Privacy Policy
Last updated: January 2026
At Offgrid Security ("we", "us", "our"), security and privacy are foundational to everything we do. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Kira and our related services. As a cybersecurity company, we hold ourselves to the highest standards of data protection.
1. Information We Collect
Information You Provide
- Account Information: Name, email address, company name, job title, and role when you register or request a demo.
- Payment Information: Billing details processed securely through PCI DSS-compliant payment providers. We do not store full credit card numbers.
- Communications: Information you provide when contacting support, participating in surveys, or engaging with our team.
- Integration Credentials: OAuth tokens and API keys for connected services (stored encrypted, never in plaintext).
Information Collected Automatically
- Usage Data: How you interact with our services, features used, analysis runs, and performance metrics.
- Device Information: Browser type, operating system, IP address, and device identifiers.
- Audit Logs: Records of account access, configuration changes, and security-relevant activities.
- Cookies: We use essential and analytics cookies to improve your experience.
Code and Repository Data
When you connect repositories to Kira, we process your code to provide security analysis. We want to be transparent about how we handle this sensitive data:
- Processing: Code is analyzed to map architecture, trace data flows, and identify vulnerabilities.
- Storage: Source code is processed in memory and cached only as long as necessary for analysis. We do not maintain permanent copies of your source code.
- Analysis Results: Security findings, vulnerability reports, and architectural maps are stored to provide our services and are retained according to your data retention settings.
- No ML Training: We never use your code, vulnerability data, or analysis results to train machine learning models.
- Isolation: Each customer's data is logically isolated and never commingled with other customers' data.
Vulnerability and Security Data
Security findings generated by Kira may include sensitive information about vulnerabilities in your systems. This data is:
- Treated as strictly confidential
- Encrypted at rest using AES-256
- Accessible only to authorized personnel within your organization
- Never shared with third parties or other customers
2. How We Use Your Information
- Provide, maintain, and improve our security analysis services
- Process transactions and send related information
- Send technical notices, updates, security alerts, and threat intelligence relevant to your environment
- Respond to your comments, questions, and support requests
- Monitor and analyze service usage to improve detection capabilities
- Detect, investigate, and prevent fraudulent or unauthorized activities
- Generate aggregated, anonymized statistics about vulnerability trends (never including identifiable customer data)
- Comply with legal obligations and protect our rights
3. Information Sharing
We do not sell your personal information or vulnerability data. We may share information only in these limited circumstances:
- Service Providers: Vetted third parties that perform services on our behalf (cloud hosting, payment processing). All service providers are contractually bound to protect your data and undergo security assessments.
- Legal Requirements: When required by law, subpoena, or legal process, or to protect our rights, safety, and property. We will notify you of such requests unless legally prohibited.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, where the acquiring entity agrees to be bound by this Privacy Policy.
- With Your Consent: When you explicitly authorize sharing with specific third parties.
Sub-processors
We maintain a list of sub-processors who may process your data. Enterprise customers can request this list and will be notified of changes to sub-processors with 30 days' notice.
4. Data Security
As a cybersecurity company, we implement comprehensive security measures that exceed industry standards:
- Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Access Controls: Role-based access control, principle of least privilege, and mandatory multi-factor authentication for all employees
- Infrastructure: Secure cloud infrastructure with continuous monitoring and hardened configurations
- Security Testing: Regular penetration testing, vulnerability assessments, and security audits by independent third parties
- Audit Logging: Comprehensive logging of all access to customer data with tamper-evident storage
- Incident Response: Documented incident response procedures with defined escalation paths
- Employee Security: Background checks, security training, and confidentiality agreements for all personnel
While we implement robust security measures, no system is completely secure. We encourage responsible disclosure of any security concerns to contact@offgridsec.com.
5. Security Incident Notification
In the event of a security incident affecting your data, we will:
- Notify affected customers within 72 hours of confirmed breach discovery
- Provide details about the nature and scope of the incident
- Describe the data potentially affected
- Outline remediation steps taken and recommended actions
- Cooperate with your incident response as needed
6. Data Retention
- Account Data: Retained while your account is active and for 30 days after termination
- Source Code: Processed in memory; not retained after analysis completion
- Analysis Results: Retained according to your subscription settings (default: 1 year) or until you request deletion
- Audit Logs: Retained for 2 years for security and compliance purposes
- Backup Data: Encrypted backups retained for 90 days for disaster recovery
You may request deletion of your data at any time. Upon account termination, we delete your data within 90 days unless legally required to retain it.
7. Your Rights
Depending on your location, you may have the right to:
- Access, correct, or delete your personal information
- Export your data in a machine-readable format (data portability)
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Lodge a complaint with a supervisory authority
- Request information about automated decision-making
To exercise these rights, contact us at contact@offgridsec.com. We will respond within 30 days.
GDPR (European Users)
If you are in the European Economic Area, we process your data under lawful bases including contract performance, legitimate interests, and consent where applicable.
CCPA (California Users)
California residents have additional rights, including the right to know what personal information is collected, to request deletion, and to opt out of sale. We do not sell personal information. We do not discriminate against users who exercise their privacy rights.
Enterprise and Compliance
Enterprise customers requiring security documentation or custom agreements should contact us at contact@offgridsec.com.
8. International Transfers
Your information may be transferred to and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for such transfers, including:
- Contractual obligations requiring recipients to protect your data
- Verification that recipients maintain adequate security measures
Enterprise customers may request data residency in specific regions where available.
9. Cookies and Tracking
We use cookies and similar technologies for:
- Essential: Authentication, security, and core functionality
- Analytics: Understanding usage patterns to improve our services
- Preferences: Remembering your settings and preferences
We do not use cookies for advertising or sell cookie data. You can control cookies through your browser settings. Disabling essential cookies may affect functionality.
10. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email and by posting the new policy on this page at least 30 days before changes take effect. Your continued use after such notice constitutes acceptance.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Email: contact@offgridsec.com