Privacy Policy

1. Personal Information

In this Privacy Policy, “Personal Information” means information that identifies, relates to, describes, or could reasonably be linked to an individual. Examples may include name, work email address, phone number, company name, job title, online identifiers, user account information, device-user associations, or information submitted through website forms or processed through the GreyAware platform.

Personal Information does not include aggregated, anonymized, or de-identified information that cannot reasonably be used to identify an individual.

GreyAware’s public website and platform are intended for business users and business contacts, including prospects, customers, design partner candidates, partner representatives, and individuals requesting information about GreyAware.

2. Customer Data

“Customer Data” means data submitted to, uploaded to, connected to, synchronized with, or processed through the GreyAware platform by or on behalf of a customer.

Customer Data may include asset data, device data, software data, user and identity records, group and application records, access data, control coverage data, configuration data, policy data, drift data, migration data, exposure data, integration metadata, source evidence, logs, timestamps, activity history, business unit context, ownership context, and related operational information.

Customer Data may include Personal Information if the customer connects systems or provides records containing information about employees, contractors, users, administrators, or other individuals.

As between GreyAware and the customer, the customer controls Customer Data. GreyAware processes Customer Data to provide, secure, support, maintain, and improve the GreyAware platform and services, as described in this Privacy Policy and any applicable customer agreement.

3. Information We Collect From Website Visitors and Business Contacts

We may collect information you choose to provide through our website, including when you request a demo, ask to become a design partner, contact us, or express interest in partnering with GreyAware.

This information may include:

• First name
• Last name
• Company name
• Job title
• Work email address
• Phone number
• Area of interest, such as seeing a demo, becoming a design partner, or partnering with GreyAware
• How you heard about us
• Any additional information you choose to provide
• Whether you accepted our Privacy Policy or other form notices
• Date and time of submission

We may also collect information from business communications with you, such as email correspondence, meeting scheduling information, call notes, feedback, and related business development or customer engagement records.

4. Information We Collect Automatically From Website Use

When you visit our website, we may automatically collect limited technical information, such as:

• Browser type
• Device type
• Operating system
• Referring URLs
• Pages visited
• Approximate location derived from IP address
• Date and time of visit
• General usage information
• Technical logs used for website functionality, security, and performance

We may use cookies or similar technologies as described in the “Cookies and Similar Technologies” section below.

5. Information Processed Through the GreyAware Platform

When a customer uses the GreyAware platform, we may process Customer Data from systems, integrations, files, APIs, or other sources connected or authorized by the customer.

Depending on the customer’s configuration and enabled modules, Customer Data may include:

• Asset and device records
• Hostnames, device identifiers, IP addresses, serial numbers, operating system details, hardware attributes, and device metadata
• Software inventory, installed applications, software versions, and lifecycle or governance information
• User, identity, group, role, application, and access records
• MFA, authentication, access assignment, or account lifecycle information
• Business unit, department, ownership, location, or organizational context
• Control coverage, control health, control deployment, and telemetry status
• Security tool, IT tool, identity tool, CMDB, MDM, EDR, SIEM, cloud, or infrastructure source data
• Policy, configuration, baseline, drift, and change records
• Migration planning, readiness, progress, blocker, exception, and validation records
• Exposure, service, vulnerability, and mapping records
• Source evidence, timestamps, ingestion metadata, and correlation data
• Logs, activity history, diagnostic data, and support-related information

Customers determine which systems are connected to GreyAware and what data is submitted to or processed by the platform.

6. Sources of Information

We may collect or process information from the following sources:

• Directly from you when you submit a website form, request a demo, contact us, or communicate with us
• Automatically from your browser or device when you visit or interact with our website
• From customers who create accounts, configure the platform, connect integrations, upload data, or authorize data processing
• From third-party systems, integrations, APIs, files, exports, or data sources connected by or on behalf of a customer
• From service providers that help us operate our website, platform, forms, infrastructure, communications, analytics, support, security, or business operations
• From business communications, meetings, calls, or follow-up conversations

We may combine information collected from these sources to provide the website, respond to requests, operate and improve the platform, support customers, and protect GreyAware’s systems and business operations.

