collect, process, or store credit card numbers, debit card numbers, or any payment card data. Invoicing and billing information (company name, billing address, and banking details for remittance) are handled directly between SignumCyber and the customer outside of our Platform.

Security & System Data

To protect our platform and users, we collect:

  • IP addresses and network information for security monitoring
  • Device fingerprinting data: Browser type, version, operating system, screen resolution
  • Security logs: Failed login attempts, suspicious activity alerts
  • Session data: Login times, activity patterns, geographic location
  • Web Application Firewall (WAF) logs: Request metadata inspected by AWS WAF for threat detection; WAF does not access or store client business data

Usage Analytics (Anonymous)

We collect anonymized usage data to improve our Services and develop industry insights:

  • Feature usage statistics: Which assessments are completed, time spent
  • Performance metrics: Page load times, error rates
  • Aggregated industry trends: Derived from anonymized client data
  • Product improvement metrics: User interface interactions, feature adoption

This data is anonymized and cannot be linked back to individual users or specific organizations.

Questionnaire & Assessment Data

When using our cybersecurity assessment tools, we collect:

  • Questionnaire responses and assessment results
  • Risk scores and analysis data
  • Implementation tracking and progress metrics
  • Custom configurations and preferences

Technical Data

Our Platform automatically collects:

  • Server logs: Access times, requested pages, error messages
  • Browser information: User agent strings
  • Cookie data: For essential functionality (session management, authentication)
  • API usage logs: For service integration and debugging

2. How We Use Your Information

Responding to Inquiries (Legal Basis: Legitimate Interest)

  • Respond to contact form submissions on our Website
  • Follow up on inquiries about our services

Tax Compliance & Invoicing (Legal Basis: Legal Obligation)

  • Calculate and collect sales tax, VAT, and GST as required by law
  • Determine customer location for tax jurisdiction purposes
  • Maintain evidence of customer location for tax authority requirements
  • Process invoicing and verify billing information
  • Generate tax reports and filings as required by regulation
  • Retain billing information for audit and compliance purposes

Security & Fraud Prevention (Legal Basis: Legitimate Interest)

  • Protect against unauthorized access and cyber threats
  • Detect and prevent fraudulent activity
  • Monitor for suspicious behavior and security breaches
  • Maintain system integrity and availability

Product Improvement (Legal Basis: Legitimate Interest)

  • Analyze usage patterns to enhance user experience
  • Develop new features and services
  • Generate anonymized industry benchmarks and insights
  • Conduct internal research and development

We do not sell individual client data or use it for marketing to competitors.

Legal Compliance (Legal Basis: Legal Obligation)

  • Comply with applicable laws and regulations
  • Respond to legal requests and court orders
  • Meet industry regulatory requirements
  • Maintain audit trails for compliance purposes

Marketing Communications (Legal Basis: Consent/Legitimate Interest)

  • Send service updates and security notices
  • Provide newsletters and product announcements (with opt-out available)
  • Conduct customer satisfaction surveys

3. Information Sharing & Disclosure

Service Providers

We share information with trusted vendors who assist in service delivery:

  • Cloud infrastructure provider: Amazon Web Services (AWS) for hosting, data storage, web application firewall, DNS, and SSL/TLS certificate management
  • Email services: Microsoft Office 365 for communications
  • AI services: Anthropic Claude for platform intelligence features (anonymized data only; no client names, user identities, or proprietary business data transmitted)
  • Identity providers: Azure AD and Okta for optional single sign-on authentication (Platform only)

All service providers are contractually bound to protect your information and use it only for specified purposes.

Legal Requirements

We may disclose information when required by:

  • Legal process, court orders, or government requests
  • Investigation of potential violations of our Terms of Service
  • Protection of our rights, property, or safety, or that of others

Business Transfers

If we undergo a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

Anonymized Data Sharing

We may share anonymized, aggregated industry insights that cannot identify specific organizations:

  • Industry benchmarking reports: Showing sector-wide security trends
  • Research publications: Contributing to cybersecurity best practices
  • Anonymous usage statistics: For product development partnerships

We never sell individual client data or personally identifiable information to third parties.

