Privacy Policy

Last Updated: March 2026

1. Introduction

DriftAlarm ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the DriftAlarm platform at www.driftalarm.com. This policy applies to all users of the Service. Effective date: March 2026.

2. Information We Collect

2a. Account Information

  • Email address (from Microsoft Azure AD External ID authentication)
  • Display name
  • Organization name (if provided)
  • User ID (assigned by authentication provider)
  • Tier and subscription status
  • Activation milestones (first asset added, first scan completed, alerts configured)

2b. Scan Target Information

  • Domain names and IP addresses/ranges you submit for scanning
  • Scan results including discovered vulnerabilities, open ports, SSL certificates, DNS records, subdomains
  • Asset inventory data (subdomains, IPs, ports, URLs, technologies)
  • Drift detection data (baselines, change events, alarm configurations)
  • Deep security scan results (DAST findings, SSL/TLS analysis, web server analysis)

2c. AI Processing Data

  • Scan findings sent to Anthropic's Claude API for remediation guidance, risk scoring, and report generation
  • Technology stack data sent for AI analysis
  • AI-generated content (remediation advice, executive reports, risk assessments)
  • Anthropic's commercial API does not use inputs/outputs for model training

2d. API Key Data

  • API key names and scopes (user-defined)
  • API key hashes (SHA-256 — full key never stored)
  • API key usage: request count, last used timestamp, last used IP address

2e. Analytics and Usage Data

  • Google Analytics data (page views, session duration, feature usage)
  • Activation tracking events (onboarding wizard completion, first scan, alert configuration)
  • Feature usage patterns (scan types used, reports generated, tools accessed)
  • Browser type, device type, and IP address

2f. Communication Data

  • Onboarding email engagement (5-email drip sequence for trial users)
  • Notification channel configurations (email addresses, Slack webhook URLs, generic webhook URLs)
  • Email opt-out preferences

3. How We Use Your Information

  • Provide and operate the scanning and monitoring services
  • Generate scan reports, vulnerability assessments, and AI-powered analysis
  • Detect configuration drift and trigger alarm notifications
  • Send service notifications, security alerts, and onboarding emails
  • Process subscription management (via sales@driftalarm.com — no automated billing)
  • Analyze and improve Service performance and reliability
  • Enrich scan data with third-party intelligence (GreyNoise IP reputation, Certificate Transparency logs, RDAP registration data)
  • Respond to support requests

4. Data Sharing and Third-Party Services

We do NOT sell your personal information. We share data with the following categories of third parties:

  • Microsoft Azure — All platform data for cloud hosting, storage, and authentication (East US region)
  • Anthropic — Scan findings and technology data for AI-powered analysis and remediation (Claude API)
  • GreyNoise — IP addresses for reputation classification (24-hour cache)
  • Microsoft Graph API — Email addresses and notification content for email delivery (alerts and onboarding)
  • Google Analytics — Anonymized usage data for analytics and service improvement
  • Certificate Transparency Logs — Domain names for subdomain discovery (crt.sh)
  • RDAP Registries — Domain names for registration data lookup

Legal requirements: We may disclose data when required by law, court order, or governmental authority. Business transfers: In connection with a merger, acquisition, or sale of assets.

5. Data Retention

  • Scan result files: 90 days (30 days active → 30 days Cool tier → deletion via Azure Blob lifecycle)
  • Asset findings: Retained while asset is active. Deleted when asset is removed (hard delete across all resources)
  • Drift events & baselines: Retained while asset is active. Deleted with asset removal
  • GreyNoise cache: 24 hours (automatically refreshed)
  • AI remediation cache: 7 days (cached per CVE/template + asset type)
  • User account data: Retained while account is active. Deleted within 90 days of account closure
  • Onboarding email records: Retained while account is active (tracks sent emails for deduplication)
  • Weekly/monthly reports: Retained per blob lifecycle policy (stored in Azure Blob Storage)

6. Data Security

  • Encryption at rest: Azure Storage encryption (AES-256)
  • Encryption in transit: HTTPS/TLS for all connections
  • Authentication: Microsoft Azure AD External ID (CIAM) with JWT tokens
  • API key security: SHA-256 hashed storage, full key shown only once at creation
  • Per-user data isolation: all scan data partitioned by user ID
  • Access controls: role-based access via CIAM
  • Scan data isolation: separate result IDs per scan type (discovery, vuln-scan, deep-security)
  • No plaintext credentials stored

7. Cookies and Local Storage

We use minimal browser storage:

  • Local Storage — Theme preference: Persists UI theme selection (indefinite)
  • Local Storage — Tier cache: Caches subscription tier for performance (session)
  • Session Storage — JWT tokens: Authentication state (session)
  • Cookies — MSAL auth: Microsoft authentication library (session)

We do NOT use third-party advertising cookies. Google Analytics uses its own cookies for aggregate analytics.

8. Your Rights

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data (data removed across all resources)
  • Export your scan data (CSV/JSON export available in-platform)
  • Opt out of onboarding emails (toggle in Settings)
  • Opt out of marketing communications

To exercise these rights, email support@driftalarm.com. Response time: within 30 days.

9. GDPR (European Users)

Lawful basis for processing:

  • Contract performance: providing scanning and monitoring services you requested
  • Legitimate interest: service improvement, security, analytics
  • Consent: onboarding email sequence (opt-out available)

Data controller: DriftAlarm. Data processor: DriftAlarm processes scan data on behalf of you (the controller of the scanned assets).

Data subject rights: access, rectification, erasure, restriction, portability, objection.

Data Processing Agreement: available at our DPA page for customers requiring formal DPA documentation.

International transfers: Data processed in Azure East US (United States); Standard Contractual Clauses available on request. Data Protection Officer: Contact support@driftalarm.com.

10. CCPA (California Users)

  • Categories of personal information collected: identifiers (email, name), internet activity (scan usage, IP address), commercial information (subscription tier)
  • We do NOT sell personal information — not now, not ever
  • Right to know: Request disclosure of data collected about you
  • Right to delete: Request deletion of your personal information
  • Right to opt out: No sale of data to opt out of
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise CCPA rights, email support@driftalarm.com.

11. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and posted on the Service. We will provide at least 30 days' notice for material changes affecting data processing.

13. Contact Us

For privacy inquiries or to exercise your rights, contact us at support@driftalarm.com.

14. Related Policies

Terms of Service|Privacy Policy|Acceptable Use|DPA