1. Introduction

Verdrix is an AI-native threat modeling platform operated by Verdrix. This Privacy Policy describes how Verdrix collects, uses, stores, and protects information when you access or use the Verdrix platform and associated services ("the Service").

By using the Service, you acknowledge that you have read and understood this policy. If you do not agree with this policy, you should not use the Service.

This policy applies to all users of the Verdrix platform, including organisation owners, administrators, analysts, and viewers operating under a customer account.

2. Data We Collect

Account Data

When you register for an account, we collect your first name, last name, email address, company name, and a hashed representation of your password. We do not store your password in plaintext at any point.

Usage Data

When you use the Service, our web servers automatically record standard access log data, including your IP address, browser type, operating system, pages requested, and timestamps. This data is generated as a normal function of operating a web service and is used solely for security monitoring and infrastructure diagnostics. It is not linked to your account or used for profiling.

Architecture and Threat Modeling Data

The core function of the Service requires you to input descriptions of your AI system architecture, including components, data flows, and configuration properties. This information is stored and processed to generate threat analyses and compliance reports on your behalf. This data remains your property — see Section 6 for details.

File Uploads

You may upload files as evidence attachments within the Risk Register. These files are stored and associated with your account and project. You should not upload files containing credentials, keys, or other secrets unrelated to security evidence.

Payment Data

Billing for paid subscriptions is handled by a third-party payment processor. We do not collect, store, or process payment card data directly. The payment processor's own privacy policy governs the handling of your payment information.

3. How We Use Your Data

We do not sell your personal data to third parties. We do not use your data for advertising profiling or share it with data brokers.

4. Data Storage and Security

The Verdrix platform is hosted on major cloud infrastructure providers. Data in transit is protected using TLS 1.2 or higher. Data at rest is stored with encryption mechanisms provided by the underlying infrastructure.

Tenant data is logically segregated by a unique tenant identifier. Each customer organisation's data is isolated from other customers at the application layer, meaning users from one organisation cannot access data belonging to another.

Access to production data is restricted to authorised Verdrix personnel with a legitimate operational need. We perform periodic internal security reviews of our platform and access controls.

No method of transmission over the internet or electronic storage is completely secure. While we apply industry-standard measures, we cannot guarantee absolute security of your data.

5. Data Retention

6. Third-Party Processors

To deliver the Service, we share data with a limited set of trusted third-party processors under appropriate data processing agreements. Categories of processors include:

We do not permit these processors to use your data for any purpose other than providing the services we have contracted them to perform.

7. Your Rights

If you are located in the European Economic Area or another jurisdiction with data protection laws, you may have rights including access to, correction of, or deletion of your personal data, as well as the right to data portability or to object to certain processing. To exercise any of these rights, email us at [email protected]. We will respond to requests within a reasonable timeframe. We handle these requests manually.

8. Cookies

The Verdrix platform does not use cookies for authentication or tracking. Authentication is managed using tokens stored in your browser's local storage. We do not use advertising cookies or third-party tracking scripts.

9. International Data Transfers

The Verdrix platform may process and store data in regions outside your country of residence, including regions with different data protection standards. Where personal data is transferred across jurisdictions, we take appropriate measures to ensure the transfer is conducted in accordance with applicable legal frameworks, including, where required, the use of standard contractual clauses or equivalent safeguards.

10. Children's Privacy

The Verdrix platform is a professional security tool not directed at, and not intended for use by, persons under the age of 16. We do not knowingly collect personal data from children. If you believe a minor has submitted information through the Service, please contact us at [email protected] and we will take appropriate action.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. We encourage you to review this policy periodically to stay informed about how we handle your data. Continued use of the Service after any changes constitutes your acceptance of the updated policy.

12. Contact

For privacy-related enquiries, data subject requests, or concerns about this policy: