SentinelSMB LLC ("SentinelSMB," "we," "us," or "our") is a cybersecurity monitoring service operated by Cole Kingsley in Bismarck, North Dakota. This Privacy Policy explains what information we collect, how we use it, who we share it with, how we protect it, and your rights regarding that information.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is incorporated into and subject to our Terms of Service.
Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, company name, industry, and billing information. Payment card details are processed and stored by Stripe; we do not receive or store your full credit card number on our systems.
1.2 Security Event Metadata
When you connect a Cloud Platform (Microsoft 365, Google Workspace, AWS, or Cloudflare), we collect and process security event metadata from that platform, including:
- Timestamps of events
- IP addresses associated with login attempts and other activities
- User identifiers (email addresses, user IDs, service account names)
- Event types and categories (login success/failure, permission changes, email rule modifications, API access patterns)
- Geographic location data derived from IP addresses
- User agent strings and device information from audit logs
What we do NOT collect: SentinelSMB does not read, store, or process the contents of your emails, documents, files, calendar entries, or messages. We access only audit logs, sign-in activity, and administrative event data provided by platform APIs. We do not access file contents, email bodies, or message contents.
1.3 Integration Credentials
To monitor your Cloud Platforms, we store OAuth refresh tokens (for Microsoft 365 and Google Workspace), API access keys (for AWS), and API tokens (for Cloudflare). These credentials are encrypted at rest in our database and are used solely to authenticate API requests for security monitoring.
1.4 AI-Generated Data
For each security event, our AI systems generate triage analyses, severity classifications, plain-English explanations, compliance framework mappings, and remediation suggestions. This AI-Generated Content is stored alongside the event data it relates to.
1.5 Threat Intelligence Data
IP addresses detected in your security events are checked against third-party threat intelligence services (AbuseIPDB, Shodan InternetDB, IPapi) to determine reputation scores, geographic origin, and known malicious activity. The results of these lookups are stored with the associated event.
1.6 Usage Data
We collect basic information about how you interact with the SentinelSMB dashboard, including pages visited, features used, and session timestamps. We use essential cookies for authentication and session management only.
How We Use Your Information
We use the information we collect for the following purposes:
- To monitor your connected Cloud Platforms for security threats, anomalies, and suspicious activity
- To generate automated event triage, severity scoring, compliance mappings, and remediation suggestions
- To deliver security alerts via your configured notification channels (email, Slack, SMS, Microsoft Teams, PagerDuty)
- To produce daily security digest summaries
- To calculate and display your Security Score
- To execute Remediation Actions that you initiate through the dashboard
- To process payments, manage your subscription, and communicate about billing
- To respond to your support requests and communications
- To improve the accuracy, performance, and reliability of the Service
- To comply with legal obligations, including breach notification requirements
Data Sharing and Subprocessors
We do not sell, rent, or share your personal information or Customer Data with third parties for marketing or advertising purposes. We share limited data with the following service providers ("Subprocessors") solely to operate the Service:
| Subprocessor | Location | Purpose | Data Shared |
|---|---|---|---|
| Supabase | United States | Database and authentication | Account data, event metadata, integration credentials (encrypted) |
| Vercel | United States | Frontend hosting | Web traffic, session data |
| DigitalOcean | United States | Monitoring agent infrastructure | Event metadata during processing |
| Anthropic | United States | AI event triage and analysis | Event metadata (IP addresses, event types, user identifiers) for AI analysis |
| Stripe | United States | Payment processing | Billing information, email address |
| Resend | United States | Email delivery | Email address, alert content, digest summaries |
| Twilio | United States | SMS delivery | Phone number, alert summaries |
| AbuseIPDB | United States | IP threat intelligence | IP addresses only |
| Shodan | United States | IP reconnaissance data | IP addresses only |
| IPapi | United States | IP geolocation | IP addresses only |
We may also disclose your information if required to do so by law, subpoena, court order, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
We will provide notice of material changes to our Subprocessor list by updating this Privacy Policy and, for material additions, by notifying active customers via email.
