CyberDD, LLC ("CyberDD," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cybersecurity due diligence platform and related services (collectively, the "Services").
1. Information We Collect
1.1 Information You Provide
We collect information you voluntarily provide when using our Services, including:
Account Information: Name, email address, company name, job title, and password when you create an account.
Contact Information: Information you provide when you contact us or request a demo.
Deal Information: Information about M&A transactions, target companies, and due diligence activities you enter into the platform.
Questionnaire Responses: Security questionnaire responses and supporting documentation uploaded to the platform.
Payment Information: Billing details processed through our secure payment processors.
1.2 Information Collected Automatically
When you access our Services, we automatically collect certain information, including:
Device Information: IP address, browser type, operating system, and device identifiers.
Usage Data: Pages visited, features used, time spent on the platform, and interaction patterns.
Log Data: Server logs, error reports, and security-related information.
1.3 Due Diligence Content
In the course of using our Services, you or your organization may upload or submit sensitive cybersecurity-related content for analysis, including:
Security Policy Documents: Information security policies, incident response plans, access control policies, and similar governance documents.
Certifications & Audit Reports: SOC 2 reports, ISO 27001 certificates, PCI DSS attestations, and other compliance documentation.
Questionnaire Responses: Completed cybersecurity due diligence questionnaires and associated evidence.
We recognize this content is highly confidential and apply the protections described throughout this Policy, in particular those in Section 3 (AI-Powered Analysis & Third-Party Data Processing).
2. How We Use Your Information
We use the information we collect to:
Provide, maintain, and improve our Services
Perform AI-powered analysis of security policies, certifications, and questionnaire responses (see Section 3)
Generate risk scores, maturity assessments, and due diligence reports
Process transactions and send related information
Send administrative messages, updates, and security alerts
Respond to your comments, questions, and support requests
Monitor and analyze usage patterns and trends
Detect, prevent, and address technical issues and security threats
Comply with legal obligations
3. AI-Powered Analysis & Third-Party Data Processing
CyberDD uses artificial intelligence to analyze security policies, certifications, questionnaires, and other due diligence content you submit. This section explains exactly how your data is processed, what protections are in place, and what guarantees we provide.
3.1 How AI Analysis Works
When you submit a document for analysis (such as a security policy or certification), the following process occurs:
Document Upload & Storage: Your document is uploaded to CyberDD's encrypted cloud storage (Amazon S3 with AES-256 server-side encryption). The original file is stored only within our AWS-hosted infrastructure and is never transmitted to the AI provider.
Text Extraction: CyberDD extracts the text content from the document on our own servers. Only the extracted text, not the original file, is used in subsequent analysis steps.
AI Analysis: The extracted text is sent to Anthropic's Claude API over a TLS 1.3 encrypted connection. Claude evaluates the content against cybersecurity frameworks, identifies findings, and returns a structured analysis.
Results Storage: The analysis results (scores, findings, recommendations) are stored in CyberDD's database, associated with your deal. The AI provider retains your content only for the limited period, and only for the purposes, described in Section 3.2.
3.2 AI Provider Data Protections
CyberDD uses Anthropic's Claude API under Anthropic's Commercial Terms of Service. This is critically important because Anthropic's Commercial Terms provide the following contractual protections that apply to all data processed through CyberDD:
No Model Training: Anthropic does not use data submitted through its Commercial API to train, fine-tune, or improve its AI models. Your security policies, certifications, questionnaire responses, and all other content submitted to CyberDD are never used for AI model training. This prohibition is contractual and applies regardless of any changes Anthropic may make to its consumer product policies.
No Data Retention Beyond Operational Needs: Under Anthropic's standard Commercial API terms, inputs and outputs are automatically deleted from Anthropic's backend systems within 30 days of processing. This limited retention exists solely for abuse detection and compliance monitoring. CyberDD is pursuing a Zero Data Retention (ZDR) agreement with Anthropic to further reduce this to immediate deletion after processing.
No Cross-Customer Access: API calls are stateless and isolated. Content submitted by one CyberDD customer is never accessible to, visible to, or shared with any other customer of CyberDD or Anthropic.