4. Data Security & Protection

We implement comprehensive security measures across both our Website and Platform:

  • Encryption in transit: Mandatory HTTPS/TLS 1.2+ for all communications across both Website and Platform; weak protocols (SSL, TLS 1.0/1.1) disabled
  • Encryption at rest: All Platform data stored on encrypted AWS volumes and database instances using AES-256 encryption
  • Web Application Firewall: AWS WAF with managed rules protecting the Platform against OWASP Top 10 vulnerabilities including SQL injection and cross-site scripting
  • Multi-factor authentication: Available for Platform accounts with organization-level enforcement options
  • Access controls: Role-based access control limiting data access to authorized personnel
  • Session management: Secure cookies (HttpOnly, Secure, SameSite) with configurable timeouts and idle session enforcement
  • Backup systems: Automated daily backups with point-in-time recovery and tested restoration procedures
  • Network isolation: Database instances deployed in private configuration with no public accessibility

While we use industry-standard security practices, no system is completely secure. We cannot guarantee absolute security of your data.

Data Retention

We retain personal information as long as necessary for:

  • Website contact form submissions: Duration necessary to respond to inquiry, then deleted unless an ongoing business relationship is established
  • Account and contact data: Duration of your subscription plus 3 years for business records
  • Billing and tax information: 7–10 years after final transaction per tax authority requirements
  • Location evidence for tax purposes: 10 years as required by VAT and sales tax regulations
  • Assessment data: 7 years or as required by industry compliance standards
  • Security logs: 90 days in active storage, then archived; incident evidence retained for 3 years
  • Anonymous analytics: Indefinitely for research and product improvement
  • Legal obligations: As required by applicable law and regulations

Tax-related information has extended retention periods mandated by law and cannot be deleted early.

5. Your Privacy Rights

Depending on your location, you may have rights including:

Access & Portability

  • Request copies of your personal data
  • Export your data in a machine-readable format

Correction & Updates

  • Update account information through your user profile (Platform users)
  • Request correction of inaccurate data

Deletion

  • Request deletion of your account and associated data
  • Request deletion of contact form submissions
  • Right to erasure under GDPR (subject to legal exceptions)

Data Processing Control

  • Opt out of non-essential data collection
  • Withdraw consent for marketing communications
  • Object to processing based on legitimate interest

Notification Preferences

Platform users can customize email notifications through account settings or contact legal@signumcyber.com.

6. Cookies & Tracking

Website (www.signumcyber.com)

Our marketing website does not use cookies for tracking purposes. The website does not use Google Analytics, advertising networks, third-party tracking pixels, or any other third-party analytics services. We use custom, privacy-respecting analytics built in-house.

Platforms (essentials.signumcyber.com and/or vantage.signumcyber.com)

Our Platforms use cookies strictly for:

  • Essential functionality: User authentication, session management, security (CSRF protection)
  • Performance monitoring: Error tracking, load time measurement
  • User preferences: Interface settings, language choices

You can control cookies through browser settings, though disabling essential cookies may limit Platform functionality. We do not use any third-party tracking cookies on the Platform.

7. International Data Transfers

All SignumCyber infrastructure, data storage, and processing occur exclusively within the United States (AWS US-West-2, Oregon). No customer data is stored, processed, or transferred outside the United States.

8. Children's Privacy

Our Services are not intended for individuals under 18. We do not knowingly collect personal information from minors. If you believe we have collected data from someone under 18, please contact us immediately.

9. Changes to This Privacy Policy

We may update this policy to reflect service changes or legal requirements. Material changes will be communicated via:

  • Email notification to active Platform users
  • Prominent notice on our Website
  • In-app notifications for significant changes

Continued use after changes indicates acceptance of the updated policy.

10. Contact Information

For privacy questions, data requests, or concerns:

Email: legal@signumcyber.com

Data Protection Officer: privacy@signumcyber.com

11. Regulatory Compliance

This policy addresses requirements under:

  • General Data Protection Regulation (GDPR): European Union residents
  • Preparation for US State Laws: California, Utah, Virginia, and other states as we grow

Current Compliance Status

As an early-stage company, we currently fall below the revenue and data processing thresholds that trigger most US state privacy law requirements. However, we have designed our privacy practices to meet high standards from day one.

Future Compliance Commitment

As our business grows, we will ensure compliance with applicable state privacy laws including:

  • California Consumer Privacy Act (CCPA/CPRA) when we reach $25M annual revenue or process 100K+ CA residents' data
  • Utah Consumer Privacy Act (UCPA) when we reach $25M annual revenue and process 100K+ consumers' data
  • Other state privacy laws as thresholds are met

International Users

European Users: If you are located in the European Union, you have rights under GDPR including access, rectification, erasure, and data portability. Contact privacy@signumcyber.com to exercise these rights.

All Users: Regardless of legal requirements, we respect your privacy and will honor reasonable requests for data access, correction, or deletion.