Verdrix is an AI-native threat modeling platform operated by Verdrix. This Privacy Policy describes how Verdrix collects, uses, stores, and protects information when you access or use the Verdrix platform and associated services ("the Service").
By using the Service, you acknowledge that you have read and understood this policy. If you do not agree with this policy, you should not use the Service.
This policy applies to all users of the Verdrix platform, including organisation owners, administrators, analysts, and viewers operating under a customer account.
When you register for an account, we collect your first name, last name, email address, company name, and a hashed representation of your password. We do not store your password in plaintext at any point.
We collect technical information to operate and improve the Service. This includes IP address, browser type and version, operating system, pages visited, session duration, and referring URLs. This data is collected automatically when you interact with the platform.
The core function of the Service requires you to input descriptions of your AI system architecture, including components, data flows, and configuration properties. This information is stored and processed to generate threat analyses and compliance reports on your behalf. This data remains your property — see Section 6 for details.
You may upload files as evidence attachments within the Risk Register. These files are stored and associated with your account and project. You should not upload files containing credentials, keys, or other secrets unrelated to security evidence.
Billing for paid subscriptions is handled by a third-party payment processor. We do not collect, store, or process payment card data directly. The payment processor's own privacy policy governs the handling of your payment information.
We do not sell your personal data to third parties. We do not use your data for advertising profiling or share it with data brokers.
The Verdrix platform is hosted on major cloud infrastructure providers. Data in transit is protected using TLS 1.2 or higher. Data at rest is stored with encryption mechanisms provided by the underlying infrastructure.
Tenant data is logically segregated by a unique tenant identifier. Each customer organisation's data is isolated from other customers at the application layer, meaning users from one organisation cannot access data belonging to another.
Access to production data is restricted to authorised Verdrix personnel with a legitimate operational need. We perform periodic internal security reviews of our platform and access controls.
No method of transmission over the internet or electronic storage is completely secure. While we apply industry-standard measures, we cannot guarantee absolute security of your data.
To deliver the Service, we share data with a limited set of trusted third-party processors under appropriate data processing agreements. Categories of processors include:
We do not permit these processors to use your data for any purpose other than providing the services we have contracted them to perform.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
To exercise any of these rights, contact us at privacy@verdrix.com. We will respond within the timeframe required by applicable law (typically 30 days). Where we cannot fulfil a request, we will explain why.
We use session cookies that are strictly necessary for authentication and to maintain your logged-in state. These cookies expire when your session ends or you log out.
We may use analytics cookies to understand how users navigate the platform. These cookies collect aggregated, anonymised information and do not track you across other websites.
We do not use third-party advertising cookies or tracking pixels.
You can configure your browser to block cookies, but doing so may prevent you from using authentication-dependent features of the Service.
The Verdrix platform may process and store data in regions outside your country of residence, including regions with different data protection standards. Where personal data is transferred across jurisdictions, we take appropriate measures to ensure the transfer is conducted in accordance with applicable legal frameworks, including, where required, the use of standard contractual clauses or equivalent safeguards.
The Verdrix platform is a professional security tool not directed at, and not intended for use by, persons under the age of 16. We do not knowingly collect personal data from children. If you believe a minor has submitted information through the Service, please contact us at privacy@verdrix.com and we will take appropriate action.
We may update this Privacy Policy from time to time. For changes that are material to how we collect or use your data, we will provide notice by email to the address associated with your account at least 14 days before the change takes effect.
The "Effective date" at the top of this page reflects the date of the most recent revision. Continued use of the Service after the effective date of a revised policy constitutes acceptance of the revised terms.
For privacy-related enquiries, data subject requests, or concerns about this policy: