Privacy Policy
SecurityPassport
Last updated: May 18, 2026
1. Introduction
This Privacy Policy explains how SecurityPassport collects, uses, processes, protects, and retains personal data when operating the SecurityPassport website, platform, and related trust operations services.
SecurityPassport is a software-as-a-service platform that helps organizations manage security and compliance evidence, operate governance workflows, maintain operational records, and generate audit-ready trust documentation.
This Privacy Policy applies to:
- visitors to the SecurityPassport marketing website
- users invited to or registered for the SecurityPassport platform
- customer administrators and workspace members
- individuals whose personal data may appear in evidence, policies, reports, screenshots, exports, attachments, or other materials uploaded by SecurityPassport customers
- people who contact us for support, sales, procurement, privacy, legal, or security review purposes
SecurityPassport is designed around operational trust workflows. This means that privacy, security, evidence lifecycle management, access control, audit logging, export traceability, and governance accountability are treated as connected parts of the platform.
This Privacy Policy is intended to describe our data practices in a clear and practical way. It does not replace any written agreement, data processing agreement, order form, or other contractual document between SecurityPassport and a customer.
2. Roles and Responsibilities
SecurityPassport may process personal data in different roles depending on the context.
2.1 Website and Business Operations
For personal data collected through our website, sales process, support communications, procurement communications, and business operations, SecurityPassport generally acts as the data controller. This means SecurityPassport determines the purposes and means of processing for that data.
2.2 Customer Workspace Data
For personal data processed inside a customer workspace, SecurityPassport generally acts as a data processor or service provider on behalf of the customer. The customer organization generally acts as the data controller or business because it decides:
- what data is uploaded
- which users are invited
- which evidence, policies, reports, and records are stored
- how workspace data is used
- how long customer-controlled data should be retained
- which outputs, exports, or share links are generated
SecurityPassport processes customer workspace data according to the customer’s instructions, the applicable service agreement, and any applicable data processing terms.
2.3 Customer Responsibility for Uploaded Content
Customers are responsible for ensuring that they have the necessary rights, permissions, notices, and legal bases to upload, process, store, review, export, or share content through SecurityPassport.
Customer-provided content may include personal data about employees, contractors, vendors, customers, auditors, reviewers, or other individuals. SecurityPassport does not control what personal data customers choose to include in uploaded evidence, policy documents, reports, screenshots, attachments, or exports.
3. Categories of Personal Data We Process
Depending on how SecurityPassport is used, we may process the categories of personal data described below.
3.1 Account and Workspace Information
When users create accounts, are invited to a workspace, or access the platform, we may process:
- name
- email address
- organization or tenant affiliation
- workspace role
- user permissions
- account status
- invitation status
- workspace membership information
3.2 Authentication and Security Data
To maintain secure access to the platform, we may process:
- hashed passwords
- login attempts
- session identifiers
- authentication timestamps
- email verification tokens
- password reset tokens
- access events
- security-related request metadata
Passwords are not stored in plain text.
3.3 Operational and Audit Logs
To support security, auditability, platform integrity, and operational accountability, we may process logs and activity records such as:
- user actions
- workspace activity
- evidence review actions
- policy workflow actions
- export generation events
- share link creation events
- access timestamps
- audit log entries
- request identifiers
- IP addresses
- browser user agent strings
- system event metadata
Operational logs help SecurityPassport detect abuse, investigate incidents, maintain platform reliability, preserve review history, and support governance traceability.
3.4 Customer-Provided Content
Customers may upload or generate content in the platform, including:
- compliance evidence
- policy documents
- control records
- framework mappings
- risk records
- vendor records
- privacy system records
- AI governance records
- screenshots
- audit reports
- exports
- attachments
- notes and metadata
- review history and workflow records
This customer-provided content may contain personal data depending on what the customer chooses to upload or create.
3.5 Evidence and Governance Metadata
SecurityPassport may process metadata connected to evidence and governance workflows, including:
- evidence owner
- reviewer
- approval status
- review dates
- expiry dates
- control mappings
- framework mappings
- export status
- remediation status
- workflow state
- timestamps
- operational history
This metadata is used to help customers manage trust operations, review readiness, audit preparation, and export traceability.
