Privacy Policy

Last Updated: March 29, 2026 · Effective immediately

This Privacy Policy describes how VM360 Platform ("we", "us", or "our") collects, uses, and protects information about you when you use our cybersecurity vulnerability management platform.

1. Information We Collect

• Account Information: Name, email address, username, and password hashes.
• Organizational Data: Institution name, billing details, and subscription telemetry.
• Security Data: VAPT findings, asset metadata, and remediation logs provided by your organization.
• Technical Logs: IP addresses and session data required for audit trails and security monitoring.

2. Data Isolation & Multi-Tenancy

VM360 is built on a "Zero-Leak" architecture. All data is isolated by unique organization_id keys. We employ row-level isolation and encrypted query-scoping to ensure that no organization can ever access another organization’s data.

3. Data Retention

We retain your account data for the duration of your active subscription plus 90 days. Audit logs are retained per your organization's compliance policy (defaulting to 12 months for banking standards). Full data export is available via the Settings module.

4. Security Standards

We implement industry-grade security controls: bcrypt password hashing (cost 12), TOTP two-factor authentication, CSRF protection, TLS 1.3 encryption in transit, and AES-256 encryption at rest for sensitive findings.

5. Contact & DPA

For privacy inquiries or Data Processing Agreement (DPA) requests, please contact our privacy office at privacy@vm360.com.