1. Data Controller Identity
Sanctum SecOps LLC ("Sanctum SecOps," "we," "us," or "our") is the data controller for personal data collected through this website and in the course of providing cybersecurity services.
| Field | Details |
|---|---|
| Legal Name | Sanctum SecOps LLC |
| Entity Type | New York Limited Liability Company |
| EIN | 42-2733487 |
| Principal Office | Pine City, New York, United States |
| Privacy Contact | bvicente@sanctumsecops.com |
| SAM.gov Registration | Active Federal Contractor |
| IANA PEN | 65953 |
2. Scope & Applicability
This Privacy Policy applies to:
- All visitors to sanctumsecops.com and any subdomains
- Prospective and current clients who communicate with us by email, phone, or other means
- Individuals whose personal data we process in the course of delivering PKI, cryptographic, or security infrastructure services
- Partners, vendors, and contractors who interact with Sanctum SecOps
This policy does not apply to third-party websites linked from this site. Each third party's own privacy policy governs their data practices.
For EU/EEA/UK residents, this policy constitutes the transparency notice required under GDPR Articles 13 and 14. For California residents, this policy satisfies the disclosure requirements of the California Consumer Privacy Act (CCPA) as amended by the CPRA.
3. Personal Data We Collect
3.1 Data You Provide Directly
| Category | Examples | Collection Point |
|---|---|---|
| Identity Data | Full name, job title, organization | Email inquiries, service agreements |
| Contact Data | Email address, phone number, mailing address | Email, contact forms, contracts |
| Professional Data | Employer, role, compliance posture, technology stack | Service onboarding, discovery calls |
| PKI & Cryptographic Data | Public key material, CSRs, device identifiers, certificate serial numbers | PKI enrollment services — never private keys |
| Communications | Emails, meeting notes, support requests | Email, video calls, ticketing |
| Contract Data | Signed agreements, SOWs, invoices | DocuSign, direct exchange |
3.2 Data Collected Automatically
| Category | Examples | Source |
|---|---|---|
| Technical / Log Data | IP address, browser type & version, OS, referring URL, pages visited, timestamps | Cloudflare edge logs |
| Aggregate Analytics | Page view counts, geographic region (country/state level), device type | Cloudflare Web Analytics — no PII retained |
3.3 Data We Do Not Collect
- Private cryptographic keys (we have no mechanism or need to collect these)
- Payment card numbers (billing handled through third-party processors under their own PCI-DSS obligations)
- Sensitive personal data (health, biometric, racial/ethnic origin) — unless specifically required and consented to for a service
- Data from individuals under 18 years of age (see Section 14)
4. Purposes of Processing & Legal Bases
We process personal data only for specific, explicit, and legitimate purposes. The table below sets out each purpose and its legal basis under GDPR (for EEA/UK individuals) and the equivalent US justification.
| Purpose | GDPR Legal Basis (Art. 6) | US Basis |
|---|---|---|
| Responding to inquiries and providing requested services | Art. 6(1)(b) — Contract performance | Contractual necessity / legitimate business purpose |
| Delivering PKI, certificate, and cryptographic services | Art. 6(1)(b) — Contract performance | Contractual necessity |
| Operating and securing this website | Art. 6(1)(f) — Legitimate interests | Legitimate business interest |
| Federal contracting obligations (SAM.gov, CMMC 2.0, FAR/DFARS) | Art. 6(1)(c) — Legal obligation | Federal law (FAR 52.204-21, DFARS 252.204-7012) |
| Fraud prevention and security threat detection | Art. 6(1)(f) — Legitimate interests | CFAA compliance; legitimate interest |
| Compliance with legal obligations (tax, NY LLC law, GDPR, CCPA) | Art. 6(1)(c) — Legal obligation | Applicable federal and state law |
| Sending service-related communications | Art. 6(1)(b) — Contract performance | Contractual necessity |
| Marketing & newsletters (only where explicitly opted in) | Art. 6(1)(a) — Consent | CAN-SPAM Act compliance; opt-in consent |
| Research and development of cryptographic technologies | Art. 6(1)(f) — Legitimate interests (anonymized/aggregated data only) | Legitimate interest; de-identified data |
Legitimate interests balancing test (GDPR Art. 6(1)(f)): Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests are not overridden by your fundamental rights and freedoms. You may request a copy of our legitimate interests assessment by contacting us at bvicente@sanctumsecops.com.
