
Privacy Policy

Last updated: 14 May 2026  ·  Effective: 14 May 2026

This Privacy Policy describes how REREM Data Security, LLC ("REREM," "we," "us," or "our") collects, uses, shares, and protects information in connection with the RDS GoSOC AI platform (the "Service"), our marketing website, our public blog at /blog, and our business-to-business outreach activities. By using the Service or interacting with our outreach you agree to the terms below.

1. Who we are

REREM Data Security, LLC is a Texas limited liability company headquartered at 62591 Dallas Parkway, Suite 300 #203, Frisco, TX 75034, USA. We operate the Service at platform.reremrdsgosoc.com, the marketing website, and the public Field Notes blog at /blog. For any privacy-related question, contact us at support@reremrdsgosoc.com.

2. What this policy covers

This policy applies to:

  • The RDS GoSOC AI platform — tenant accounts, the in-app User Guide, the AI assistant (Sage), and all platform features (SOC, compliance, EDR orchestration, AI vCISO, Cyber Insurance Hub, DoD STIG agent).
  • Our marketing website and the public Field Notes blog at /blog.
  • Our outbound business-to-business marketing outreach (cold email, LinkedIn-matched audiences when enabled).
  • Inbound communications you send to us (support email, replies to outreach, contact forms).

3. Information we collect

a. From platform tenants and their users

  • Account information: name, work email, password (hashed with bcrypt), organization, role, plan tier, recovery email, time zone.
  • Telemetry the customer authorises us to ingest: security findings, EDR/scan results, STIG-scan output, network-scan output, cloud-asset inventories (AWS / Azure / GCP), risk-register entries, evidence files attached for compliance frameworks.
  • Service usage: log-in timestamps, audit events (USER_REGISTERED, USER_EMAIL_VERIFIED, password changes, role changes), AI-investigation usage counts.
  • Billing data: processed by Stripe; we receive the result of the transaction (succeeded / failed / amount) but not raw card numbers.

b. From prospects in our marketing system

Our marketing system maintains a list of business prospects we believe match our ideal customer profile (mid-market CISOs / vCISOs, EU NIS2-scope organisations, MSPs / MSSPs, U.S. DoD contractors, AI Act & ISO 42001 customers, healthcare HIPAA-scope orgs, EU DORA-scope financial-services orgs). For each prospect we may hold:

  • Company name, domain, country, industry, employee-band estimate, NIS2 classification estimate.
  • Publicly visible decision-maker name, job title, and corporate email address.
  • Source of the lead (operator-imported CSV, manual entry, autonomous discovery from public regulatory / security news feeds).
  • Outreach activity (drafts written, sends, opens, replies, classification of replies, unsubscribe events).
  • AI-computed fit-score (0–100), persona category, recommended outreach hook.

We do not ingest personal home addresses, personal phone numbers, biometric data, government identifiers, or special-category data (GDPR Article 9).

c. From your interaction with our outreach

  • Whether you opened the email (via standard tracking pixel; you can disable images in your mail client to suppress this).
  • Whether and how you replied (reply content + AI classification of intent).
  • Whether you clicked the one-click unsubscribe link.

d. From visits to our public website and blog

  • Standard web-server logs (IP, user-agent, referrer, page-URL, timestamp) retained for security and performance monitoring.
  • First-party session cookies for authenticated areas (the operator console and tenant dashboards).
  • No third-party advertising trackers are loaded on the public blog or the operator dashboard.

4. How we use information

We use the information described above to:

  • Operate, maintain, and improve the Service for tenants (security analytics, compliance evidence generation, reporting).
  • Authenticate users, audit access, and detect abuse or fraud.
  • Send transactional emails (account verification, password reset, billing notifications, scan-completed notifications) — these are required to operate the Service and cannot be unsubscribed from while the account is active.
  • Send product-update emails ("what's new") with a one-click opt-out in every footer.
  • Conduct business-to-business outbound marketing outreach (cold email, content syndication, LinkedIn-matched audiences when enabled) targeted at organisations matching our ideal-customer profile.
  • Comply with applicable laws (CAN-SPAM § 7704, GDPR & UK GDPR, CCPA / CPRA, applicable state breach-notification laws).
  • Train, evaluate, and improve our internal AI prompts; we do not share customer-tenant content with model vendors for vendor-side training, and our agreements with Anthropic restrict training on customer prompts and outputs.

5. Cold-outreach & CAN-SPAM compliance

Our outbound email is targeted at corporate decision-makers at organisations that match our ideal-customer profile. Every outbound message includes:

  • Sender identification — sender name and the legal entity ("REREM Data Security").
  • Physical postal address — 62591 Dallas Parkway, Suite 300 #203, Frisco, TX 75034 (CAN-SPAM § 7704(a)(5)).
  • One-click unsubscribe link — clicking the link immediately and permanently removes you from our outreach list; we also honour the RFC 8058 List-Unsubscribe-Post header that Gmail and Outlook expose as a native "Unsubscribe" button.

When you unsubscribe, your email address is added to a permanent suppression list. Even if your address re-appears in a future imported list, our marketing system will refuse to email it.

If you would prefer to remove yourself before receiving a message, email support@reremrdsgosoc.com with the email address you would like suppressed.

6. EU/UK recipients & GDPR

For prospects and tenants located in the European Economic Area, the United Kingdom, or Switzerland, REREM Data Security acts as data controller for our marketing activities and as data processor for tenant-uploaded telemetry.

