Privacy Policy

What we collect, why we collect it, and what we never do with it.

Last updated May 12, 2026 · Effective May 12, 2026

Minimum data, by design

We ingest only the alert and telemetry fields needed to investigate, correlate and produce evidence. We do not collect raw email bodies, file contents or full packet captures unless explicitly forwarded by an integration you configure.

Encryption everywhere

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Customer secrets and integration credentials are stored in an isolated, key-rotated secrets vault — never in application logs or backups.

Region pinning

Enterprise customers can pin all storage and processing to EU or US regions. We do not move tenant data across regions for processing convenience.

No training on your data

Customer telemetry, alerts, investigations and analyst notes are never used to train SOCPilot or third-party foundation models. AI providers are configured in zero-retention mode where supported.

1. Who we are

SOCPilot, INC (“SOCPilot”, “we”, “us”) provides an AI investigation analyst for security operations teams. This policy explains how we handle personal data and security telemetry processed through socpilot.co and the SOCPilot platform.

2. Data we process

  • Account data — name, work email, organization, role, authentication identifiers (OAuth subject, hashed passwords). Used to authenticate users and enforce role-based access.
  • Security telemetry — alerts, detections, audit events, identity events, cloud control-plane logs, EDR process metadata, DNS metadata. Forwarded by integrations you connect.
  • Investigation artifacts — analyst notes, decisions, approvals, generated briefs, exported evidence packs. Retained according to your tenant retention policy.
  • Product telemetry — request logs, error traces, feature-usage counters. Used to operate and secure the service. Stripped of payload contents.
  • Marketing site data — form submissions, IP-derived country, basic anonymized analytics. No third-party advertising trackers or cross-site identifiers.

3. Why we process it (legal basis)

We process customer data to perform our contract with the customer organization (GDPR Art. 6(1)(b)), to comply with legal obligations (Art. 6(1)(c)), and to pursue legitimate interests in operating, securing and improving the service (Art. 6(1)(f)). Marketing communications rely on consent (Art. 6(1)(a)).

4. AI processing and model providers

SOCPilot uses large-language-model providers (currently Google Gemini and OpenAI GPT families, routed through the Lovable AI Gateway) to draft triage recommendations, investigation summaries, briefs and compliance packs.

  • Customer data sent to model providers is configured for zero retention where the provider supports it.
  • No customer data is used to train SOCPilot models or third-party foundation models.
  • All AI outputs are surfaced as drafts that an analyst can edit, approve or reject. AI never executes containment or response actions without named human approval.
  • Customers can disable live AI inference per workspace; SOCPilot then falls back to its deterministic evidence engine.

5. Sub-processors

We rely on a small set of vetted sub-processors:

  • Cloud infrastructure & managed Postgres (region-pinned)
  • Edge / serverless runtime for ingestion and AI orchestration
  • Email delivery for transactional notifications
  • LLM inference providers (Google, OpenAI) via gateway
  • Error and uptime monitoring

The current sub-processor list with regions and purposes is published in the Trust Center. We notify customers of additions before they take effect.

6. International data transfers

EU customer data is stored and processed in the EU by default. Where transfers outside the EEA / UK occur (e.g., to a US-based LLM endpoint), we rely on Standard Contractual Clauses and the EU–US Data Privacy Framework, supplemented by encryption and access controls.

7. Retention

Default retention windows are configurable per workspace. Out of the box: alerts and evidence — 365 days; investigations and briefs — 1095 days; audit logs — 7 years (immutable). Deletion requests for sensitive content can be filed by a workspace admin and require two-person approval.

8. Your rights

Individuals whose personal data is processed by SOCPilot have the right to access, rectify, erase, restrict, port and object to processing. Most rights are exercised through the customer organization that controls the workspace (the data controller). You can also contact us directly.

9. Security

SOCPilot is built read-only by default. Containment and identity actions require named human approval. SOCPilot is SOC 2 Type II compliant (audit completed January 2026); ISO 27001 Stage 2 audit is scheduled for August 2026. An annual penetration test was conducted by Kestrel Cyber in November 2025. We enforce SSO / MFA on production systems and publish a coordinated vulnerability disclosure program.

10. Children

SOCPilot is a B2B product. We do not knowingly collect personal data from anyone under 16.

11. Changes

We will update this policy as the product and legal landscape evolve. Material changes are announced in-product and via email to workspace owners at least 30 days before they take effect.

12. Contact

legal@socpilot.co · Data Protection Officer reachable at the same address.