5. Cookies & Tracking Technologies
This website uses a minimal, privacy-respecting approach to tracking:
| Type | Used? | Details |
|---|---|---|
| Strictly necessary cookies | Yes — server-side only | Cloudflare security cookies (__cf_bm) for bot protection. No user data stored. |
| Analytics cookies | No | Cloudflare Web Analytics is cookieless by default |
| Advertising / targeting cookies | No | None deployed |
| Third-party tracking pixels | No | None deployed |
| Fingerprinting | No | Explicitly prohibited in our infrastructure configuration |
Because we do not use non-essential cookies, we are not required to display a cookie consent banner under ePrivacy Directive / GDPR for EEA users. Should that change, we will update this policy and implement appropriate consent mechanisms before deploying any non-essential cookies.
6. Data Sharing & Disclosure
We do not sell or rent your personal data. We do not share personal data for cross-context behavioral advertising. We may share data only in the following strictly limited circumstances:
6.1 Service Providers (Data Processors)
We use the following sub-processors who handle data on our behalf under written data processing agreements (DPAs):
| Processor | Purpose | Data Transferred | Location |
|---|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, DNS, edge compute, analytics | IP addresses, request metadata (aggregated) | US / Global edge (SCCs for EEA) |
| Microsoft Corporation (Azure) | Cloud infrastructure, PKI hosting, collaboration (M365) | Service data as required by contractual scope | US East / configurable regions |
| GitHub (Microsoft) | Source code management, CI/CD | Usernames, code commits | US |
| DocuSign, Inc. | Electronic signature for contracts | Name, email, signature data | US (GDPR-compliant with SCCs) |
6.2 Legal Disclosures
We may disclose personal data when required by:
- A valid court order, subpoena, or warrant issued by a US federal or state court
- Federal agency oversight related to our SAM.gov registration, CMMC 2.0 assessment, or federal contract performance (including DoD, CISA, or GSA requests)
- Applicable tax authorities (IRS, NYS Department of Taxation)
- GDPR supervisory authority requests (for EEA individuals)
Where legally permitted, we will notify affected individuals before disclosure.
6.3 Business Transfers
In the event of a merger, acquisition, asset sale, or dissolution of Sanctum SecOps LLC, personal data may be transferred as a business asset. We will provide at least 30 days' prior notice by email (where contact data is held) and update this policy before any transfer occurs. The successor entity will be bound by this policy or provide equivalent protections.
6.4 Professional Advisors
We may share data with attorneys, accountants, and auditors who are bound by professional confidentiality obligations, solely for legal, tax, or audit purposes.
7. International Data Transfers
Sanctum SecOps LLC is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is transferred to and processed in the US, which may not provide the same level of data protection as your home jurisdiction.
We rely on the following safeguards for international transfers:
- EU Standard Contractual Clauses (SCCs): Incorporated into our DPAs with Cloudflare and Microsoft for transfers from the EEA to the US (Commission Decision 2021/914/EU, Module 2 Controller-to-Processor).
- UK International Data Transfer Agreement (IDTA): Applied where applicable for transfers from the UK post-Brexit.
- Data Privacy Framework (DPF): We rely on sub-processors certified under the EU-US Data Privacy Framework where available.
You may request a copy of the applicable transfer mechanism by contacting bvicente@sanctumsecops.com.
