Privacy Policy

Your privacy is fundamental to everything we build.

Effective: March 28, 2026 • Updated: May 31, 2026

1. Information We Collect

Account Information: When you create an EchelonGraph account, we collect your name, email address, organization name, and role. If you sign up via SSO (SAML, OIDC, or LDAP), we receive the identity attributes your Identity Provider shares.

Cloud Configuration Data: When you connect cloud accounts (AWS, GCP, Azure), EchelonGraph scans resource configurations, IAM policies, network topology, and security group rules. We do NOT access, read, or store the contents of your databases, S3 objects, storage blobs, or application data.

Vulnerability & Compliance Data: We process CVE metadata, compliance check results, risk scores, and remediation states. This data is derived from your cloud infrastructure configuration and public vulnerability databases (NVD).

Usage Data: Within the authenticated product, our own servers record how the platform is used — features used, API calls made, and performance metrics — to operate, secure, and improve the Service. This is first-party, server-side telemetry only; we do not use third-party analytics, advertising, or cross-site trackers (see Section 6).

Device & Log Data: IP addresses, browser type, operating system, referrer URLs, and access timestamps are collected for security monitoring and abuse prevention.

2. How We Use Your Information

Service Delivery: To provide, maintain, and improve EchelonGraph's cloud security platform, including vulnerability scanning, compliance scoring, attack path analysis, and alerting.

Security & Fraud Prevention: To detect and prevent unauthorized access, monitor for abuse, and protect the integrity of our platform and your data.

Communication: To send you service notifications, security alerts, product updates, and (with your consent) marketing communications. You can unsubscribe from marketing emails at any time.

Analytics & Improvement: To understand usage patterns and improve product features, performance, and reliability. We use aggregated, anonymized data for this purpose.

Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests.

3. Data Storage & Retention

Infrastructure: Your data is stored in Google Cloud Platform (GCP) infrastructure located in the United States (us-central1 region). All data is encrypted at rest using AES-256-GCM and in transit using TLS 1.3.

Tenant Isolation: Every customer's data is logically isolated using PostgreSQL Row-Level Security (RLS), Neo4j label-based isolation, and ClickHouse partition isolation. No customer can access another customer's data.

Retention Periods: Scan and finding data are retained according to your plan — 90 days (Free), 365 days (Pro), and 730 days (Enterprise). Compliance scores are retained for 2 years, audit logs for 1 year, and encrypted backups for 30 days. Account data is retained for the duration of your subscription plus 30 days.

Deletion: Upon account termination, all customer data is permanently deleted within 30 days. You can request immediate deletion by contacting privacy@echelongraph.io.

4. Data Sharing & Third Parties

We do NOT sell your data. EchelonGraph never sells, rents, or trades personal information or customer cloud configuration data to third parties.

Sub-processors: We use a limited, vetted set of sub-processors: Google Cloud Platform (infrastructure hosting), Cloudflare (DNS, WAF, and DDoS protection), Stripe (payment processing), and SendGrid/Twilio (transactional email). The current list — with each processor's purpose, location, and Standard Contractual Clauses status — is maintained in our [Data Processing Agreement](/dpa), and we notify customers at least 30 days before adding a new sub-processor.

Legal Requirements: We may disclose data if required by law, subpoena, or court order, or if we believe disclosure is necessary to prevent harm or protect rights.

Business Transfers: In the event of a merger, acquisition, or asset sale, customer data may be transferred. We will provide notice before data is transferred and becomes subject to a different privacy policy.

5. Your Rights

GDPR (EU/EEA): You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing. You may also withdraw consent at any time. Contact our DPO at dpo@echelongraph.io.

CCPA (California): You have the right to know, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact privacy@echelongraph.io.

DPDP Act (India): As a Data Fiduciary, we process your data based on consent and legitimate purposes. You have the right to access, correct, erase, and nominate. Contact grievance@echelongraph.io.

Response Time: We respond to all data subject requests within 30 days. Complex requests may take up to 60 days with prior notification.

6. Cookies, Local Storage & Tracking

Strictly-necessary cookies only. EchelonGraph sets a small number of essential cookies — for authentication, session management, a device fingerprint used to protect your account, and CSRF protection. They are set HttpOnly, Secure, and SameSite=Strict, are required to sign in and use the platform, and cannot be disabled.

Browser local storage. The application stores your session tokens and your own interface preferences (such as theme, language, notification settings, and saved dashboard layouts) in your browser's local storage. This data stays on your device, is used only to make the product work for you, and is never used for cross-site or behavioural tracking.

No analytics, advertising, or third-party tracking. We do NOT use Google Analytics, advertising pixels, marketing fingerprinting, cross-site trackers, or any third-party tracking cookies — and we never sell or share your data with advertising networks. As a security company, choosing not to track you is a deliberate part of how we earn your trust.

Why you won't see a cookie-consent banner. Because we use only strictly-necessary cookies — which are exempt from consent requirements under the EU ePrivacy Directive and GDPR — there is nothing non-essential to consent to. If we ever introduce analytics or marketing cookies, we will publish a genuine consent banner, with prior opt-in and a real reject option, before any such cookie is set.

Global Privacy Control & Do-Not-Track: We honour Global Privacy Control (GPC) and Do-Not-Track browser signals. Because we operate no advertising or cross-site tracking, there is nothing for these signals to switch off — but we will never override them.

7. Security Measures

EchelonGraph implements industry-standard security measures including: AES-256-GCM encryption at rest, TLS 1.3 encryption in transit, RS256 JWT with token rotation, TOTP MFA with recovery codes, RBAC with 5 roles and 18 permissions, audit logging of all administrative actions, and automated vulnerability scanning of our own infrastructure.

We are actively working toward SOC 2 Type II certification (Security and Confidentiality trust-service criteria) and align our information-security practices with ISO 27001:2022, with formal certification planned. See our Security page for our current certification status and live platform posture.

8. Children's Privacy

EchelonGraph is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

9. International Data Transfers

If you are located outside the United States, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and additional technical and organizational measures to ensure adequate protection.

For customers requiring data residency, we offer regional deployment options (EU, APAC) on our Enterprise plan.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website at least 30 days before the changes take effect.

Your continued use of EchelonGraph after the changes take effect constitutes acceptance of the updated policy.

11. Contact Us

Data Protection Officer: dpo@echelongraph.io

Privacy Inquiries: privacy@echelongraph.io

General Support: support@echelongraph.io

Mailing Address: EchelonGraph, Inc. • Privacy Team • Susaek, Eunpyeong-gu, Seoul, South Korea