3.6 Support, Sales, and Procurement Communications
When people contact us, we may process:
- name
- email address
- company name
- role or job title
- message content
- support request details
- procurement or security review questions
- scheduling and communication metadata
3.7 Technical Data
When users visit the website or access the platform, we may process:
- IP address
- device information
- browser type
- operating system
- approximate location derived from IP address
- request logs
- performance metrics
- error logs
- cookie or similar technology information, where applicable
4. How We Use Personal Data
We process personal data for the purposes described below.
4.1 Providing and Operating the Platform
We use personal data to:
- create and manage user accounts
- authenticate users
- manage tenants and workspaces
- provide access to platform features
- store customer-controlled evidence and records
- support evidence lifecycle workflows
- support control, policy, risk, vendor, privacy, and AI governance workflows
- generate exports, reports, trust packets, and documentation packages
- provide customer support
- maintain service availability and reliability
4.2 Security, Integrity, and Abuse Prevention
We use personal data to:
- detect unauthorized access attempts
- monitor platform activity
- investigate suspicious activity
- prevent fraud, abuse, or misuse
- maintain audit trails
- protect tenant and workspace integrity
- enforce access controls
- secure platform operations
4.3 Governance, Auditability, and Traceability
SecurityPassport is designed to help customers preserve operational context. We may process personal data and metadata to support:
- evidence review history
- ownership attribution
- policy approval workflows
- export traceability
- audit log generation
- workflow accountability
- operational timelines
- governance reporting
4.4 Customer Support and Service Communications
We use personal data to:
- respond to support requests
- troubleshoot technical issues
- investigate errors
- communicate service updates
- assist with onboarding or implementation
- respond to procurement, privacy, legal, or security questions
4.5 Platform Improvement
We may use technical, usage, and operational information to:
- diagnose errors
- monitor performance
- improve usability
- improve reliability
- understand feature usage
- prioritize platform improvements
Where possible, we use aggregated or de-identified information for analytics and improvement.
4.6 Legal, Compliance, and Contractual Purposes
We may process personal data to:
- comply with legal obligations
- enforce agreements
- respond to lawful requests
- maintain business records
- protect our rights, users, customers, and services
5. Legal Bases for Processing
Where the General Data Protection Regulation or similar laws apply, we rely on one or more of the following legal bases.
5.1 Performance of a Contract
We process personal data when necessary to provide SecurityPassport services, manage user accounts, operate customer workspaces, provide support, and fulfill contractual obligations.
5.2 Legitimate Interests
We process personal data where necessary for legitimate interests such as:
- securing the platform
- preventing abuse
- maintaining auditability
- improving reliability
- supporting customer operations
- responding to inquiries
- monitoring service performance
We consider and balance these interests against the rights and freedoms of individuals.
5.3 Legal Obligations
We may process personal data where necessary to comply with legal, regulatory, tax, accounting, reporting, or law enforcement obligations.
5.4 Consent
Where required, we may rely on consent for certain activities, such as optional communications or certain cookie-related processing. Where processing is based on consent, individuals may withdraw consent as permitted by applicable law.
6. Workspace and Tenant Isolation
SecurityPassport is designed to support tenant-scoped workspaces. Customer workspace data is logically separated so that users access data only within authorized workspaces and roles.
Customers control:
- which users are invited
- which roles and permissions users receive
- what evidence or records are uploaded
- what workflows are operated
- what exports are generated
- which share links or outputs are created
SecurityPassport uses access control, authentication, workspace boundaries, and audit logging to support tenant isolation and operational accountability.
7. Evidence and Governance Lifecycle
SecurityPassport processes customer-controlled records throughout an operational lifecycle.
A typical lifecycle may include:
- evidence or policy material is uploaded or created
- metadata such as owner, category, review state, expiry date, or control mapping is assigned
- reviewers verify or update the record
- gaps, stale evidence, or missing approvals are identified
- records may be included in reports, trust packets, exports, or share links
- audit logs and workflow history record relevant actions
- records are retained, updated, exported, or deleted according to customer configuration, contract terms, and applicable law
This lifecycle is intended to help customers maintain evidence freshness, operational accountability, and audit-ready review history.
8. Exports, Share Links, and Traceability
SecurityPassport may allow customers to generate exports, reports, documentation packages, share links, or other trust outputs.
These outputs may include customer-controlled content and metadata. Depending on customer configuration and platform functionality, export-related records may include:
- export creator
- generation timestamp
- included evidence or records
- related controls or frameworks
- share link status
- expiration or revocation state
- audit history
- workspace context
Customers are responsible for deciding which outputs to generate and with whom they are shared.