8. Technical & Organizational Security Measures
As a security company, we apply the highest standards to protecting personal data:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ enforced site-wide; HSTS with 2-year max-age and preload; HSTS Preload List enrolled |
| Encryption at rest | AES-256 or equivalent for stored client data; Azure Key Vault for key management |
| Access control | Least-privilege principle; certificate-based authentication (YubiKey hardware tokens); MFA enforced on all admin accounts |
| PKI security | Multi-tier CA hierarchies; offline root CAs; CMMC 2.0-aligned controls (AC, IA, SC domains) |
| Post-quantum readiness | NIST FIPS 203/204/205 algorithms; Cygnus composite certificate issuance available for PQC-ready clients |
| Incident response | Documented IR procedure; 72-hour GDPR breach notification capability; CISA coordination procedures |
| Vendor security | Sub-processor security assessments; DPAs with all processors; annual review |
| Physical security | Operations conducted from secured facilities; no shared office or co-working environments for sensitive operations |
9. Data Retention
We retain personal data only as long as necessary for the stated purpose or as required by law. The following retention schedule applies:
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Client contracts & agreements | Duration of relationship + 7 years | NY UCC; federal contractor recordkeeping (FAR 4.703) |
| Business communications (email) | Duration of relationship + 5 years | Legitimate interest; legal obligation |
| PKI / certificate audit logs | Minimum 7 years | CMMC 2.0 AU.2.042; federal contracting requirements |
| Invoices & financial records | 7 years | IRS recordkeeping requirements (26 U.S.C. § 6001) |
| Website access logs (Cloudflare) | Up to 30 days (Cloudflare default) | Security / legitimate interest |
| Aggregate web analytics | Up to 12 months | Legitimate interest; no PII retained |
| Non-client inquiry data | 24 months from last contact | Legitimate interest |
| Consent records | Duration of consent + 5 years | GDPR Art. 7(1) accountability |
Upon expiry of applicable retention periods, data is securely deleted using cryptographic erasure or NIST SP 800-88 media sanitization procedures.
10. Your Rights — Overview
The rights available to you depend on your jurisdiction. The table below provides an overview; detailed jurisdiction-specific rights follow in Sections 11–13.
To exercise any right, email bvicente@sanctumsecops.com with the subject line "Privacy Rights Request — [Your Right]". We will respond within 30 days (GDPR: 1 calendar month; CCPA: 45 days with one 45-day extension if needed). We will verify your identity before processing requests and will not discriminate against you for exercising your rights.
11. EEA, UK & Swiss Residents — GDPR Rights
If you are located in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) / UK GDPR / Swiss nFADP applies to our processing of your personal data.
11.1 Additional GDPR Rights
- Right not to be subject to automated decision-making (Art. 22): We do not use automated decision-making or profiling that produces legal or similarly significant effects.
- Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with your local supervisory authority. For EU residents, find your authority at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
11.2 Data Protection Officer
As a small business processing limited categories of personal data, Sanctum SecOps LLC is not required to appoint a formal DPO under GDPR Art. 37. However, all privacy inquiries are handled directly by the controller: bvicente@sanctumsecops.com.
11.3 Representative in the EU/UK
Sanctum SecOps LLC does not maintain a physical establishment in the EEA or UK. If you are an EEA or UK individual who believes we process your personal data on a non-occasional basis, you may contact us to discuss appointment of an Article 27 representative. At present, all EU/UK-related processing is incidental to our US-based B2B operations.
12. California Residents — CCPA / CPRA Rights
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents the following rights. Note: as Sanctum SecOps LLC is a small business (fewer than 25 employees, under $25M annual gross revenue), certain CCPA obligations may not apply. We nonetheless honor these rights as a matter of policy.
12.1 Right to Know
You may request disclosure of: (a) the categories of personal information collected; (b) the sources; (c) the business purpose; (d) the categories of third parties with whom we share it; and (e) the specific pieces of personal information we hold about you.
12.2 Right to Delete
You may request deletion of your personal information, subject to exceptions (e.g., completing a transaction, legal obligations, security purposes).
12.3 Right to Correct
You may request correction of inaccurate personal information (added by CPRA, effective Jan 1, 2023).
12.4 Right to Opt Out of Sale / Sharing
We do not sell or share personal information as defined under CCPA/CPRA. No opt-out mechanism is required, but you may submit a request confirming this by emailing us.
12.5 Right to Limit Use of Sensitive Personal Information
We do not process sensitive personal information (as defined by CPRA § 1798.121) beyond what is necessary to provide our services.
12.6 Non-Discrimination
We will not discriminate against you for exercising any CCPA rights — including by denying services, charging different prices, or providing a different level of service.
