Privacy Policy

1. Information We Collect

We collect information you provide directly, information generated by your use of the platform, and limited technical information necessary to operate the service.

Account and Identity Information

When you register for or access a Proofyx application, we collect your name, email address, and organizational affiliation. For organizations using single sign-on (SSO) via Microsoft Entra ID or similar identity providers, we receive a token-based identifier, display name, and email — we do not receive or store your SSO credentials.

Compliance and Policy Data

The core function of Proofyx involves storing compliance evidence, policy documents, version history, approval records, and acknowledgement logs on your behalf. This data is your data — we act as a data processor, not a data controller, with respect to the content you upload and manage.

Usage and Technical Data

We collect standard server logs including IP addresses, browser type, timestamps, and pages visited. This data is used for system monitoring, debugging, and security purposes. We do not sell this data or use it for advertising.

Contact Form Submissions

If you submit a message via our contact form, we receive and store your name, email address, and message content for the purpose of responding to your inquiry.

2. How We Use Information

We use the information we collect to:

• Provide, operate, and maintain the Proofyx platform and its features
• Authenticate users and enforce role-based access controls
• Generate and maintain audit logs that are core to the platform's compliance functionality
• Respond to support and contact inquiries
• Diagnose technical issues and monitor system health
• Communicate service updates, security notices, or changes to this policy

We do not use your data to train machine learning models, sell to third parties, or serve advertising.

3. Data Storage and Security

Proofyx is hosted on Microsoft Azure infrastructure. Data is stored in Azure-managed services with the following protections in place:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS (HTTPS). We do not support unencrypted HTTP connections.
• Encryption at rest: Database storage and file blob storage are encrypted at rest using AES-256 or equivalent standards managed by Azure.
• Access controls: Access to production systems is restricted to authorized personnel. We follow least-privilege principles for internal access.
• Audit logging: Internal access to customer data is logged and auditable.

Despite these measures, no system is completely immune to security incidents. If a breach occurs that affects your data, we will notify you in accordance with applicable law and our contractual obligations.

4. Data Retention

We retain your data for as long as your account is active and as needed to provide the service. We do not impose a single rigid retention timeline across all data types — the appropriate retention period depends on the type of data and the regulatory context your organization operates in.

For compliance evidence and policy records, we recognize that your own regulatory obligations (such as CMMC, NIST, or internal audit requirements) may require you to retain records for multi-year periods. Organization administrators can configure retention settings within the platform to match their compliance requirements. We will retain this data for as long as your account is active or as configured.

For account and usage data, we retain it for the life of your account and for a reasonable period thereafter for audit, legal, and operational purposes.

If you close your account and have no active contractual agreement requiring retention, we will begin a deletion or anonymization process for your personal data. Given the compliance nature of the platform, we may retain certain records in a de-identified form for system integrity and audit purposes. If you have specific retention requirements, please contact us to discuss your options before closing your account.

5. Third-Party Services

Proofyx uses third-party services in two categories: core infrastructure required to operate the platform, and optional analytics and monitoring tools that help us understand how the platform is used. These are described separately below.

Core Infrastructure

• Microsoft Azure: Hosting, database, and blob storage infrastructure. All customer data resides in Azure-managed services.
• Microsoft Entra ID: Enterprise SSO authentication and identity management.
• Email delivery providers: Used for system notifications, policy acknowledgement reminders, and transactional emails. We do not use email providers for marketing without explicit opt-in.

Analytics and Product Monitoring

We may use third-party analytics tools to understand how users interact with the Proofyx website and platform. The purpose is to improve usability, identify friction in workflows, and make informed product decisions — not to build advertising profiles or sell data.

Analytics tools we may use include services such as Google Analytics, PostHog, or similar platforms. When active, these tools may collect:

• Pages visited and navigation paths within the website
• Feature usage patterns within the platform (e.g., which modules are used and how frequently)
• General technical information such as browser type, device type, and approximate geographic region
• Session duration and engagement metrics

Analytics tools do not have access to your compliance evidence, policy documents, or any content you manage within Proofyx. They operate at the interaction and session level only.

Where required by applicable law, we will surface a cookie consent mechanism that allows you to opt out of analytics tracking before it begins. You may also opt out at any time via browser-level privacy controls or by contacting us.

We do not use social media pixels, behavioral advertising trackers, or third-party tools that transmit your data to external parties for advertising targeting purposes.

6. Cookies

Proofyx uses cookies in two categories:

• Strictly necessary cookies: Session and authentication cookies that are required for you to log in and use the platform. These cannot be disabled without breaking core functionality.
• Analytics cookies (optional): If analytics tools are active, they may set cookies to distinguish unique sessions and track navigation. Where required by law, you will be given the opportunity to accept or decline these before they are set.

We do not use advertising cookies or allow third parties to set tracking cookies on proofyx.com or our application domains for advertising purposes.

7. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights with respect to your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your personal data, subject to legal retention requirements
• Portability: Request an export of your data in a structured, machine-readable format
• Objection: Object to processing in certain circumstances

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

8. Children's Privacy

Proofyx is designed for enterprise and professional use. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy as our services evolve or as legal requirements change. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify active users by email. Continued use of the platform after a policy update constitutes acceptance of the revised terms.

10. Contact

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, please contact us: