@ 2025 All rights reserved


Security & Technology Company

(Based in Reston, Virginia)


Effective date: July 28, 2025

Last updated: July 28, 2025

Legal entity: NtelSec, Inc. d/b/a SectorNet and CUI Vault (“CUI Vault”, “we”, “us”, “our”)

Important note: The current CUI Vault service is designed for FCI‑only environments (CMMC Level 1 and eligible Level 2 self‑assessments). Customers are prohibited from uploading or processing Controlled Unclassified Information (CUI) in this Service.

1. Roles & Contact

Controller vs. Processor. For account registration, billing, telemetry, and marketing data, we act as a controller. For customer content in the Service (documents, evidence, logs), we act as your processor/service provider.

Contact:

NtelSec, Inc. d/b/a SectorNet and CUI Vault

12007 Sunrise Valley Drive, Suite 310, Reston, VA 20191, USA

privacy@cuivault.com  |  +1 (703) 555‑0188



2. Information We Collect

  • You provide: account/profile details; billing & payment metadata (handled by a PCI‑compliant processor); support tickets; training/webinar inputs; compliance artifacts you upload (e.g., SSPs, POA&Ms, evidence).

  • Automatically: device/usage logs, IP, user agent, timestamps, feature interactions, error and security events (auth, MFA status, RBAC changes, audit trails).

  • From third parties: identity providers/SSO (e.g., Entra ID/Okta); payment processors (transaction confirmations); partner/affiliate metadata.



3. How We Use Personal Information

  1. Provide and secure the Service (authentication, MFA, RBAC, audit logging, abuse detection).

  2. Facilitate self‑assessment workflows you initiate (templates, scoring tools, evidence storage).

  3. Comply with law and contracts (including cooperating with DoD/DCMA/C3PAO or your prime when required).

  4. Improve the Service (troubleshooting, reliability, product analytics).

  5. Billing and account administration.

  6. Communications (service notices, incidents, product updates, lawful marketing).

We do not sell or share Personal Information as defined by U.S. state privacy laws.



4. Disclosures of Personal Information

We may disclose Personal Information to:

  • Subprocessors/service providers (hosting, monitoring, ticketing, payments) under data‑protection terms;

  • Prime contractors, C3PAOs, or Government authorities when required by contract or law, or to correct a material misrepresentation regarding use of the Service;

  • Professional advisors (lawyers/auditors) under confidentiality;

  • Successors in corporate transactions; and

  • Law enforcement/regulators when legally required or to protect rights, safety, and integrity.



5. Data Location & Transfers

The Service is hosted in U.S. cloud regions. If limited cross‑border support occurs, we apply appropriate safeguards (e.g., SCCs/UK Addendum) and restrict access to the minimum necessary.



6. Security

We implement administrative, technical, and physical safeguards appropriate for FCI‑only environments (e.g., MFA, encryption in transit/at rest, role‑based access, audit logging, vulnerability management). CUI may not be uploaded.

If we become aware of a data incident affecting your Personal Information, we will notify you consistent with law and contracts. We may suspend or terminate access if we detect or reasonably suspect prohibited data (e.g., CUI) in the Service.



7. Retention

  • Customer content (in‑platform): kept for your subscription term; upon termination we will return and/or delete remaining copies within 90 days unless a longer period is required by law.

  • Security & access logs: retained 24 months for security, forensics, and compliance.

  • Billing records & contracts: retained 7 years or longer if required by law.



8. Your Responsibilities (GovCon‑specific)

  • FCI‑only usage: classify data before ingestion and ensure no CUI/CDI/ITAR is uploaded.

  • SPRS: you are responsible for posting SPRS scores and annual affirmations and maintaining evidence; our templates/workbooks are aids only.

  • If CUI is suspected: notify us within 24 hours and follow applicable DFARS incident reporting.



9. Post‑Termination & Misrepresentation

After termination or suspension, you must stop claiming reliance on CUI Vault controls and update any SSP/POA&M/SPRS materials accordingly; we may request written confirmation. If we reasonably believe you continue to rely on the Service post‑termination or misrepresent use, we may request documentation and notify primes/contracting authorities/C3PAOs to correct the record.



10. Your Privacy Rights

Depending on your jurisdiction (e.g., CA/VA/CO/CT/UT or GDPR/UK GDPR), you may have rights to access, correct, delete, port, or restrict/opt‑out of certain processing. To exercise rights, email privacy@cuivault.com. If we act as a processor/service provider, we may refer your request to your organization.



11. Cookies

We use strictly necessary cookies (authentication, session security) and optional analytics cookies (opt‑in). Manage preferences in your browser or via our cookie banner. See our Cookie Notice for details.



12. Children’s Data

The Service is not intended for children under 16 and we do not knowingly collect their Personal Information.



13. Changes

We may update this Policy and will post a new “Last updated” date and provide notice where required.



14. Contact

privacy@cuivault.com  |  +1 (703) 555‑0188

Version: v1.0 (July 28, 2025)