Trial privacy notice
Short version of what happens to your data during the anonymous trial at etcsec.com/trial. Effective 2026-04-16.
What we collect
- Email (optional) — only used to send you the audit report link.
- IP address, stored as sha256(ip + daily_salt), never in plaintext. Used for rate-limiting and abuse detection.
- User agent, stored as a SHA-256 hash.
- Active Directory / Microsoft Entra ID configuration you submit — LDAP host, bind DN, bind password, or Azure tenant/client/secret. Encrypted with AES-256-GCM using a server-only key before it hits the database.
- Audit findings — severity counts, category buckets, attack paths, top affected entity names (sampled to ≤50 names per finding). No raw LDAP data is retained.
- Consent record — the timestamp, IP hash, UA hash, and exact clause text you accepted on the first screen.
How long we keep it
- Credentials (encrypted) — wiped from the database the moment the audit is parsed (usually within a few seconds of the collector reporting back). If that inline wipe fails, a 5-minute background job catches up.
- Command payloads — the decrypted configuration we hand to the collector lives in a pending queue row. It is overwritten with {} when the command completes.
- Audit findings, score, attack paths — 7 days, then hard-deleted via DELETE … ON DELETE CASCADE.
- Consent log — 7 days (cascaded). We keep the clause version+text so we can prove what you agreed to if legal asks.
What runs on your side
The one-liner you run in step 4 downloads our signed Go collector binary (v3.0.20+), extracts it to a temporary directory, runs one audit, reports the result back over HTTPS, and exits. The script uses trap EXIT rm -rf on the temp directory. No systemd service is installed, no configuration file is written to disk, no token is saved to your machine. You can inspect the installer script at get.etcsec.com/install-trial.sh.
Sub-processors
- Cloudflare — TLS termination, Turnstile captcha (your IP is processed to verify the captcha challenge).
- SMTP provider — used to email the audit link + PDF if you opted in.
We do not share trial data with any other third party.
Your rights
You can ask us to delete your trial data before the 7-day expiry by emailing [email protected] with your view-token URL or the email address you used. We'll purge the matching session row (cascade drops everything else). You have the usual GDPR rights of access, rectification, erasure, and complaint.
Security
- AES-256-GCM encryption at rest for all submitted credentials.
- TLS 1.2+ end-to-end.
- Trial API is isolated in its own Postgres schema (trial) with service-role access only. Production collector and SaaS customer endpoints refuse any tcol_/tapi_ token.
- Strict rate limit (3 sessions/IP/24h, 60/h global) + Cloudflare Turnstile.
Contact
Questions? [email protected]. For security issues, [email protected].
