Privacy Policy
Version 1.0.0 — Federal Grade — Effective May 1, 2026
VeeSafe Technology provides cybersecurity, compliance, and documentation tools that may be used in connection with U.S. federal regulations including CMMC, NIST SP 800-171, DFARS 252.204-7012, HB 96, SPRS scoring, POA&M and SSP work, and incident response planning. This policy is designed to meet federal grade expectations for handling sensitive business data and compliance artifacts.
VeeSafe is not a certifying body, auditor, or legal advisor.
1. Data we collect
Account and authentication. Name, email, organization, role, authentication logs, and MFA status — collected through Supabase Auth and our application layer.
Workspace and compliance data. Assessment responses, evidence uploads, policies, plans, POA&M items, SSP content, internal controls, system descriptions, audit notes, and attestations — provided directly by the Client.
System metadata. Browser type, IP address, device information, timestamps, error logs, and non-identifying usage analytics.
AI-generated content. Inputs you provide, outputs the system generates, and revision history. We do not use Client data to train external AI models.
2. How we use data
To operate the platform, generate compliance documentation, maintain system security, improve performance, provide support, and meet legal obligations. We do not sell personal data, share it with advertisers, or use Client data to train public AI models.
3. Subprocessors
We use Lovable (application layer), Supabase (database and authentication), Vercel (frontend hosting), and Cloudflare (DNS and edge security). All subprocessors operate under confidentiality and security obligations. The current list lives at /trust/subprocessors.
4. Data ownership and retention
The Client owns all data they input. Active tenants: data retained while the workspace is active. Terminated tenants: data available for export for sixty days, then may be deleted or anonymized. Backups retained up to ninety days.
5. Security controls
Aligned with NIST SP 800-171 and CMMC Level 2 practices: MFA enforcement, TLS 1.2+ in transit, encryption at rest, row-level security, audit logging, least-privilege access, network isolation, and regular vulnerability scanning.
6. AI-generated content
Based solely on your inputs, not independently verified, not guaranteed to be accurate or compliant, and not legal advice. You must review and validate every output before relying on it.
7. Sharing of data
Only with the subprocessors above, with regulators if legally required, with law enforcement on valid process, or with your authorized users. Never with advertisers or data brokers.
8. Incident response
If we become aware of a security incident affecting Client data we will notify the Client without unreasonable delay, share known details, provide mitigation guidance, and cooperate with investigations.
9. Client responsibilities
You are responsible for the accuracy of inputs, maintaining MFA, managing user access, reviewing generated content, and protecting your own systems and devices.
10. Children's privacy
The platform is not intended for individuals under 18.
11. Changes
Material changes require re-acceptance. Acceptance is logged with timestamp, IP, and user identity.
12. Contact
VeeSafe Technology — Cuyahoga Falls, Ohio — support@veesafetechnology.com