AI Governance Platform
Privacy Policy
Version 2026-03-26
This Privacy Policy describes how DEW Diligence, LLC (“Licensor,” “we,” “us,” or “our”) collects, uses, stores, and discloses personal information in connection with the SaaS platform (“Service”). By using the Service, you acknowledge this Policy.
1. Information We Collect
1.1 Account and Identity Information
When you register for or use the Service, we collect: name and email address (from your identity provider); organization name and identifier; selected governance role and platform role; subscription tier and seat information; session metadata (IP address, browser type, device type, timestamp).
1.2 Customer Data You Submit
The Service processes Customer Data you submit, including: AI system profiles and governance records; risk register entries and risk scenarios; incident records and evidence packs; procurement and vendor contract details; cost and budget records; data subject requests; audit and approval records. We process this data to provide the Service and in accordance with your instructions.
1.3 Usage and Operational Data
We automatically collect operational data about your use of the Service, including: pages and features accessed; API calls and response times; error logs and diagnostic information; governance workflow completion states; copilot interaction metadata (the content of copilot interactions is not collected unless you opt into telemetry). This data is used to operate, maintain, and improve the Service.
1.4 PII Detection Data
If you use the copilot feature with PII detection enabled, input text is analyzed by the anonymizer before being transmitted to the AI provider. PII detection results (categories detected, not raw values) may be logged for security audit purposes.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service and its features;
- Authenticate users and enforce access controls and authorization boundaries;
- Process subscription requests and manage billing;
- Send transactional notifications (subscription confirmations, security alerts, service notices);
- Detect, investigate, and respond to security incidents, fraud, and abuse;
- Comply with legal obligations and respond to lawful government requests;
- Improve the Service through aggregated, anonymized analytics (without identifying individual customers);
- Communicate product updates, where you have not opted out.
3. Legal Bases for Processing (EEA/UK)
If you are located in the European Economic Area or United Kingdom, our legal bases for processing personal data are: performance of contract (providing the Service you subscribed to); legitimate interests (security, fraud prevention, service improvement); compliance with legal obligations; and, where required, consent (e.g., optional telemetry).
4. Data Sharing and Disclosure
We do not sell personal information. We may share information with the following categories of recipients, including but not limited to:
- Service providers: Infrastructure and hosting providers (AWS), AI model providers (OpenAI), and other vendors necessary to operate the Service, under data processing agreements.
- Within your organization: Authorized Users within your organization can view governance records, role assignments, and workflow history as permitted by your workspace configuration.
- Legal requirements: We may disclose information when required by law, court order, or government request, or when necessary to protect the safety, rights, or property of Licensor, users, or the public.
- Business transfers: In connection with a merger, acquisition, or asset sale, customer data may be transferred as a business asset; you will be notified via the Service or email.
5. Data Retention
We retain Customer Data for the duration of your subscription plus thirty (30) days following termination to allow data export. After that period, Customer Data is deleted or anonymized unless we are required to retain it by applicable law. Account and billing information is retained for seven (7) years for tax and legal compliance. Aggregated, anonymized usage analytics may be retained indefinitely.
6. Security
We implement technical and organizational security measures including: TLS encryption for data in transit; encrypted secrets management; hardened authentication with passkey and MFA support; server-side signed session cookies; WAF-level perimeter controls; relationship- and role-based access controls with server-enforced authorization boundaries. We conduct periodic security reviews. No security measure is 100% effective; you should report suspected incidents to [email protected].
7. International Data Transfers
The Service is hosted on AWS infrastructure in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. Where required by applicable law (e.g., GDPR), such transfers are subject to appropriate safeguards, including Standard Contractual Clauses. Contact [email protected] for details.
8. Your Rights
Depending on your jurisdiction, you may have rights to: access the personal data we hold about you; correct inaccurate data; request deletion of your personal data; restrict or object to certain processing; receive a copy of your data in a portable format; withdraw consent (where processing is based on consent). To exercise these rights, contact [email protected]. We will respond within the timeframe required by applicable law.
Data subject requests submitted within your governance workspace (DSR module) are governed by your organization’s privacy configuration and processed in accordance with your instructions as data controller.
9. Cookies and Tracking
The Service uses HttpOnly signed session cookies necessary for authentication and session management. These cookies are required to operate the Service and cannot be disabled while you use the Service. We do not use third-party advertising cookies. If you enable optional telemetry (disabled by default), usage analytics may be collected.
10. Children’s Privacy
The Service is not directed to or intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you become aware that a minor has provided us with personal information, contact [email protected].
11. Changes to This Policy
We may update this Privacy Policy. Each update increments the legal bundle version, and you will be required to re-acknowledge the updated Policy before continuing to use the Service. Material changes affecting your rights will be communicated with at least thirty (30) days' notice where practicable.
12. Contact
For privacy questions, data subject requests, or concerns:
Email: [email protected]