AI Processing Disclosure
Security event metadata from your Cloud Platforms is sent to the Anthropic API for automated analysis. The data sent to Anthropic includes event types, IP addresses, user identifiers, timestamps, and contextual information about the detected activity. Anthropic processes this data to generate triage analyses, severity classifications, and remediation suggestions. Anthropic does not use data submitted through its API to train its AI models.
Data Storage and Security
Customer Data and Integration Credentials are stored in Supabase with encryption at rest. Integration Credentials are stored separately from event data. Our monitoring agent infrastructure is hosted on DigitalOcean in the United States. All data in transit is encrypted using TLS.
We implement commercially reasonable security measures to protect your data, including:
- Encryption in transit (TLS) for all web and API communications
- Encryption at rest for stored data via Supabase
- OAuth 2.0 for Cloud Platform integrations (we do not store your platform passwords)
- Row-level security policies on database tables
- HMAC signature verification for internal webhook communications
- Access to production systems limited to authorized personnel
No method of electronic storage or transmission is 100% secure. While we strive to use commercially reasonable means to protect your data, we cannot guarantee absolute security.
Data Retention
- Security event data and AI-Generated Content: Retained for twelve (12) months from the date of creation. Data older than 12 months is automatically purged. This retention period applies regardless of subscription status to support compliance and audit requirements under applicable regulatory frameworks.
- Integration Credentials: Deleted within 7 days of disconnection or account cancellation
- Account information: May be retained for up to 12 months after cancellation for legal and billing purposes
- Payment records: Retained by Stripe in accordance with financial recordkeeping requirements
- Anonymized, aggregated data: May be retained indefinitely for service improvement and research
Upon cancellation, security event data will continue to be retained for the remainder of the 12-month retention window from the date each record was created, then automatically purged. You may request earlier deletion by contacting us, though early deletion may affect your ability to demonstrate regulatory compliance.
Your Rights
You have the right to:
- Access the personal data and Customer Data we hold about you
- Correct inaccurate or incomplete data
- Delete your data (subject to legal retention obligations)
- Export your security event data in a machine-readable format
- Disconnect any Cloud Platform integration at any time from your dashboard
- Cancel your subscription at any time through your dashboard
- Object to processing of your data for purposes beyond service delivery
To exercise any of these rights, contact us at support@sentinelsmb.co. We will respond to requests within 30 days.
State Privacy Law Compliance
8.1 North Dakota
SentinelSMB complies with North Dakota Century Code Chapter 51-30, which requires notification to affected individuals in the event of a data breach involving personal information. If we become aware of a breach affecting your personal information, we will notify you in accordance with NDCC 51-30 requirements.
8.2 California (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information we collect and how we use it, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your California privacy rights, contact us at support@sentinelsmb.co.
8.3 Other States
If you are located in a state with applicable consumer privacy legislation (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, and Tennessee), you may have additional rights regarding your personal information. Contact us to exercise those rights.
International Users
SentinelSMB is operated from the United States. All data is stored and processed in the United States. If you access the Service from outside the United States, you acknowledge that your data will be transferred to and processed in the United States, which may have different data protection standards than your jurisdiction.
If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your data under the legal basis of contractual necessity (to provide the Service) and legitimate interest (to maintain security and improve the Service). You may exercise your rights under applicable data protection law, including the right to lodge a complaint with your local data protection authority, by contacting us.
Cookies and Tracking
SentinelSMB uses only essential cookies required for authentication, session management, and security. We do not use advertising cookies, third-party tracking cookies, or analytics pixels. We do not participate in cross-site tracking or targeted advertising.
Children
The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify active customers by email at least 30 days before the changes take effect. The updated Privacy Policy will be posted at sentinelsmb.co/privacy with a revised "Last updated" date. Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.
Contact
SentinelSMB LLC
Cole Kingsley, Founder
Bismarck, North Dakota
support@sentinelsmb.co
sentinelsmb.co