Data Protection Policy | Sightline GRC Platform

1. Scope & roles

This policy applies to all personal data Sightline processes. For customer account data we act as a data controller; for the data inside your tenant (users, posture, evidence) we act as a data processor on your behalf, under your instructions and our DPA.

2. What we collect

Account data: name, work email, organization, role, authentication factors.
Posture & evidence: control status, findings, and the minimum evidence needed to assess a control — never the underlying secrets. Credentials and secret values are never stored in findings and are redacted in reports.
Usage & security logs: sign-ins and privileged actions, for security and audit.

3. Lawful basis & purpose

We process personal data to provide the service (contract), to keep it secure (legitimate interest), and to meet legal obligations. We do not sell personal data and do not use your tenant data to train models.

4. How we protect it

Encryption in transit (TLS 1.2+) and at rest. Integration credentials are additionally encrypted with a dedicated key and never stored in plaintext.
Least privilege & tenant isolation — access denied by default; scoped by role, building, department, or framework.
Data minimization — we pull only what's needed to assess a control.
Accountability — privileged actions are logged; MFA/passkeys for admins.

5. Retention & deletion

We retain personal data only as long as needed to provide the service or as required by law. You can export and delete your data at any time; on account termination we delete or return tenant data within 30 days, subject to legal holds.

6. Your rights

Subject to applicable law (GDPR, DPDP, PDPA, and others), you may access, correct, export, or erase your personal data, object to or restrict processing, and withdraw consent. Email us and we will respond within statutory timeframes.

7. Subprocessors & international transfers

Sightline is hosted on Cloudflare (Workers, D1, KV, R2), region-configurable, with data residency available for international customers. A current subprocessor list and transfer safeguards are available on request.

8. Breach notification

We maintain an incident-response process and will notify affected customers without undue delay (and within 72 hours where GDPR/DPDP applies), with the facts, impact, and remediation.

9. Contact

Data protection enquiries and rights requests: contact us through the form.

This policy is provided for transparency and may be updated as our program matures. It is not legal advice or a contract; the binding terms are in your agreement and DPA with Sightline.