Lawful basis for B2B cold outreach. We rely on Article 6(1)(f) GDPR (legitimate interests — growing a B2B business through targeted, opt-out-respecting outreach to corporate decision-makers). We perform a balancing test in line with EDPB guidance; the corporate email address of a named role-holder at a corporate domain is processed only for the purpose of contacting that role-holder about a B2B service that may benefit their organisation.

Right to object. Click the unsubscribe link in any message or email support@reremrdsgosoc.com. We will remove your address from active outreach within five business days and add it to the permanent suppression list.

Article 33 breach notification. If we suffer a personal-data breach that is likely to result in risk to your rights, we will notify our supervisory authority within 72 hours and notify affected individuals without undue delay where required.

International transfers. Data may be processed in the United States. Where required, we rely on the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) with our sub-processors. Our hosting provider (Render) and AI provider (Anthropic) are both U.S.-based; both publish SCC-backed Data Processing Addenda.

7. Sub-processors

We use the following sub-processors. Each one is bound by a written data-processing agreement that restricts use to the specific purpose described.

Sub-processor | Purpose | Region
Anthropic, PBC | AI model inference (Claude Haiku / Sonnet) for SOC analysis, compliance, Sage, marketing outreach drafting | USA
Render, Inc. | Application hosting, PostgreSQL database, log storage | USA (Oregon)
Microsoft Corporation | Outbound SMTP and inbound IMAP for support@ mailbox (Microsoft 365) | USA
Apollo.io (when configured) | B2B contact data lookup (publicly available role-holder information) | USA
Hunter, SAS (when configured) | B2B contact data lookup (fallback to Apollo) | France (EU)
HubSpot, Inc. (when configured) | CRM sync for tenant-account records | USA
LinkedIn Corporation (when configured) | LinkedIn Matched Audiences sync for paid retargeting (company name + domain only) | USA
Stripe, Inc. | Subscription and one-time payment processing for tenant billing | USA
Amazon Web Services, Inc. | Cloud-asset discovery API access for tenant accounts that connect AWS | USA (us-east-1)

Our active list of sub-processors is updated when we add a new vendor. For the current list at any point in time, email support@reremrdsgosoc.com.

8. Retention

  • Tenant account data — retained for the life of the account plus 90 days; after deletion request, removed within 30 days from primary systems and within 90 days from off-line backups.
  • Security findings and audit logs — retained per tenant plan (default 90 days; longer on Business / Enterprise per plan documentation).
  • Marketing prospect data — retained for up to five years from last activity, or until unsubscribe / deletion request, whichever is sooner.
  • Unsubscribe suppression list — retained permanently (so that we honour the opt-out indefinitely).
  • Web-server logs — retained 90 days for security investigation, then aggregated or deleted.
  • Billing records — retained for seven years to satisfy U.S. tax and IRS substantiation requirements.

9. Your rights

Depending on where you live, you may have the following rights with respect to the personal information we hold about you:

  • Access — a copy of the personal data we hold about you.
  • Correction — ask us to fix inaccurate or incomplete data.
  • Deletion — ask us to delete your personal data ("right to be forgotten").
  • Portability — an export in a structured, commonly used format.
  • Objection — object to processing based on legitimate interests, including direct marketing.
  • Restriction — ask us to limit processing in certain circumstances.
  • Complaint — lodge a complaint with your local supervisory authority (in the EEA / UK) or your state attorney general (in the U.S.).

California residents (CCPA / CPRA): you have the rights above plus the right to know what categories of personal information we collect, the right to opt out of "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioural advertising), and the right to non-discrimination for exercising these rights. To exercise any right, email support@reremrdsgosoc.com — we will verify your identity and respond within 45 days (with one 45-day extension if required).

10. Cookies & tracking

The operator dashboard and tenant dashboards set first-party session cookies required for authentication. The public marketing website and Field Notes blog set no cookies by default. We do not load third-party advertising or behavioural-targeting trackers on any RDS GoSOC AI surface.

Outbound marketing emails include a standard 1×1 tracking pixel so we can measure open rates and improve our content. To suppress this, disable image loading in your mail client or use plain-text mode.

11. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS 1.2+ for all data in transit (HTTPS-only).
  • Bcrypt password hashing with per-user salts.
  • Encryption at rest for the production PostgreSQL database via the hosting provider's standard volume encryption.
  • Least-privilege access controls for engineering personnel; access scoped via individual SSO-tied accounts.
  • OAuth 2.0 for inbound IMAP (Microsoft Entra) and outbound LinkedIn / HubSpot integrations — no long-lived static passwords for third-party services.
  • Audit logging for sensitive operations (user registration, password change, role change, account deletion).

No system is impenetrable. If you believe you have discovered a vulnerability, please email support@reremrdsgosoc.com with details. We will acknowledge within two business days.

12. Children

The Service is intended for use by businesses and is not directed at children under the age of 16 (EEA), 13 (U.S.), or the equivalent local age threshold. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to tenant account holders via the email address on their account, and the updated policy will be posted at this URL with a new "Last updated" date. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact us

Privacy questions, deletion requests, or data-subject-access requests:

REREM Data Security, LLC
Attn: Privacy
62591 Dallas Parkway, Suite 300 #203
Frisco, TX 75034 USA

Governing law. This policy is governed by the laws of the State of Texas, USA, without regard to its conflict-of-law principles, except where preemptive consumer protection law of your jurisdiction applies (such as the GDPR in the EEA / UK, the CCPA / CPRA in California, or other state privacy laws in your residence state).

This Privacy Policy is provided in plain English and is intended to be a transparent, operator-authored document describing the actual data practices of the RDS GoSOC AI platform. It is not a substitute for legal advice. For your specific use case, contractual obligations, or jurisdictions, consult licensed counsel.