Privacy Policy

Your privacy is fundamental to everything we build.

Effective: March 28, 2026 • Updated: March 28, 2026

1. Information We Collect

Account Information: When you create an EchelonGraph account, we collect your name, email address, organization name, and role. If you sign up via SSO (SAML, OIDC, or LDAP), we receive the identity attributes your Identity Provider shares.

Cloud Configuration Data: When you connect cloud accounts (AWS, GCP, Azure), EchelonGraph scans resource configurations, IAM policies, network topology, and security group rules. We do NOT access, read, or store the contents of your databases, S3 objects, storage blobs, or application data.

Vulnerability & Compliance Data: We process CVE metadata, compliance check results, risk scores, and remediation states. This data is derived from your cloud infrastructure configuration and public vulnerability databases (NVD).

Usage Data: We collect information about how you use the platform, including pages visited, features used, API calls made, and performance metrics. This is used to improve the product.

Device & Log Data: IP addresses, browser type, operating system, referrer URLs, and access timestamps are collected for security monitoring and abuse prevention.

2. How We Use Your Information

Service Delivery: To provide, maintain, and improve EchelonGraph's cloud security platform, including vulnerability scanning, compliance scoring, attack path analysis, and alerting.

Security & Fraud Prevention: To detect and prevent unauthorized access, monitor for abuse, and protect the integrity of our platform and your data.

Communication: To send you service notifications, security alerts, product updates, and (with your consent) marketing communications. You can unsubscribe from marketing emails at any time.

Analytics & Improvement: To understand usage patterns and improve product features, performance, and reliability. We use aggregated, anonymized data for this purpose.

Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests.

3. Data Storage & Retention

Infrastructure: Your data is stored in Google Cloud Platform (GCP) infrastructure located in the United States (us-central1 region). All data is encrypted at rest using AES-256-GCM and in transit using TLS 1.3.

Tenant Isolation: Every customer's data is logically isolated using PostgreSQL Row-Level Security (RLS), Neo4j label-based isolation, and ClickHouse partition isolation. No customer can access another customer's data.

Retention Periods: Scan data is retained for 60 days by default (configurable per plan). Compliance scores are retained for 2 years. Audit logs are retained for 1 year. Account data is retained for the duration of your subscription plus 30 days.

Deletion: Upon account termination, all customer data is permanently deleted within 30 days. You can request immediate deletion by contacting privacy@echelongraph.io.

4. Data Sharing & Third Parties

We do NOT sell your data. EchelonGraph never sells, rents, or trades personal information or customer cloud configuration data to third parties.

Sub-processors: We use a limited set of sub-processors: Google Cloud Platform (infrastructure), Stripe (payment processing), and SendGrid (transactional email). A full sub-processor list is available upon request.

Legal Requirements: We may disclose data if required by law, subpoena, or court order, or if we believe disclosure is necessary to prevent harm or protect rights.

Business Transfers: In the event of a merger, acquisition, or asset sale, customer data may be transferred. We will provide notice before data is transferred and becomes subject to a different privacy policy.

5. Your Rights

GDPR (EU/EEA): You have the right to access, rectify, and erase your data, to restrict or object to processing, and to data portability. You may also withdraw consent at any time. Contact our DPO at dpo@echelongraph.io.

CCPA (California): You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact privacy@echelongraph.io.

DPDP Act (India): As a Data Fiduciary, we process your data based on consent and legitimate purposes. You have the right to access, correct, erase, and nominate. Contact grievance@echelongraph.io.

Response Time: We respond to all data subject requests within 30 days. Complex requests may take up to 60 days with prior notification.

6. Cookies & Tracking

Essential Cookies: We use strictly necessary cookies for authentication, session management, and security (CSRF protection). These cannot be disabled.

Analytics Cookies: We use privacy-respecting analytics (no third-party trackers) to understand aggregate usage patterns. You can opt out via the cookie banner.

No Advertising Cookies: EchelonGraph does NOT use advertising cookies, pixel trackers, or share data with advertising networks.

7. Security Measures

EchelonGraph implements industry-standard security measures including: AES-256-GCM encryption at rest, TLS 1.3 encryption in transit, RS256 JWT with token rotation, TOTP MFA with recovery codes, RBAC with 5 roles and 18 permissions, audit logging of all administrative actions, and automated vulnerability scanning of our own infrastructure.

We hold SOC 2 Type II certification and are aligned with ISO 27001:2022. See our Security page for details.

8. Children's Privacy

EchelonGraph is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

9. International Data Transfers

If you are located outside the United States, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and additional technical and organizational measures to ensure adequate protection.

For customers requiring data residency, we offer regional deployment options (EU, APAC) on our Enterprise plan.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website at least 30 days before the changes take effect.

Your continued use of EchelonGraph after the changes take effect constitutes acceptance of the updated policy.

11. Contact Us

Data Protection Officer: dpo@echelongraph.io

Privacy Inquiries: privacy@echelongraph.io

General Support: support@echelongraph.io

Mailing Address: EchelonGraph, Inc. • Privacy Team • Susaek, Eunpyeong-gu, Seoul, South Korea