1. Information We Collect

We collect information you provide when creating an account (name, email, organization), compliance assessment data (NIST SP 800-171 control statuses, evidence files, implementation notes), and company details (CAGE code, DUNS number, contract numbers).

We also collect usage analytics via PostHog with autocapture disabled. We do not capture page URLs, form inputs, or CUI-related content. All analytics data is anonymized.

2. How We Use Your Data

Your data is used solely to provide the CMMC compliance assessment service: generating compliance scores, gap analysis reports, System Security Plans, and team collaboration features. We do not sell, share, or monetize your compliance data.

3. Data Storage & Security

All data is stored in Convex (real-time database) with encryption at rest and in transit. Authentication is handled by Clerk with SOC 2 Type II compliance. Evidence files are stored in Convex Storage with time-limited signed URLs — no permanent file URLs are persisted.

4. Third-Party Services

Clerk — authentication and user management
Convex — database and file storage
Stripe — payment processing (PCI DSS compliant)
Anthropic / OpenAI — AI-powered compliance analysis (Professional plan only; only control metadata and company name are sent — never user documents or CUI)
Sentry — error monitoring (all user text masked, page URLs stripped)
PostHog — anonymized product analytics (autocapture disabled)
Resend — transactional email delivery
Inngest — scheduled job orchestration (deadline alerts, drift checks)
Upstash — rate limiting (no user data stored)

5. Data Retention & Deletion

Your data is retained as long as your account is active. You may request full data deletion at any time by contacting support. Upon deletion, all compliance data, evidence files, and account information are permanently removed within 30 days.

6. Contact

For privacy inquiries, contact privacy@cmmccommand.org.