Contents
- Introduction
- Data Protection Officer
- How we collect and use (process) your personal information
- Use of the Exaforce.com website
- Cookies and tracking technologies
- When and how we share information with third parties
- Transferring personal data to the U.S.
- Data Subject rights
- Security of your information
- Data storage and retention
- Do Not Sell or Share My Personal Information
- Data Deletion and Opt-Out Requests
- Subject Access Requests (SARs)
- Global Privacy Control (GPC) & Do Not Track (DNT) Compliance
- Compliance Reporting and Audit Trail Maintenance
- Children’s Data
- Questions, concerns, or complaints
1. Introduction
Exaforce's mission is to significantly simplify enterprise security using autonomous BOTs. Our first BOT, Exabot Detect, solves the problem of threat detection and risk visibility for customers’ applications and identities in cloud [IaaS and SaaS].
We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes Exaforce’s policies and practices regarding its collection and use of your personal data and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and we will update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.
2. Data Protection Officer
Exaforce is headquartered in California, in the United States. Exaforce has appointed an internal Data Protection Officer for you to contact if you have any questions or concerns about Exaforce’s personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to Exaforce’s data protection officer:
Nuno Ferreira
Exaforce
2570 N First St, Suite 300, San Jose, CA 95131, USA
dpo@exaforce.com
+1 – 408-547-0446
3. How We Collect and Use (Process) Your Personal Information
Exaforce collects personal information about its website visitors and customers. With a few exceptions, this information is generally limited to:
- Name
- Job title
- Employer name
- Work address
- Work email
- Work phone number
We use this information to provide prospects and customers with services. We do not sell personal information to anyone and only share it with third parties who facilitate the delivery of our services.
Exaforce is committed to consumer privacy rights, and we:
- Do Not Sell or Share Personal Information.
- Do Not Collect Sensitive Personal Information.
- Provide a mechanism for your PII to be removed from our systems by exercising the Opt-Out Preference Signal available on our website (https://exaforce.com) or by emailing our DPO directly at dpo@exaforce.com.
4. Use of the Exaforce Website
Exaforce’s website collects certain information automatically and stores it in log files. This may include IP addresses, general location, browser type, operating system, and usage information about site visits.
We use this data to analyze trends, improve website functionality, and enhance security. In compliance with UDSP, California Privacy Rights Act (CPRA), and GDPR, you may submit a Subject Access Request (SAR) to access, correct, or delete your personal data. Please send an email to dpo@exaforce.com with details of your request. Our Data Protection Officer will respond per regulatory timelines.
5. Cookies and Tracking Technologies
Exaforce has a Cookie Notice available at https://exaforce.com that describes the cookies and tracking technologies used on the Exaforce website and provides information on how users can accept or reject them.
6. When and How We Share Information with Third Parties
The personal information Exaforce collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval.
A list of our third-party sub-processors includes:
- Google Workspace (subprocessors)
- AWS (subprocessors)
- Anthropic (subprocessors)
- Snowflake (subprocessors)
We do not otherwise disclose your personal data unless required by law, to protect rights and safety, or as part of service agreements.
7. Customer-Enabled AI Integrations
Customers may, at their discretion, enable third-party AI integrations that allow large-language-model providers to query the Exaforce platform on the customer's behalf. The Exaforce MCP (Model Context Protocol) connector for Anthropic Claude is one such integration.
When a customer enables the MCP connector:
- AuthorizationAuthorization flows through OAuth 2.1 with PKCE. Exaforce does not store the customer's Anthropic / Claude credentials. The customer authorizes Anthropic's client via a one-time consent flow scoped to their Exaforce tenant.
- Data FlowQueries the user issues through Claude that invoke Exaforce tools, and the data Exaforce returns in response, transit Anthropic's infrastructure as part of normal Claude operation. Anthropic processes this data under their published privacy policy and sub-processor agreements (https://trust.anthropic.com).
- Tenant ScopingTool calls executed via the MCP connector are scoped to the calling user's Exaforce tenant. Exaforce does not expose data from other tenants through the connector.
- Disable / RevokeCustomers may revoke the MCP connector at any time via the Exaforce or Claude UI, which immediately invalidates the OAuth token and prevents further data access.
Use of any third-party AI integration is the customer's choice; Exaforce does not enable such integrations by default.
8. Transferring Personal Data to the U.S.
Exaforce is headquartered in the U.S., and all personal data is processed in the U.S. By using Exaforce’s services, you acknowledge that your data may be transferred to and processed in the United States. We apply suitable safeguards to protect personal data, including binding contractual clauses with vendors and compliance with GDPR regulations.
9. Data Subject Rights
You have rights under GDPR and other privacy laws, including:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right of data portability
- Right to object
- Rights related to automated decision-making
To exercise these rights, contact privacy@exaforce.com.
10. Data Storage and Retention
Exaforce retains personal data only for as long as necessary for business, regulatory, or legal obligations.
- Deletion Requests: Personal data may be deleted upon verified request from data subjects or their authorized agents.
- Storage Location: Data is stored securely on AWS and Google Cloud.
11. Do Not Sell or Share My Personal Information
Exaforce does not sell or share personal information. However, under certain privacy regulations (e.g., CPRA, UDSP), consumers have the right to explicitly opt out of personal data sharing. We provide a "Do Not Sell or Share" button on our website and a web form to manage these requests.
12. Data Deletion and Opt-Out Requests
- Users can request deletion of their personal information via our web form or by contacting privacy@exaforce.com.
- Requests will be acknowledged within 10 days and completed within 45 days unless legal obligations require otherwise.
- Users will receive confirmation when their data has been successfully deleted.
13. Subject Access Requests (SARs)
- Exaforce acknowledges receipt of SARs within 10 days.
- SARs (e.g., data access, corrections, deletions) are processed within 45 days.
- Exaforce maintains records of SARs for 24 months.
14. Global Privacy Control (GPC) & Do Not Track (DNT) Compliance
- Exaforce’s website supports GPC signals and Do Not Track (DNT) requests.
- If a user’s browser sends a GPC signal, Exaforce will automatically apply opt-out settings.
15. Compliance Reporting and Audit Trail Maintenance
- Exaforce maintains detailed logs of all user privacy interactions, including opt-outs, data access, modifications, and deletions.
- Regular compliance reports are generated to track:
- Number of opt-out, deletion, and SAR requests processed.
- Response timelines and outcomes.
- Vendor compliance with data handling obligations.
- Audit logs are stored for at least 24 months.
16. Children’s Data
Exaforce does not knowingly attempt to solicit or receive information from children. If we discover that we have collected personal data from a child, we will delete it promptly.
17. Questions, Concerns, or Complaints
If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at:
Nuno Ferreira
Exaforce
2570 N First St, Suite 300, San Jose, CA 95131, USA
dpo@exaforce.com
+1 – 408-547-0446