7. Voluntary Submission

Providing Personal Information through our website is voluntary. If you choose not to provide certain information, we may not be able to respond to your request, schedule a demo, evaluate design partner interest, or discuss a potential partnership.

Please do not submit sensitive personal information through our public website forms, such as government identification numbers, financial account information, health information, precise location data, personal information about children, or other sensitive information. GreyAware does not intentionally collect sensitive personal information through its public website.

Customers should not submit sensitive or regulated data to the GreyAware platform unless permitted by an applicable agreement and supported by the appropriate contractual, technical, and organizational safeguards.

8. How We Use Website and Business Contact Information

We may use website and business contact information to:

• Respond to demo requests, design partner inquiries, partnership interest, and other messages
• Contact you about GreyAware, our platform, and related opportunities
• Evaluate interest in GreyAware’s products, services, integrations, and design partner program
• Route website submissions to the appropriate internal team or workflow
• Schedule meetings, respond to questions, and maintain business communications
• Improve our website, messaging, product direction, and customer engagement process
• Maintain records of inquiries, communications, and business development activity
• Send marketing or business communications, subject to applicable law and your choices
• Protect the security, integrity, and availability of our website and business operations
• Detect, investigate, or prevent fraud, abuse, security incidents, or unauthorized activity
• Comply with legal obligations and enforce our rights
• Carry out any other purpose disclosed to you at the time information is collected or with your consent

9. How We Use Customer Data

We use Customer Data to provide, operate, secure, maintain, support, and improve the GreyAware platform and services.

This may include using Customer Data to:

• Ingest, normalize, correlate, and reconcile records across connected sources
• Create and maintain asset, identity, software, control, migration, drift, and exposure views
• Generate dashboards, findings, reports, alerts, evidence, trends, and operational insights
• Evaluate source freshness, source evidence, data quality, and correlation confidence
• Identify coverage gaps, drift, exposure, software posture, access context, and related operational conditions
• Support customer-configured integrations and workflows
• Provide customer support, troubleshooting, diagnostics, and platform maintenance
• Monitor platform performance, availability, usage, reliability, and security
• Detect, investigate, or prevent fraud, abuse, security incidents, unauthorized access, or technical issues
• Comply with applicable law and enforce agreements
• Perform other activities authorized by the customer or described in an applicable agreement

GreyAware does not sell Customer Data.

10. Customer Responsibilities for Customer Data

Customers are responsible for determining what data is submitted to or processed through the GreyAware platform.

Customers are responsible for:

• Providing any required notices to individuals whose Personal Information may be included in Customer Data
• Obtaining any required consents, permissions, approvals, or legal bases for processing Customer Data
• Ensuring they have the right to connect third-party systems and submit Customer Data to GreyAware
• Configuring integrations, permissions, access scopes, roles, and user access appropriately
• Reviewing platform outputs before taking action
• Complying with applicable laws, regulations, internal policies, and third-party service terms

If Customer Data includes Personal Information, the customer is generally responsible for determining the purposes and means of processing that information, unless otherwise stated in a written agreement.

11. GreyAware as a Service Provider or Processor

For Customer Data processed through the GreyAware platform, GreyAware generally acts as a service provider, contractor, or processor on behalf of the customer, depending on the applicable law and the parties’ agreement.

In that role, GreyAware processes Customer Data to provide the platform and services to the customer, as instructed by the customer, as described in applicable agreements, and as permitted by law.

If required, GreyAware and the customer may enter into a separate Data Processing Addendum or similar agreement. If a Data Processing Addendum applies and conflicts with this Privacy Policy regarding the processing of Customer Data or Personal Information, the Data Processing Addendum will control for that subject matter.

12. Usage Data and Aggregated Data

We may collect technical, diagnostic, telemetry, performance, security, usage, and operational data generated from use of the website or platform.

