Legal & Compliance

Transparency and trust are the foundation of our security services. Review our policies to understand how we protect your business.

Privacy Policy

Last Updated: 2026

At Custodia LLC ("Custodia", "we", "us"), we understand that as a defense contractor, data security is not just a preference—it’s a regulatory requirement. This Privacy Policy outlines how we collect, use, and strictly protect your information, with specific adherence to CMMC and NIST 800-171 standards where applicable.

1. Information We Collect

We collect only the minimum information necessary to provide our Fractional CISO and CMMC Fortress services:

  • Account Information: Name, Company Name, CAGE Code (if provided), Email, and Phone Number.
  • Vulnerability Data: Results from scans performed on your public-facing infrastructure.
  • Usage Data: Information on how you interact with our dashboard and badge widgets.

2. How We Handle Vulnerability Data

Critical: Vulnerability data is treated as CUI (Controlled Unclassified Information) when associated with your specific infrastructure.

  • We do not share scan results with third parties, including Prime Contractors, without your explicit written consent.
  • We do not share your compliance score publicly. The "Live Badge" only indicates a status (e.g., "Verified"), never the specific score or findings.
  • All vulnerability data is encrypted in transit using TLS 1.2+ and at rest using AES-256.

3. No Sale of Data

We do not sell, rent, or trade your personal or business information to third parties. We are in the business of security, not data brokerage.

4. Service Providers (Sub-Processors)

We use trusted US-based infrastructure providers to deliver our services. All sub-processors are vetted for security compliance:

  • Vercel: Web hosting and edge computing.
  • Resend: Transactional email services.
  • Stripe: Payment processing (we do not store credit card numbers).

5. Your Rights

You have the right to request deletion of your data upon termination of service, subject to our record-retention obligations for audit trails. To request data deletion, contact legal@custodia.ai.

6. Changes to This Policy

We may update this policy to reflect changes in CMMC regulations or our services. Major changes will be communicated via email to all active account holders.


Custodia LLC
Attn: Privacy Officer
Washington, DC
legal@custodia.ai