What we collect.
We collect three categories of information, each tied to a specific business purpose.
a. Information you submit through the consultation form
When you book a consultation through the booking form on our homepage, we collect the fields you fill in: full name, company name, business email, business phone, your preferred consultation date and time, and the optional message field. This data is the minimum we need to return a scoping summary or schedule a call.
b. Information you submit through the client portal
If you create a free account or are added as a contact on an engagement, we collect your email address (for magic-link authentication), the company name, optional company logo, your role on the engagement, and any data you choose to upload — System Security Plan drafts, policies, evidence artifacts, system inventories, and similar.
c. Technical information collected automatically
Our hosting platform (Vercel) records standard access logs: IP address, user agent string, request timestamps, and HTTP status codes. These logs are retained for a rolling 30 days for security and abuse-prevention purposes. We do not run third-party analytics, advertising pixels, or session-replay tools on this site.
How we use it.
We use the information described above only for the following purposes:
- To respond to your consultation request — usually by email or phone within two business days.
- To deliver the CMMC readiness work you have engaged us to perform.
- To authenticate you in the client portal (Supabase Auth, magic-link OTP).
- To send transactional emails related to your account or engagement (Resend, our SMTP provider).
- To improve the service and diagnose errors, using aggregate access logs only.
We do not use your information for behavioral advertising. We do not sell, rent, or trade personal information to data brokers, advertisers, or any other third party.
Where it lives.
Production data is stored in the following services, all located in United States regions:
- Supabase — Postgres database, authentication, and file storage for the client portal.
- Vercel — application hosting and CDN. Access logs retained 30 days.
- Resend — transactional email delivery (magic links, account notifications).
- Anthropic — only when you click "Generate with AI" inside the client portal templates. The contents of those prompts are sent to the Anthropic API for inference; we log the request id and a token count internally but do not retain the prompt text beyond what is necessary to render your result.
Public photographs displayed on the site are hot-linked from Wikimedia Commons via the Special:FilePath redirect. Wikimedia receives standard HTTP requests when your browser loads those images.
Cookies & similar technologies.
We use the smallest possible set of cookies. Specifically:
- Supabase authentication cookies — set only after you sign in to the client portal. These are strictly necessary functional cookies; without them the portal cannot recognize that you are signed in.
- Local storage — used by the client portal to remember your command-palette preferences and onboarding-wizard state. Local to your browser; never transmitted to us.
We do not set any advertising, retargeting, or analytics cookies. Because we use only strictly necessary cookies, we do not display a cookie banner; nothing requires your consent to operate the site, and there is nothing to opt out of.
How long we keep it.
- Consultation form submissions — retained for the life of the engagement, plus 24 months. Older entries are reviewed for deletion quarterly.
- Client portal accounts — retained while the account is active. Inactive accounts (no sign-in for 18 months) are subject to deletion after notice.
- Engagement artifacts (SSP drafts, policies, evidence) — retained for the duration of the engagement and for 36 months thereafter for assessment-defense purposes, or longer if required by your contract with us.
- Hosting access logs — 30 days rolling.
- AI generation logs — request id, token count, and timestamp retained 90 days for billing reconciliation; prompt contents are not retained.
Your rights.
You may exercise the following rights at any time by emailing privacy@dbitdefense.com:
- Access — request a copy of personal information we hold about you.
- Correction — request that we correct inaccurate information.
- Deletion — request that we delete personal information we no longer need for a legal, contractual, or assessment-defense purpose.
- Portability — receive a copy of your account data in a machine-readable format.
- Restriction — ask us to pause processing of your information while a request is being investigated.
We respond to verified requests within 30 days. We may need to verify your identity before acting on a request — typically by sending a one-time code to the email address on file.
Security practices.
We treat the security of client information the same way we treat the security of our own — because in many cases the artifacts you share with us would meet the definition of Controlled Unclassified Information (CUI). At a minimum:
- All data in transit is encrypted (TLS 1.2 or higher).
- Database, storage, and email service connections use credential-scoped service keys.
- Client portal access is enforced by row-level security policies in Postgres; clients see only their own engagement records.
- Admin access is restricted to a named allowlist of DBIT Defense employees.
- Secrets and credentials are stored only in our hosting platform's environment variable store, never in source code.
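For readers who want to see what the row-level security bullet above means in practice, the following is an illustrative Postgres snippet added to this page; it is not DBIT Defense's actual schema or policy code. The table name, column names, and the engagement-membership model are assumptions chosen for the example; `auth.uid()` is the Supabase helper that returns the signed-in user's id from the request's JWT.

```sql
-- Illustrative example only (not DBIT Defense's production schema).
-- Models the rule "clients see only their own engagement records":
-- a user may read a record only if they are a contact on that engagement.

-- Assumed tables: one row per engagement contact, one row per artifact/record.
create table engagement_contacts (
  engagement_id uuid not null,
  user_id       uuid not null references auth.users (id),
  primary key (engagement_id, user_id)
);

create table engagement_records (
  id            uuid primary key default gen_random_uuid(),
  engagement_id uuid not null,
  title         text not null,
  body          text
);

-- Turn RLS on. FORCE makes the policy apply even to the table owner,
-- so a misconfigured server-side connection does not silently bypass it.
alter table engagement_records enable row level security;
alter table engagement_records force row level security;
alter table engagement_contacts enable row level security;
alter table engagement_contacts force row level security;

-- Contacts may see their own membership rows (needed for the join below).
create policy "contacts see own memberships"
  on engagement_contacts for select
  to authenticated
  using (user_id = auth.uid());

-- Records are visible only to contacts on the same engagement.
-- With no INSERT/UPDATE/DELETE policies defined, those operations are
-- denied to clients by default; staff-side writes would use a separate
-- role and policy set, not shown here.
create policy "clients read own engagement records"
  on engagement_records for select
  to authenticated
  using (
    exists (
      select 1
      from engagement_contacts c
      where c.engagement_id = engagement_records.engagement_id
        and c.user_id = auth.uid()
    )
  );
```

The check worth doing after writing policies like these is to query the table as a low-privilege client role (in Supabase, the `authenticated` role with a test user's JWT) and confirm that rows belonging to another engagement are absent from the result, not merely filtered in application code.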
No security program is perfect. If you believe you have found a vulnerability, please email security@dbitdefense.com with a description and we will respond within two business days.
Children's information.
DBIT Defense is a business-to-business service. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a minor has submitted information through our site, please contact us and we will delete it.
Changes to this policy.
We may update this Privacy Policy when our practices change. Material changes will be announced on this page at least 30 days before they take effect; the "Effective" date at the top of the page will be updated to reflect the new version. Prior versions are retained in our source-control history and available on request.
Contact us.
For any privacy question or request, write to privacy@dbitdefense.com or contact us through the form on the homepage. For general inquiries, see our contact section.
DBIT Defense · South Florida (Palm Beach, Broward, Miami-Dade counties) · (561) 887-5470