12.7 Categories of Personal Information Collected (CCPA Disclosure)
| CCPA Category | Collected? | Sold? | Shared for Cross-Context Advertising? |
|---|---|---|---|
| Identifiers (name, email, IP address) | Yes | No | No |
| Commercial information (contracts, transactions) | Yes | No | No |
| Internet / network activity (log data) | Yes (aggregated) | No | No |
| Professional / employment information | Yes (for clients) | No | No |
| Sensitive personal information | No | No | No |
| Biometric data | No | No | No |
| Geolocation data | No (country/state aggregate only) | No | No |
13. Other US State Privacy Rights
Residents of the following states have privacy rights under applicable state law. We honor these rights to the extent applicable:
| State | Law | Key Rights Honored |
|---|---|---|
| Virginia | VCDPA (effective Jan 1, 2023) | Access, correction, deletion, portability, opt-out of sale/profiling |
| Colorado | CPA (effective July 1, 2023) | Access, correction, deletion, portability, opt-out |
| Connecticut | CTDPA (effective July 1, 2023) | Access, correction, deletion, portability, opt-out |
| Texas | TDPSA (effective July 1, 2024) | Access, correction, deletion, portability, opt-out |
| New York | NY SHIELD Act; NY PDPA (pending) | Breach notification (500-day rule); reasonable data security |
| All US states | FTC Act § 5 (unfair/deceptive practices) | Accurate representations; data security; no deceptive practices |
To submit a rights request under any state law, contact bvicente@sanctumsecops.com. Include your state of residence and the specific right you wish to exercise. We will respond within the timeframe required by applicable law (generally 45–60 days).
14. Children's Privacy (COPPA)
Sanctum SecOps LLC's services are directed exclusively to businesses and adult professionals. We do not knowingly collect personal information from individuals under 13 years of age (or under 16 for EEA residents under GDPR) and our website is not directed to children.
Compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506: We do not operate any website, application, or service directed to children, and we do not knowingly collect, use, or disclose personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will delete it promptly. To report a concern, contact bvicente@sanctumsecops.com.
15. Third-Party Links & External Services
This website contains links to external resources including:
- IETF Datatracker (datatracker.ietf.org)
- GitHub (github.com)
- NIST (nist.gov)
- Zenodo DOI service (zenodo.org)
- ORCID (orcid.org)
We are not responsible for the privacy practices of any third-party website. We encourage you to review the privacy policies of any external site you visit. These links are provided for informational purposes under IETF open standards principles and do not constitute endorsement of the third party's privacy practices.
16. Federal Contracting & Regulatory Compliance
As a SAM.gov-registered federal contractor, Sanctum SecOps LLC is subject to additional data protection requirements beyond general privacy law:
- FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) — We maintain security controls protecting Federal Contract Information (FCI)
- DFARS 252.204-7012 (Safeguarding Covered Defense Information) — Applicable when processing Controlled Unclassified Information (CUI) under DoD contracts
- CMMC 2.0 Level 1 / Level 2 — Our controls framework aligns with NIST SP 800-171 Rev. 2 requirements for protecting CUI
- FISMA — Federal Information Security Modernization Act standards applied to any federal data processed
- E-Government Act / Privacy Act of 1974 (5 U.S.C. § 552a) — Applicable to any federal agency personal data processed under contract
Sanctum SecOps LLC maintains a System Security Plan (SSP) and Plan of Action & Milestones (POA&M) as required by CMMC 2.0. These documents are available to authorized federal agencies upon request.
17. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or services. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Where feasible, notify affected individuals by email at least 30 days before the change takes effect
- For material changes affecting EEA/UK individuals' rights, seek fresh consent where required by GDPR
- Maintain a version history available upon request
Your continued use of our website or services after the effective date of any update constitutes your acknowledgment of the revised policy. If you disagree with any changes, you may exercise your rights under Section 10 or cease using our services.
18. Contact Information & How to Exercise Your Rights
For all privacy inquiries, rights requests, complaints, or questions about this policy:
| Channel | Details |
|---|---|
| Email (preferred) | bvicente@sanctumsecops.com — Subject: "Privacy Request" |
| Organization | Sanctum SecOps LLC |
| Jurisdiction | Pine City, New York, United States |
| Response time | Within 30 days (GDPR); within 45 days (CCPA/US state) |
Supervisory Authority Complaints (EEA/UK): If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office.
US Complaints: US residents with concerns about our privacy practices may contact the Federal Trade Commission at ftc.gov or their state Attorney General's office.