Privacy Policy
Effective and last updated: July 1, 2026
1. Introduction
This Privacy Policy explains how SentinelSSP LLC ("SentinelSSP", "we", "us", or "our") collects, uses, and protects information when you use the SentinelSSP platform and related services (the "Service"). SentinelSSP is a Cybersecurity Maturity Model Certification (CMMC) compliance readiness platform for defense contractors.
By using the Service, you agree to the practices described in this policy.
2. Information We Collect
- Account information - your name, email address, and organization name, provided when you register.
- Compliance preparation data - the high-level pointers, locations, notes, and metadata you choose to enter (for example, where an evidence artifact is stored, control status, and scoping answers). This is not Controlled Unclassified Information (CUI) and is not your underlying evidence files. See Section 3.
- Payment information - if you subscribe to Pro, billing is handled by Stripe. We do not collect or store your full payment card details; Stripe processes them and provides us limited information such as your subscription status and the last four digits of your card.
- Authentication data - credentials managed through our authentication provider, including whether you have enrolled in multi-factor authentication (MFA).
- Analytics data - aggregate, anonymized data collected by Vercel Web Analytics and Speed Insights, such as page views, referring sites, general location by country, and device type. This data is not linked to your account and does not include personally identifiable information.
- Usage and technical data - basic information necessary to operate and secure the Service, such as log and request data and your subscription state.
3. Our Data-Blind Posture
SentinelSSP is built around a no-CUI, minimum-necessary design. We do not collect or store CUI, classified information, network diagrams, vulnerability data, or your underlying evidence files. By design, you keep your actual artifacts in your own systems and enter only high-level pointers and locations into the Service.
The Sentinel AI assistant also detects common categories of sensitive input - such as IP addresses, credentials, and vulnerability identifiers - and blocks them in your browser before they are transmitted. You are responsible for ensuring that anything you enter is sanitized and free of prohibited content.
4. How We Use Information
We use the information we collect to:
- provide, operate, and maintain the Service;
- process subscriptions and billing;
- provide customer support and respond to your requests;
- maintain security, prevent abuse, and enforce our Terms;
- improve and develop the Service;
- comply with our legal obligations.
We do not sell your personal information, and we do not use the content you enter to train our own or third parties' AI models.
5. Service Providers and Subprocessors
We rely on the following third-party providers to deliver the Service:
- Supabase - database, authentication, and storage.
- Vercel - application hosting, delivery, and analytics/performance monitoring.
- OpenAI - Sentinel AI assistant processing.
- Anthropic - AI processing for evidence suggestions and policy generation.
- Stripe - payment processing.
- Resend - transactional email delivery.
These providers are located in the United States, and your information is processed in the United States. We share information with them only as needed for them to perform their function, and they are obligated to protect it.
6. Data Retention and Deletion
We retain your information for as long as your account exists, whether free or paid, so that you can resume where you left off. If you cancel a paid subscription, your account reverts to the free tier: you keep full access to Level 1 features and your data is retained. Content and features that require a paid subscription (Level 2) become inaccessible until you resubscribe, but your data is not deleted.
We do not automatically delete cancelled accounts. You may request permanent deletion of your account and data at any time by contacting privacy@sentinelssp.com.
7. Security
We protect your information using row-level security that isolates each account's data at the database level, encryption in transit (TLS) and at rest, and standard application hardening. Multi-factor authentication (TOTP) is available and recommended for all accounts.
No method of transmission or storage is completely secure, but we work to protect your information using reasonable safeguards. For more detail, see our Security page.
8. Your Rights and Choices
You may access, update, or correct your account information from your account settings. You may request a copy or deletion of your data, or ask questions about how it is handled, by contacting privacy@sentinelssp.com. Depending on where you live, you may have additional rights under applicable privacy laws, and we will honor those rights as required.
10. Children's Privacy
The Service is intended for businesses and is not directed to anyone under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated policy.
12. Contact
Questions about this Privacy Policy or our data practices can be sent to privacy@sentinelssp.com.