Privacy Policy

Last updated: April 8, 2026

1. Introduction

At AutoCISO, we respect your privacy and are committed to protecting it. This Privacy Policy explains how we collect, use, and share information when you use our Service, including the web dashboard and the AutoCISO Audit Collector browser extension.

2. Information We Collect

Account & Platform Data

  • Account Data: Name, email address, and company details when you sign up.
  • Usage Data: Feature activity, audit run counts, AI chat request counts, and other usage metrics used to enforce subscription limits.
  • Technical Data: IP address, browser type, and device information.

Workforce & Access Data

The Service is designed to process your organisation's identity and access information. When you upload or enter data, we store:

  • Employee records: Names, email addresses, job titles, departments, managers, locations, phone numbers, employment status, start dates, and end dates of employees and contractors.
  • Access data: Mappings between employees and SaaS applications, including assigned roles, privilege levels, last-seen activity, dormancy status, and service account assignments.
  • Asset inventory: Application and device names, hostnames, criticality classifications, ownership, and asset type metadata.

Compliance & Evidence Data

When you use the ISO 27001 certification and compliance features, we store:

  • Compliance project data: Scope definitions, gap analysis results, risk register entries, Statement of Applicability records, and readiness scores.
  • Policy documents: Policy texts, version history, approval decisions, and acknowledgement records.
  • Evidence artifacts: Files uploaded manually or collected automatically by the Evidence Agent from connected integrations, mapped to specific compliance controls.
  • Audit records: Internal audit findings, backup test results, and management review records.
  • Access review data: Campaign configurations, reviewer assignments, and responses (approve/revoke/escalate) submitted by reviewers via secure token links.
  • Certification data: Uploaded certificates and associated metadata. When you publish a certificate for public verification, the certificate name, issuer, and validity dates are accessible at a public URL (see Section 7).

Risk Management Data

When you use the Risk Management Workspace, we store the records needed to capture, assess, and manage risks across your organisation. This may include:

  • Risk drafts and records: Risk titles, descriptions, domains, segmentation fields, selected owners, review dates, evidence references, workflow status, and change history.
  • Assessment and treatment data: Probability, impact, exposure, control strength, estimated loss, treatment cost estimates, selected or recommended treatment strategy, and residual-risk fields.
  • Risk budget data: Budget amounts, period and scope, consumed and remaining amounts, and plain-language business constraints or assumptions used to derive budget profiles.
  • AI-guided interview data: Interview sessions, question and answer history, answer options shown, free-text responses, extracted facts, AI interpretations, open questions, summaries, confidence indicators, prompt template version, and model metadata.

AI Chat Data

The AI security advisor feature sends your prompts, along with relevant context drawn from your organisation's employee, asset, access, and remediation data, to our AI processing pipeline. Conversation history, session identifiers, and folder organisation are stored to enable continuity and sharing of conversations within your organisation.

Integration Credentials

When you connect third-party services (such as Jira for roadmap task management, or identity providers such as GitHub, Google, or Microsoft for single sign-on), we store the configuration and credentials required to maintain those integrations. Credentials are encrypted at rest using AES-256-GCM.

Audit Trail

All significant actions taken within the Service — including access changes, user administration, policy approvals, compliance events, and configuration changes — are recorded in an audit trail. Audit trail entries include the actor's identity, a timestamp, and a description of the event.

Partner Program Data

If you enrol in the vCISO Partner Program, we collect:

  • Firm details: Your firm or advisor name and your firm logo (stored in our database).
  • Portfolio summary cache records: Aggregate counts and security scores for each managed organisation only; no individual names, email addresses, or raw access records.
  • Partner AI Assistant conversation history.
  • Referral credit ledger records.
  • Registration event record: Your user ID, firm name, IP address, the terms version accepted, and a timestamp.

Browser Extension Data

When you use the AutoCISO Audit Collector browser extension, data is collected only when you explicitly trigger a capture. Specifically:

  • Simplified page DOM: A stripped-down HTML representation of the SaaS admin page you are viewing, compressed before transmission. Password fields and hidden inputs are automatically excluded before any data leaves your browser.
  • Screenshots (optional): A scrolled full-page screenshot of the active tab, captured as a compressed PNG, only when you enable this option or when the DOM capture path is unavailable.
  • Page URL and title: The URL and title of the tab you capture, sent alongside the DOM and screenshot to identify the source application.
  • Page signals: Lightweight page metadata (page title, meta description, heading text, navigation link text) sent to our API to auto-detect the type of data on the page (users, assets, or access lists). No form values or personal data are included in these signals.

The extension requires access to all URLs (<all_urls>) in order to function on any SaaS admin page you choose to audit. The content script is injected into pages but does not read or transmit any data unless you explicitly initiate a capture.

Authentication tokens obtained via Auth0 are stored in your browser's local extension storage (chrome.storage.local) to maintain your session between uses. These tokens are never written to web page storage or accessible to page scripts. In the web dashboard, access tokens are held in memory only and are not persisted to browser storage.

