Legal & Privacy

Business Information: We collect company name, business contact details, industry sector, and organizational structure information necessary to deliver our security assessment services.

Technical Data: During security assessments, we collect system configurations, network architecture details, cryptographic implementations, vulnerability scan results, and related technical data required for comprehensive analysis.

Usage Data: We collect information about how you interact with our platform including IP addresses, browser types, access times, and pages viewed.

Communications: We retain records of emails, support tickets, and other communications between your organization and Qryptonic.

Service Delivery: We use collected information to conduct security assessments, generate reports, provide recommendations, and deliver contracted services.

Security Operations: Technical data is analyzed to identify vulnerabilities, assess cryptographic implementations, and evaluate quantum computing threats to your systems.

Communication: We use contact information to deliver reports, provide updates, respond to inquiries, and communicate about service-related matters.

Legal Compliance: We process data as required to comply with legal obligations, enforce our agreements, and protect our rights.

Assessment Data: Technical findings and assessment results are retained for 7 years to support ongoing security posture tracking and comparative analysis.

Business Records: Contracts, invoices, and business communications are retained according to applicable financial record-keeping requirements, typically 7 years.

Platform Data: User account information and platform usage data are retained for the duration of the business relationship plus 3 years.

Encryption: All data in transit is protected using TLS 1.3 or higher. Data at rest is encrypted using AES-256 or equivalent post-quantum cryptographic standards where implemented.

Access Controls: Access to client data is restricted to authorized personnel on a need-to-know basis. All access is logged and monitored.

Infrastructure Security: Our systems are hosted in SOC 2 Type II certified facilities with multiple layers of physical and digital security controls.

Incident Response: We maintain documented incident response procedures. In the event of a data breach affecting your information, we will notify you within 72 hours of discovery.

Access: You have the right to request copies of the personal information we hold about your organization.

Correction: You may request correction of inaccurate or incomplete information.

Deletion: You may request deletion of your data subject to our legal retention obligations and legitimate business interests.

Data Portability: You may request your data in a structured, machine-readable format.

To exercise these rights, contact legal@qryptonic.com.

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose, and categories of third parties with whom we share it.

Right to Delete: You may request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information. Qryptonic does not sell personal information.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Right to Correct: You may request correction of inaccurate personal information.

To exercise these rights, contact legal@qryptonic.com or call +1 (888) 2-QRYPTONIC. We will verify your identity before processing requests.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis: We process your personal data based on: (a) your consent, (b) performance of a contract, (c) compliance with legal obligations, or (d) our legitimate business interests, provided they do not override your fundamental rights.

Right to Access: You may request a copy of your personal data and information about how it is processed.

Right to Rectification: You may request correction of inaccurate or incomplete personal data.

Right to Erasure: You may request deletion of your personal data where there is no compelling reason for continued processing.

Right to Restrict Processing: You may request limitation of processing in certain circumstances.

Right to Data Portability: You may request your personal data in a structured, machine-readable format and have it transferred to another controller.

Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.

Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.

International Transfers: When we transfer data outside the EEA, we use Standard Contractual Clauses approved by the European Commission or other appropriate safeguards.

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

To exercise these rights, contact our Data Protection Officer at dpo@qryptonic.com. We will respond within 30 days.

Scope Definition: Services are delivered according to agreed Statements of Work (SOW) or Master Service Agreements (MSA). The SOW defines specific deliverables, timelines, and acceptance criteria.

Client Responsibilities: You agree to provide timely access to systems, personnel, and documentation necessary for assessment completion.

Assessment Methodologies: We employ industry-standard methodologies including NIST frameworks, OWASP testing protocols, and proprietary quantum threat assessment procedures.

Client Ownership: You retain all rights to your systems, data, and proprietary information. Assessment reports and findings specific to your organization are your property.

Qryptonic IP: Our methodologies, tools, frameworks, templates, and proprietary analysis techniques remain our intellectual property.

Assessment Scope: Our assessments are point-in-time evaluations based on the agreed scope. We do not guarantee identification of all vulnerabilities or that your systems are completely secure.

Limitation of Damages: Our total liability for any claims arising from services is limited to the fees paid for the specific engagement giving rise to the claim, not to exceed $1,000,000 in aggregate.

Governing Law: These terms are governed by the laws of the State of Florida, USA.

Jurisdiction: Disputes will be resolved in state or federal courts located in Miami-Dade County, Florida.

Cloud Architecture: Our platform operates on AWS and Azure infrastructure with multi-region redundancy, automated failover, and continuous monitoring.

Network Security: All network traffic is encrypted in transit using TLS 1.3. Internal networks employ microsegmentation and zero-trust architecture principles.

Access Management: We enforce multi-factor authentication, role-based access controls, and least-privilege principles.

Encryption at Rest: Client data is encrypted using AES-256-GCM with key management through AWS KMS and Azure Key Vault.

Encryption in Transit: All data transmission uses TLS 1.3 with perfect forward secrecy.

Key Management: Cryptographic keys are generated using hardware security modules (HSMs), rotated regularly, and never stored in plaintext.

Post-Quantum Cryptography: We actively monitor NIST post-quantum cryptography standardization and are implementing quantum-resistant algorithms as they are ratified.

Crypto-Agility: Our systems are designed for crypto-agility, enabling rapid algorithm replacement as threats evolve.

Harvest Now, Decrypt Later: We assume adversaries are collecting encrypted data for future decryption with quantum computers and implement mitigations accordingly.