We may use this data to:

• Operate, secure, support, and improve the website and platform
• Monitor performance, reliability, and availability
• Troubleshoot issues
• Understand feature usage and customer needs
• Develop and improve products and services
• Detect and prevent security incidents, abuse, and unauthorized activity

We may create aggregated, anonymized, or de-identified data from information processed by GreyAware, provided that such data does not identify a customer or individual and cannot reasonably be used to reconstruct Customer Data or Personal Information.

We may use aggregated, anonymized, or de-identified data for analytics, benchmarking, product development, security research, reporting, and business purposes.

13. How We Share Information

We may share information with service providers and vendors that help us operate our website, process form submissions, route notifications, manage communications, host and operate the platform, support customers, monitor performance, and protect our systems.

These service providers may include companies that provide:

• Website hosting and infrastructure
• Cloud hosting and storage
• Database and platform infrastructure
• Form processing
• Workflow automation
• Internal notifications
• Email and business communications
• Analytics and website performance tools
• Security monitoring and logging
• Customer support and ticketing
• Customer relationship management or business development tools
• Error tracking, diagnostics, and observability
• Legal, accounting, compliance, or business advisory services

When service providers process information on our behalf, they are authorized to use it only as needed to provide services to GreyAware or as otherwise permitted by applicable law and agreement.

We may also disclose information:

• To comply with applicable law, regulation, legal process, or government request
• To protect the rights, property, or safety of GreyAware, our users, prospects, customers, or others
• To investigate, prevent, or respond to suspected fraud, security incidents, misuse, or unlawful activity
• In connection with a business transaction, such as a merger, acquisition, financing, reorganization, sale of assets, or similar transaction
• With your consent or at your direction
• As described in an applicable customer agreement

14. Subprocessors and Platform Service Providers

GreyAware may use subprocessors and service providers to help provide the GreyAware platform and services.

These subprocessors and service providers may process Customer Data for purposes such as hosting, storage, database operations, monitoring, logging, support, communications, security, backups, and infrastructure operations.

If required by an applicable agreement, GreyAware will provide information about subprocessors and any available notice or objection rights through the applicable contract, Data Processing Addendum, or other customer-facing process.

15. Cookies and Similar Technologies

We may use cookies or similar technologies that are necessary for website functionality, security, and performance.

We may also use limited analytics or performance tools to understand how visitors interact with our website, improve website functionality, and evaluate interest in GreyAware. These tools may collect information such as pages visited, browser type, device type, referring URLs, and general usage information.

If we later use advertising, retargeting, or cross-site tracking technologies, we may update this Privacy Policy and provide any notices or choices required by applicable law.

You can typically manage cookies through your browser settings. If you disable certain cookies, some website features may not function properly.

16. Marketing Communications

If you provide your contact information, we may contact you about GreyAware, including product information, demo scheduling, design partner opportunities, partnership discussions, or related business communications. You may opt out of marketing emails at any time by following the unsubscribe instructions in the message or by contacting us directly.

Even if you opt out of marketing communications, we may still send non-marketing messages related to your request, business relationship, platform use, security, legal obligations, or administrative matters.

17. Data Retention

We retain information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, including responding to inquiries, maintaining business records, improving our services, supporting business development, resolving disputes, enforcing agreements, and complying with legal, accounting, or reporting obligations.

For Customer Data, retention may depend on the applicable customer agreement, subscription term, platform configuration, backup practices, legal requirements, and customer instructions.

Unless otherwise stated in an applicable agreement, GreyAware may retain Customer Data during the applicable subscription term and for a limited period afterward to support account administration, data export, legal compliance, backup, disaster recovery, security, dispute resolution, and standard business operations.

When information is no longer needed, we may delete, de-identify, or aggregate it in accordance with applicable law, agreements, and standard retention practices.

18. Customer Data Return and Deletion

Upon expiration or termination of a customer agreement, GreyAware may make Customer Data available for export for a limited period, if requested and where reasonably practicable, unless prohibited by law or agreement.

