Privacy Policy

We collect the following categories of information:

• Account information: full name, work email, company name, title, phone, industry. Required at signup for client primary accounts.
• Authentication metadata: session timestamps, IP address, user-agent, multi-factor authentication device identifiers.
• Engagement data: the documents, evidence, and assessments you upload to the vault, plus the controls and tasks you create or complete.
• Plugin-collected evidence: data ingested via connected integrations (Okta, GitHub, AWS CloudTrail, and similar) under credentials you provide.
• Audit log records: every state change in the platform is recorded in an append-only audit log with prev_hash / row_hash chain.
• Billing information: processed by Stripe; we do not store full card details on our servers.

We use the information we collect to:

• Operate the consulting platform and the Mission Brief diagnostic.
• Generate readiness scores, quarterly reports, and practitioner-signed attestations.
• Detect and respond to security incidents, including audit-chain anomalies and suspicious access patterns.
• Comply with our regulatory obligations (HIPAA, PCI-DSS, CMMC, TSA, and FMCSA where applicable to our role).
• Communicate service-related notifications, including evidence-review approvals and expiry warnings.

Key 102 uses an AI advisor named Tammie to accelerate intake interviews, gap analysis, and the drafting of findings, policy text, and readiness summaries. The following describes what AI processing does — and, just as importantly, what it does not do.

• What gets processed: intake answers you submit, documents and evidence you upload to your engagement, and the context of your active compliance conversation. Personal information that is not relevant to the compliance work is not sent to the AI advisor.
• What the AI does: drafts preliminary scope, surfaces likely control gaps, suggests evidence to collect, and helps shape findings and policy text. All output is labeled as an automated draft from self-reported data.
• What the AI does not do:attest that a control is satisfied, tell you that you are compliant, set scope or price as final, or treat self-reported answers as verified facts. No deliverable is issued on the AI’s authority.
• Human attestation gate:every Mission Brief, quarterly report, SSP, POA&M, SPRS affirmation, and any other regulator-facing artifact is reviewed and signed by a named Key 102 practitioner before it is delivered. Their name appears on every signed page. Specialty-credentialed sign-offs (Cyber AB RP, HIPAA Security Officer, PCI QSA) restore as those credentials and 1099 network members activate.
• Sub-processor: AI inference is performed by Anthropic, PBC under their commercial terms and privacy policy. Anthropic does not train on customer data submitted through the API.
• Telemetry retention: AI invocation metadata (request id, latency, token counts, model id, cost) is recorded for reliability and cost-cap enforcement. Prompt and completion bodies are retained only as long as the underlying engagement record is retained, subject to the retention schedule in section 7 below.

• Sub-processors strictly necessary to operate the Services (e.g., Stripe for billing, Resend for transactional email, AWS for hosting).
• Auditors, regulators, or law enforcement when legally required.
• The named practitioners assigned to your engagement.