No Third-Party Sharing: Anthropic does not sell, license, or share Commercial API customer data with any third parties.
Ownership: Under Anthropic's Commercial Terms, Anthropic does not claim ownership of any inputs (your content) or outputs (the analysis results). CyberDD and its customers retain all rights.
3.3 Data Minimization
CyberDD follows the principle of data minimization when processing your content through AI analysis:
Only extracted text is sent for analysis — not raw files, metadata, filenames, or account information.
Analysis requests do not include personally identifiable information about your organization's employees drawn from your account or user records. Note that names or contact details appearing in the text of a submitted document (for example, an incident response contact list) are sent as part of that extracted text.
Each analysis request is independent and does not reference or include data from other deals, customers, or prior analyses.
We do not send your data to any AI provider other than our disclosed subprocessor (Anthropic) without prior notice and consent.
3.4 Subprocessor Disclosure
The following third-party subprocessors may process your due diligence content as part of our Services:
Anthropic, PBC — AI-powered document analysis (policy scoring, certification analysis, risk assessment). Governed by Anthropic's Commercial Terms of Service and Data Processing Addendum (DPA). Data processing location: United States.
Amazon Web Services (AWS) — Cloud infrastructure, encrypted document storage (S3), and database hosting. Governed by the AWS Data Processing Addendum. Data processing location: United States.
We will provide at least 30 days' advance notice before adding any new subprocessor that handles your due diligence content, via email notification to your account administrator.
3.5 Your Controls
You maintain control over what content is analyzed by AI:
Documents are only submitted for AI analysis when you or an authorized user in your organization explicitly initiates the analysis.
You can upload and store documents on the platform without triggering AI analysis.
You can request deletion of your documents and all associated analysis results at any time.
Audit logs record every AI analysis action, including who initiated it and when, providing full accountability.
4. Information Sharing and Disclosure
We do not sell your personal information or your due diligence content. We may share your information in the following circumstances:
With Your Consent: When you authorize us to share information with third parties.
AI Analysis Subprocessors: With Anthropic for AI-powered document analysis, subject to the protections described in Section 3.
Infrastructure Providers: With cloud hosting and infrastructure vendors (e.g., AWS), subject to data processing agreements and confidentiality obligations.
Service Providers: With other vendors who assist in providing our Services (e.g., payment processing, email delivery), subject to confidentiality obligations. These providers do not have access to your due diligence content.
Legal Requirements: When required by law, regulation, or legal process.
Business Transfers: In connection with a merger, acquisition, or sale of assets.
Protection of Rights: To protect our rights, privacy, safety, or property, or that of our users or others.
5. Data Security
We implement robust security measures to protect your information, including:
AES-256 encryption for data at rest
TLS 1.3 encryption for data in transit
Multi-factor authentication requirements
Regular security audits and penetration testing
Access controls and audit logging
Hosting in data centers covered by current SOC 2 Type II attestation reports
6. Data Retention
We retain your information for as long as your account is active or as needed to provide Services. We may retain certain information as required by law or for legitimate business purposes, such as resolving disputes and enforcing our agreements.
6.1 Due Diligence Content
Your uploaded documents, analysis results, questionnaire responses, and other due diligence content are retained for the duration of your active account and any applicable deal lifecycle. Upon account termination or at your request, we will delete your due diligence content from our systems within 30 days, subject to any legal retention requirements.
6.2 AI Provider Retention
Content sent to Anthropic's Claude API for analysis is retained by Anthropic for no more than 30 days under their standard Commercial terms, and is then automatically deleted. Anthropic's retention of this data is solely for abuse detection and compliance purposes; it is never used for model training or any other purpose. We are actively pursuing a Zero Data Retention (ZDR) agreement to reduce this to immediate deletion after processing.
7. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
Access: Request a copy of your personal information.
Correction: Request correction of inaccurate information.
Deletion: Request deletion of your personal information.
Portability: Request a portable copy of your data.
Opt-Out: Unsubscribe from marketing communications.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
9. Children's Privacy
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Effective Date" above.
11. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us: