Privacy Notice
This notice describes how O3 Security Inc. handles personal information. We tried to write it in plain English. Where law required us to use specific phrasing, we did.
Who we are
O3 Security Inc. ("O3", "we", "us") builds a software supply chain security platform for engineering and security teams. When this notice talks about "you", we mean the person we are collecting information about: a visitor to our website, a prospect we are in conversation with, or a user of the platform.
For data we collect about visitors and customers directly, O3 acts as the controller. For data our customers put into the platform (their code, their dependencies, their findings), O3 acts as a processor on behalf of that customer. The customer is the controller of that data. We say more about this in the "Data you put into the platform" section below.
What we collect
We try to collect only what we need. The categories are:
- Account information. Name, work email, company, role. Provided by you when you sign up or request a demo.
- Usage information. Pages you visit on the website, features you use in the platform, time of access, browser and device basics. Collected automatically.
- Communications. Anything you send us (support tickets, sales emails, calendar invites). Stored for as long as we need it to keep the conversation going.
- Billing information. If you become a paying customer, we collect what is needed to invoice you. Card data is handled by our payment processor, not by us.
- Cookies and similar. See the cookies section below.
How we use it
We use personal information for the things you would expect:
- To run the website and the platform, including authentication, billing, and customer support.
- To improve the product. We look at aggregated usage to understand what is working and what is confusing.
- To talk to you. If you asked for a demo or signed up for updates, we will contact you. You can opt out of marketing communications at any time.
- To meet legal and regulatory obligations, including responding to lawful requests and protecting against fraud or abuse.
Data you put into the platform
When a customer uses the O3 platform, the customer chooses what data the platform receives: code, dependency manifests, container images, runtime telemetry, SBOM data, and so on. That data may contain personal information that the customer is the controller of.
For that data, O3 acts as a processor. We process it only on the customer's documented instructions, as defined in our Data Processing Addendum (DPA). We will not use customer data to train general-purpose models. We will not access customer data except as needed to provide and improve the service for that customer, troubleshoot a problem, or as required by law.
Customers with regulated workloads can deploy the platform in air-gapped or single-tenant configurations where customer data never leaves their perimeter.
How long we keep data
We keep personal information for as long as we need it for the purposes it was collected, plus what we are required to keep for legal or accounting reasons. Account data is deleted on request unless we are legally required to retain it. Aggregated and anonymized data may be retained for longer.
How we protect it
We are a security company. We hold ourselves to the standards we measure others by. Specifically:
- Data in transit is protected with TLS 1.3.
- Data at rest is encrypted with AES-256.
- Access to production systems is restricted, logged, and reviewed.
- We run continuous monitoring on our own infrastructure, including the platform we sell.
- We are SOC 2 Type II and ISO 27001 certified. Audit reports are available on request under NDA.
No system is perfect. If we ever experience an incident affecting your personal information, we will notify you and the appropriate regulators within the timeframes required by law.
Your rights
Depending on where you live, you may have rights over your personal information, including the right to access, correct, delete, port, or restrict our use of it. You may also have the right to object to certain processing and to withdraw consent where consent is our legal basis.
Specific notes:
- India (DPDP Act 2023). You can ask for a summary of what we hold, ask us to correct or erase it, and nominate a person to act on your behalf. Contact us at the address below and we will respond within the timelines the Act specifies.
- European Economic Area and UK (GDPR / UK GDPR). You have the rights listed above. You can also complain to your supervisory authority if you believe we are mishandling your data.
- California (CCPA / CPRA). You have the right to know what we collect, ask us to delete it, correct it, and limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising.
To exercise any of these rights, contact us using the details at the bottom of this page. We will not discriminate against you for exercising them.
International transfers
O3 operates internationally. Personal information we collect may be transferred to, stored in, or processed in countries other than your own. When we do this, we use appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms required by Indian and other applicable laws.
Children
Our website and platform are not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe we have collected data from a child, please contact us and we will delete it.
Changes to this notice
We may update this notice when our practices change or the law requires it. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you directly. Continued use of the website or platform after a change means you accept the updated notice.
Contact us
Privacy questions, data subject requests, or anything in this notice that needs clarifying: [email protected].
Postal address:
O3 Security Inc.
(registered address on the contact page)
For matters relating to our processing of customer data on behalf of an enterprise customer, please reach out through your customer success contact or at [email protected].