3. How We Use Information

We use your information to:

  • Provide and maintain the Service, including access inventory, employee lifecycle workflows, compliance management features, and the risk management workspace.
  • Process captured page data through our AI Vision pipeline to detect users, assets, and access relationships.
  • Power the AI security advisor by providing your prompts and relevant organisational context to our AI processing pipeline.
  • Generate, store, and update risk drafts, interview sessions, risk records, and budget views so your organisation can identify, assess, prioritise, and treat risks.
  • Use AI to interpret guided-risk interview answers, extract structured facts, propose draft summaries, and suggest scoring, treatment, and budget-related outputs.
  • Automate evidence collection and map it to compliance controls within ISO 27001 and other frameworks.
  • Track and enforce subscription usage limits (audit runs, AI requests, connected applications).
  • Communicate with you about your account, security notifications, and product updates.
  • Ensure security, detect fraud, and maintain the integrity of the Service.
  • Compute your managed-organisation discount tier and apply referral credits to your Partner subscription.
  • Power the Portfolio AI Assistant, which processes portfolio summary data on your behalf.

4. Data Controller & Processor Relationship

When you upload or otherwise provide personal data about your employees, contractors, or other individuals (such as workforce records and access data), your organisation acts as the data controller and AutoCISO acts as a data processor on your behalf. We process that personal data only as directed by you and in accordance with our Data Processing Agreement (DPA), which is available on request. If your organisation is subject to the GDPR or similar data protection legislation, you are responsible for ensuring you have a lawful basis to provide that personal data to AutoCISO.

Partner Portal Access. vCISO partners access only aggregated, anonymised security posture summaries for managed organisations, not raw tenant data. Individual employee names, email addresses, and access records are never exposed through the Partner Portal. Partners are responsible for their own legal and contractual relationship with their client organisations.

5. Data Processing & AI

AutoCISO uses AI processing in the following contexts:

  • Audit pipeline: Simplified HTML and optional screenshots captured via the browser extension are processed by our AI Vision pipeline to extract identity and access information. We apply PII masking before data reaches AI providers. Raw capture data is used solely to produce audit results and is not retained beyond the processing pipeline.
  • Risk management pipeline: When you use AI-guided or AI-assisted risk features, we send interview prompts, answer content, free-text risk descriptions, and related context needed to generate the next question, extract structured facts, summarize risk scenarios, and suggest scoring or treatment outputs. Those interview records, AI interpretations, extracted facts, summaries, and confidence metadata are stored in your tenant workspace to support resumability, review, and auditability.
  • AI security advisor (chat): When you use the AI chat feature, your prompt and contextual data drawn from your organisation's employee, asset, access, and remediation records are sent to our AI provider (Anthropic) to generate a response. Chat history is stored and can be shared within your organisation. AI responses are machine-generated and may be inaccurate; they do not constitute professional security, legal, or compliance advice.
  • Portfolio AI Assistant: When you use the Portfolio AI Assistant, we send portfolio-level summary data (counts, scores, trends) to our AI provider (Anthropic). No individual names, email addresses, or raw access records are included in AI prompts.

6. Information Sharing

We do not sell your personal information. We share information only with the following categories of service providers to operate the Service:

  • Authentication: Auth0 (user authentication and identity management).
  • AI processing: Anthropic (AI Vision pipeline and AI chat responses).
  • Payment processing: Paddle (subscription billing).
  • Cloud infrastructure: Hosting and database providers used to run the Service.
  • Identity providers (when configured by your organisation): GitHub, Google, or Microsoft, if you enable single sign-on via those providers.
  • Third-party integrations (when connected by your organisation): Jira, when you connect it for compliance roadmap task management.

We may also disclose information where required by law or to protect the rights, property, or safety of AutoCISO, our users, or others.

7. Public-Facing Features

The Service includes features that make certain data accessible outside your organisation's account. When you publish an ISO certificate for public verification, the certificate name, issuer, and validity dates become accessible at a public URL. When you share an auditor portal link or an access review link, the recipient can access the relevant data without logging in, for as long as the token remains valid. You are responsible for managing access to these links and revoking them when no longer needed.

8. Your Rights

Depending on your location, you may have rights under the GDPR, CCPA, or other privacy laws to access, correct, or delete your personal data. If you are an employee whose data has been uploaded by your employer, please direct requests to your employer as the data controller. AutoCISO users may contact us directly at legal@autociso.io to exercise their rights.

9. Security

We use AES-256-GCM encryption for stored credentials and sensitive data at rest, TLS for data in transit, and continuously scan our dependencies against the NVD vulnerability database. Access tokens in the web dashboard are held in memory only and are not written to browser storage. Role-based access control and multi-tenant isolation ensure that each organisation's data is accessible only to authorised users within that organisation, except for data you deliberately expose through the public-facing features described in Section 7, where access is governed by the published URL or the validity of the shared token.

10. Contact Us

If you have any questions about this Privacy Policy or wish to request a Data Processing Agreement, please contact us at legal@autociso.io.