Privacy Policy
Effective 2026-05-19.
Resolute Security ("Resolute," "we," "us") provides the Resolute Security platform ("Service"). This Policy explains what data we collect, why, how we use it, and the choices you have.
1. What we collect
- Account data: email address, name (if you provide one), organization name, hashed password (if password sign-in is enabled), MFA secret (if you enroll), OAuth account identifiers when you sign in via Google or Microsoft.
- Subscription data: Stripe customer and subscription identifiers, plan tier, billing status. Card details are stored with Stripe, not us.
- Scan and monitoring data: domain names you submit, DNS query results, scoring metadata. We deliberately do not store SMTP message contents, mailbox contents, or any personally identifiable mail data.
- Compliance content: the answers, notes, and evidence you upload while completing CMMC / SOC 2 / NIST CSF assessments and vendor questionnaires.
- Operational data: IP addresses, user-agent strings, audit-log events (sign-in, configuration changes), session metadata. Used for security forensics and rate limiting.
- Email-deliverability signals: bounce and complaint events forwarded to us by Resend for the addresses we have sent transactional email to.
2. How we use it
- Provide the Service and the features your plan includes.
- Send you transactional email (sign-in links, scan reports, drift alerts, billing receipts, weekly digests when you opt in).
- Detect, prevent, and respond to abuse, fraud, and security incidents.
- Improve the product. We don't train AI models on your data.
- Comply with legal obligations.
3. Sub-processors
We rely on a small set of third-party providers to operate the Service — managed Postgres, transactional email, payments, error monitoring, etc. Each is bound by its own privacy and security commitments and by a data-processing agreement with us. See the full, regularly updated list at /sub-processors.
4. How long we keep your data
- Account and compliance content: as long as your account is active. You can delete your account at any time; we remove your data from production within 30 days, and copies in backups age out on the backup retention schedule.
- Scan results: retained for plan-tier-dependent windows so historical diffs work; see your plan's details.
- Audit logs: 12 months. Sign-in / configuration history is kept for security forensics.
- Magic-link tokens and expired sessions: pruned by a daily cleanup job.
5. Your rights
Depending on where you live, you may have the right to access, correct, port, or delete your personal data, restrict or object to processing, and withdraw consent. Most of these are self-serve via your account settings; for anything else, file a request at /your-rights and we'll respond within 30 days.
6. International transfers
We host the Service in the United States. If you access the Service from outside the US, your data is transferred to and processed in the US. For EEA/UK residents we rely on Standard Contractual Clauses and equivalent transfer mechanisms with our sub-processors where required.
7. Security
We use TLS everywhere, hash sensitive credentials, isolate customer data at the database level, and audit-log every configuration change. We can't guarantee absolute security, but if we have a breach affecting your data we will notify you and any regulators as the law requires.
8. Children
The Service is not directed at children under 13 and we do not knowingly collect their personal information.
9. Cookies
We only set strictly-necessary cookies (session, security, impersonation, current-org). See our Cookie Policy for details.
10. Changes
We'll post updates here and update the effective date. Material changes will be announced by email when we have an email address on file for you.
11. For business customers — DPA
If you're evaluating Resolute for your organization, our Data Processing Addendum is published in full and applies automatically to every paid subscription. Need a countersigned PDF for your procurement file? Email privacy@resolute-security.com.
12. Contact
Privacy questions or rights requests: privacy@resolute-security.com. Or file a request directly via /your-rights.