Last Updated: March 6, 2026

Privacy Policy

EtcSec is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use our identity security audit platform.

Data Controller

EtcSec is the data controller for the personal data collected through our platform at etcsec.com. For any questions regarding data processing, you can contact our Data Protection Officer at:

[email protected]

Information We Collect

Account Data

  • Email address and name (at registration)
  • Organization name
  • Authentication credentials (hashed, never stored in plain text)

Audit Data

Identity security audit results submitted via the EtcSec Collector, covering Active Directory, Azure AD/Entra ID, Microsoft Intune, Exchange Online, and Google Workspace configurations.

Self-Hosted Architecture

Audit data is collected by our open-source collector running on your infrastructure. In standalone mode, all data stays local. In SaaS mode, processed security findings are transmitted to EtcSec over an encrypted TLS connection using consumable authentication tokens. You choose the deployment model.

Usage Data

  • Browser type, IP address, pages visited
  • Feature usage analytics (anonymized)

How We Use Your Information

  • Provide and maintain the identity security audit service
  • Generate security reports, MITRE ATT&CK mappings, and remediation recommendations
  • Send service communications (security alerts, product updates)
  • Improve our platform and expand our 369+ security checks
  • Comply with legal obligations

Data Storage & Security

  • Data hosted within the European Union
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Consumable authentication tokens (no persistent API keys)
  • Regular security audits of our own infrastructure
  • Access controls and audit logging

Data Sharing

We do not sell your data. We do not share your personal data with third parties for marketing purposes.

We may share limited data only with:

  • Infrastructure providers necessary to operate the service (hosting, CDN)
  • As required by applicable law or legal process

We do not transfer personal data outside the European Union without adequate safeguards in compliance with GDPR.

Your Rights Under GDPR

As a data subject, you have the following rights:

Right to Access

Request a copy of your personal data

Right to Rectification

Correct inaccurate personal data

Right to Erasure

Request deletion of your personal data

Right to Restrict Processing

Limit how we use your data

Right to Data Portability

Receive your data in a portable format

Right to Object

Object to certain processing activities

To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) or your local supervisory authority.

Cookies

We use only essential cookies required for the platform to function. We do not use third-party tracking cookies or advertising cookies.

Cookie | Purpose | Duration
etcsec_access_token | Authentication session | 24 hours
etcsec_refresh_token | Session renewal | 7 days
etcsec_theme | UI theme preference | Persistent

Data Retention

  • Account data: Retained while your account is active, plus 30 days after deletion
  • Audit data: Retained according to your plan (30 days for Free, 90 days for Essentials, 1 year for Professional and above)
  • Usage logs: 90 days

Changes & Contact

We may update this privacy policy from time to time. We will notify you of any material changes by email. The “Last Updated” date at the top of this page indicates when the policy was last revised.

For any questions about this privacy policy or our data practices, please contact us at [email protected] or visit our contact page.