After that period, GreyAware may delete or de-identify Customer Data in accordance with applicable agreements and standard retention practices.

Some information may remain in backups, logs, audit records, or legal and business records for a limited period where deletion is not immediately practicable or where retention is required for security, legal, compliance, or operational reasons.

19. Security

We use reasonable administrative, technical, and organizational measures designed to protect information from unauthorized access, disclosure, alteration, or destruction.

These measures may include access controls, authentication, logging, monitoring, encryption where appropriate, backup practices, vendor review, and internal security procedures.

However, no website, platform, transmission, integration, or storage system is completely secure. We cannot guarantee absolute security of information submitted to or processed by GreyAware.

Customers are responsible for securely configuring their use of the platform, managing Authorized Users, protecting credentials, configuring integrations appropriately, and maintaining the security of their own systems and third-party tools.

20. Security Incidents

If GreyAware becomes aware of unauthorized access to Customer Data in GreyAware-controlled systems, we will notify affected customers as required by applicable law or the applicable customer agreement.

Our notice may include information reasonably available to us about the nature of the incident, the information involved, steps we have taken, and steps customers may consider taking.

GreyAware’s notification of or response to a security incident is not an admission of fault or liability.

21. Your Privacy Choices and Requests

Depending on where you live and the laws that apply, you may have rights to request access to, correction of, or deletion of certain Personal Information. You may also request that we stop sending you marketing communications.

To submit a privacy request relating to information GreyAware collected directly from you through our website or business communications, contact us using the information listed in the “Contact Us” section below.

Before responding to a request, we may ask for information reasonably necessary to verify your identity and process the request. We may deny or limit a request where permitted by law, including where we need to retain information for legal, security, business, recordkeeping, or operational reasons.

22. Privacy Requests Related to Customer Data

If your Personal Information is included in Customer Data processed by GreyAware on behalf of a customer, please direct privacy requests to that customer.

Because customers determine what Customer Data is submitted to the GreyAware platform and how it is used, GreyAware may not be able to directly fulfill requests relating to Customer Data without the customer’s instruction.

We will assist customers with privacy requests relating to Customer Data as required by applicable law or agreement.

23. Children’s Privacy

GreyAware’s website and platform are intended for business use and are not directed to children. We do not knowingly collect Personal Information from children under 13 through our public website.

Customers may not knowingly submit children’s Personal Information to the GreyAware platform unless expressly permitted by an applicable agreement and supported by all required legal permissions and safeguards.

If we learn that we have collected Personal Information from a child under 13 through our public website, we will take appropriate steps to delete that information.

24. Third-Party Websites and Services

Our website or platform may contain links to or integrations with third-party websites, systems, services, APIs, or platforms.

We are not responsible for the privacy practices, security, availability, accuracy, or content of third-party websites or services. Your use of third-party websites and services is subject to their own privacy policies and terms.

Customers are responsible for reviewing and complying with the privacy policies and terms of third-party systems they choose to connect to GreyAware.

25. International Visitors and Data Transfers

GreyAware is based in the United States. If you access our website or use our platform from outside the United States, you understand that your information may be processed in the United States or other jurisdictions where GreyAware or its service providers operate.

Privacy laws may differ from those in your jurisdiction. By using our website, submitting information to us, or using the platform, you acknowledge that information may be transferred to and processed in the United States.

Where required by applicable law or agreement, GreyAware may use appropriate contractual or legal mechanisms to support cross-border transfers of Personal Information or Customer Data.

26. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised “Effective Date” at the top of this page.

For website visitors, continued use of the website after the updated Privacy Policy is posted means you acknowledge the updated policy.

For customers with active platform subscriptions, changes may also be addressed through applicable customer agreements, Data Processing Addenda, or other contractual terms.

27. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or your privacy choices, you may contact us at:

GREYAWARE LLC
Email: privacy@greyaware.com