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law, contract, security requirements, or legitimate business needs.
9.1 Customer Workspace Data
Customer-controlled workspace data is generally retained until:
- deleted by the customer
- removed according to customer configuration
- exported and then deleted by customer action
- the applicable service agreement ends
- contractual retention periods expire
- retention is required for legal, security, or compliance reasons
Customers control much of the lifecycle of data in their workspaces.
9.2 Account Data
User account information may be retained while an account remains active and for a limited period after deactivation or termination to support:
- security records
- auditability
- account recovery
- legal obligations
- dispute resolution
- service administration
9.3 Security and Audit Logs
Security logs, audit logs, and operational records may be retained for longer periods where necessary to:
- investigate incidents
- maintain platform security
- preserve auditability
- support compliance requirements
- prevent abuse
- resolve disputes
9.4 Backups
Deleted data may remain in backups for a limited period before being overwritten or deleted according to backup lifecycle practices. Backup data is generally not used for ordinary business purposes unless restoration is necessary.
10. Subprocessors and Service Providers
We may use trusted third-party service providers to operate, secure, support, and improve SecurityPassport. These providers may process personal data only as necessary to provide services to us.
Categories of service providers may include:
- cloud infrastructure providers
- object storage providers
- database hosting providers
- monitoring and logging providers
- email delivery providers
- payment processors
- analytics or error monitoring providers
- customer support or communication tools
We require service providers that process personal data to maintain appropriate confidentiality, security, and data protection commitments.
A current list of subprocessors may be provided upon request or made available through a dedicated subprocessor page in the future.
11. International Data Transfers
SecurityPassport may serve customers and users in multiple regions. Personal data may be processed in countries other than the country where the data was originally collected.
Where personal data is transferred outside the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions with transfer restrictions, we use appropriate safeguards where required. These may include:
- Standard Contractual Clauses
- adequacy decisions
- contractual data protection commitments
- technical and organizational safeguards
- supplementary transfer measures where appropriate
12. Security Measures
We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, misuse, or destruction.
These measures may include:
- encrypted connections using TLS
- secure password hashing
- role-based access control
- tenant-scoped workspace access
- audit logging of platform activity
- export and workflow traceability
- infrastructure monitoring
- security patching and software updates
- restricted operational access to production systems
- least-privilege access practices
- backup and recovery practices
- logging and alerting for security-relevant activity
No system can guarantee absolute security. We continuously work to maintain and improve safeguards appropriate to the nature of the platform and the data processed.
13. Customer Responsibilities
Customers are responsible for:
- deciding what personal data is uploaded to SecurityPassport
- ensuring they have appropriate legal bases and notices for uploaded content
- managing workspace users and permissions
- configuring roles and access controls appropriately
- reviewing evidence before sharing or exporting it
- ensuring exports and share links are shared with appropriate recipients
- responding to requests from individuals where the customer is the data controller
- complying with applicable laws and internal policies
Where SecurityPassport acts as a processor, we assist customers as described in the applicable agreement.
14. Data Subject Rights
Depending on where individuals are located and which laws apply, individuals may have rights such as:
- right of access
- right to correction or rectification
- right to deletion or erasure
- right to restrict processing
- right to data portability
- right to object to processing
- right to withdraw consent where processing is based on consent
- right to lodge a complaint with a data protection authority
Requests may be submitted to:
If the request relates to personal data inside a customer workspace, we may direct the individual to the relevant customer organization. In many cases, the customer is the data controller for workspace content.
We may need to verify identity before fulfilling a request.
15. Cookies and Similar Technologies
SecurityPassport may use cookies or similar technologies on its website and platform for purposes such as:
- maintaining sessions
- improving website functionality
- measuring site performance
- supporting security
- remembering preferences
For more information, please review our Cookie Policy.
16. Children’s Data
SecurityPassport is not intended for use by children or individuals under the age of 16.
We do not knowingly collect personal data from children. If we become aware that personal data from a child has been collected in a way that violates applicable law, we will take appropriate steps to delete it.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- changes to our services
- changes to our data practices
- legal or regulatory developments
- improvements to our security, privacy, or governance practices
The updated version will be posted on our website with an updated “Last updated” date.
18. Contact
Questions about this Privacy Policy or our data practices may be directed to:
SecurityPassport
Email: hello@securitypassports.com
For security, procurement, or legal review questions, please use the contact page or email the appropriate contact listed on the SecurityPassport website.