AxiomGuardOS
PATENT PENDING

Privacy Policy

Last updated: 2026-03-04

AxiomGuardOS ("AxiomGuardOS," "we," "us") provides a CMMC Readiness Assessment platform designed to help defense contractors turn NIST SP 800-171 requirements into verifiable controls and generate System Security Plans (SSP). This Privacy Policy explains how we collect, use, disclose, and protect information when you access our websites, applications, APIs, and related services (collectively, the "Services").

1. Information We Collect

We collect information in three main ways: (a) information you provide, (b) information generated through your use of the Services, and (c) information from third parties.

A) Information you provide

  • Account information: name, email, organization name, role/title, authentication identifiers (e.g., SSO subject IDs).
  • Billing/contact information: billing contact, invoicing details. (Payment card data is typically handled by our payment processor when applicable.)
  • Support communications: messages, attachments, and metadata you send to support.

B) Information generated through use of the Services (assessment and compliance data)

Depending on your configuration and what you upload, we may process:

  • Policy and control artifacts: policies, standards, controls, procedures, exceptions, approvals, and related governance documentation.
  • System Security Plans (SSP) and related control implementation narratives, diagrams, and references you document in the Services.
  • Plan of Action and Milestones (POAM) entries, remediation activities, task assignments, due dates, and completion status.
  • Network architecture metadata and environment descriptions you provide (for example, asset groupings, logical/physical boundary information, zone labels, and similar descriptors).
  • Compliance documentation you upload or author in the platform (including policies, procedures, control narratives, and assessment workpapers).
  • Gap assessment scoring and related metrics, including practice-level evaluations against NIST SP 800-171 and Supplier Performance Risk System (SPRS) scoring.

The Services are designed to store and process compliance metadata and assessment evidence only. You are strictly prohibited from uploading, storing, or otherwise submitting actual Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) into the standard AxiomGuardOS environment. You are responsible for ensuring that any information you choose to provide does not include CUI or FCI, unless we have entered into a separate written agreement with you that expressly permits such processing.

C) Device and usage information

  • IP address, browser type, device identifiers, operating system, pages viewed, and referring URLs.
  • Cookies and similar technologies (see Cookies & Analytics).

D) Information from third parties

  • Identity providers (SSO): basic profile and authentication tokens/claims.
  • Integrations you enable (e.g., repositories, ticketing, cloud platforms): data you choose to connect, governed by your integration settings.
  • Service providers: hosting, analytics, support tooling.

2. How We Use Information

We use information to:

  • Provide and operate the Services (authentication, authorization, product features).
  • Produce CMMC readiness and compliance outputs (e.g., SSP/POAM exports, evidence packs, assessment reports).
  • Secure the Services (fraud prevention, abuse detection, incident response).
  • Improve and debug (performance, feature usage insights, reliability).
  • Communicate with you (service updates, security notices, support responses).
  • Comply with law and enforce our agreements.

3. Legal Bases (where applicable)

Where required, we rely on one or more of: contract necessity, legitimate interests (security, improvement), consent (optional cookies/marketing where enabled), and legal obligations.

4. Sharing and Disclosure

We may share information with:

  • Service providers (hosting, monitoring, analytics, support) acting under contract.
  • Your organization and administrators (workspace-level visibility and audit requirements).
  • Integration partners you enable (only as configured by you).
  • Legal and safety disclosures when required by law or to protect rights and security.

We do not sell personal information.

5. Data Retention

We retain information for as long as necessary to:

  • Provide the Services and maintain auditability (e.g., evidence chains, governance logs),
  • Meet legal/accounting requirements,
  • Resolve disputes and enforce agreements.

Retention periods may vary by workspace configuration. You may request deletion subject to legal and operational requirements.

Upon account termination or upon the written request of the applicable customer, we will delete or irreversibly anonymize stored compliance evidence and assessment data within a commercially reasonable period, subject to our legal obligations and backup/archival retention. Data destruction is performed in accordance with our internal policies implementing applicable federal data sanitization standards.

6. Security

We use administrative, technical, and physical safeguards designed to protect information, including access controls, encryption in transit, and least-privilege practices. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Data Residency & Sovereignty

To support defense contractor obligations, including requirements under the Defense Federal Acquisition Regulation Supplement (DFARS) and related U.S. Government frameworks, we host AxiomGuardOS customer assessment data exclusively on infrastructure physically located within the United States. We do not intentionally transfer client compliance assessment data (including SSP, POAM, network architecture metadata, or gap assessment outputs) outside of the United States or rely on international data transfer mechanisms for such data.

8. Your Rights and Choices

Depending on your location, you may have rights to:

  • Access, correct, or delete personal information,
  • Object to or restrict certain processing,
  • Export your information (where applicable),
  • Withdraw consent (where processing is based on consent).

Requests can be made at: privacy@axiomguardos.com

9. Cookies & Analytics

We use cookies and similar technologies to:

  • Maintain sessions and security,
  • Remember preferences,
  • Understand usage to improve the Services.

You can control cookies through your browser settings. Some features may not function without essential cookies.

10. Children's Privacy

The Services are not directed to children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the "Last updated" date.

12. Contact Us

Questions or concerns: privacy@axiomguardos.com

Disclaimer: This template is for general informational purposes and does not constitute legal advice.