Privacy Policy
Last updated · April 18, 2026
How we handle the data you and your organization trust us with — what we collect, why, and the controls you have over it.
Introduction
TitanDef Co. ("TitanDef," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use our software-as-a-service (SaaS) cybersecurity platform and related services (collectively, the "Service").
Please read this Privacy Policy carefully. If you do not agree with it, please do not access or use the Service.
Information We Collect
2.1 Personal Information (Account and Relationship Data)
We may collect personal information that you voluntarily provide when you register for an account, subscribe to our services, contact us for support, or participate in surveys, research, or feedback.
This information may include:
- Name and business contact information
- Company name and job title
- Email address and phone number
- Payment and billing information
2.2 Usage Data (Device, Telemetry, and Interaction Data)
We automatically collect certain information when you use the Service, including:
- IP address and general location information derived from IP (e.g., city/state)
- Browser type and settings
- Device identifiers, operating system, and related device information
- Usage patterns and feature interactions
- Diagnostic, performance, and security-related logs
2.3 Customer Data (Security Program Data Processed Through the Service)
When business customers use TitanDef to assess and monitor their security posture, TitanDef processes information submitted to, stored in, or generated through the Service ("Customer Data"). Customer Data may include, depending on configuration and use:
- Asset identifiers (e.g., domains, IP addresses, hostnames)
- Exposure and configuration metadata
- Security scan results, vulnerability findings, and related risk and remediation information
When you connect a Microsoft 365 tenant using the TitanDef M365 connector, TitanDef reads security posture data from your tenant via the Microsoft Graph API using read-only OAuth permissions. This data is treated as Customer Data and may include, depending on your Microsoft 365 license tier:
- Microsoft Secure Score and security control recommendations (all tiers)
- User MFA registration status and authentication method details (all tiers)
- Directory roles and privileged account membership (all tiers)
- Risky user signals and risk detections (requires Microsoft Identity Protection)
- Managed device inventory and compliance status (requires Microsoft Intune)
- Security incidents and alerts (requires Microsoft Defender)
- Conditional Access policy configurations (requires Azure AD P1/P2 or equivalent)
- Attack simulation and phishing training results (where Microsoft Defender Attack Simulation Training is in use)
TitanDef does not write to or modify your Microsoft 365 tenant in any way. All Graph API permissions requested are read-only. The data collected varies by your Microsoft 365 license tier as detected at connection time.
We do not intentionally seek to collect sensitive personal information (such as government identifiers, precise geolocation, or account passwords) through the Service. If such data is submitted or ingested, we will handle it in accordance with this Privacy Policy and applicable agreements and will take reasonable steps to minimize its collection and retention.
2.4 Derived Data and AI-Generated Inferences
When you use AI-powered features of the Service, including the AI Risk Advisor, TitanDef may generate derived data such as risk inferences, prioritized recommendations, and related outputs based on your Customer Data. This derived data is treated as Customer Data and is subject to the same access controls, retention schedules, and deletion rights described in this Privacy Policy.
Where the Service generates vector embeddings or similar representations to support AI functionality, those representations are treated as personal or organizational data where they can be linked back to your organization or individuals within it. They are not used beyond the scope of providing the Service to you.
2.5 Microsoft 365 Integration Data
The M365 connector uses an OAuth 2.0 admin consent flow. Connecting your Microsoft 365 tenant requires a Global Administrator or appropriate delegated administrator to grant TitanDef the read-only Microsoft Graph API permissions configured on the TitanDef enterprise application registration. These permissions are scoped to the data categories listed in Section 2.3 and are used only to read security posture information from your tenant.
At the time of admin consent, Microsoft displays the specific permissions being requested. You can review and consent to the exact scope set in your Microsoft Entra admin portal before authorizing the integration. A detailed scope list is available to business customers on request by contacting privacy@titandef.com.
Where TitanDef adds a new Microsoft Graph permission to its application registration, that change will be disclosed as a material update to this Privacy Policy and may require re-consent by your Global Administrator.
OAuth access tokens issued by Microsoft are encrypted at rest using AES-256-GCM before storage. TitanDef does not store your Microsoft account password. You can revoke TitanDef's access at any time by disconnecting the integration within TitanDef or by removing the TitanDef enterprise application from your Microsoft Entra ID tenant. Both methods immediately terminate TitanDef's ability to read data from your tenant.
On disconnection, cached M365 security data is deleted from TitanDef systems within 90 days, consistent with the Customer Data retention schedule in Section 7.
How We Use Your Information
We use information we collect for purposes including to:
- Provide, maintain, and support the Service
- Process payments and manage subscriptions
- Send technical notices, security alerts, and support messages
- Respond to inquiries and provide customer support
- Monitor, protect, and maintain the security of the Service (including detecting, preventing, and responding to fraud, abuse, and security incidents)
- Improve the Service and develop new features and functionality
- Create aggregated and/or de-identified insights (where permitted by law and contract) to improve platform performance, reliability, and security
- Comply with legal obligations and enforce applicable terms
- Send marketing communications where permitted by law, and provide opt-out mechanisms as required
3.1 AI Features and Model Training
TitanDef uses AI and machine learning to power features including the AI Risk Advisor. With respect to how your data interacts with these systems:
- Your Customer Data is used solely to provide the Service to you. It is not used to train, fine-tune, or improve AI models that serve other customers or third parties.
- TitanDef does not sell, license, or share Customer Data with AI model providers for training purposes.
- Any use of Customer Data for internal model improvement requires your explicit opt-in consent. You will be presented with a clear choice and can opt out at any time without affecting your access to the Service.
- AI-generated outputs, including risk scores, recommendations, and prioritization, are produced based solely on the Customer Data assembled for each request. To generate a response, your query and the relevant Customer Data are transmitted over encrypted channels to our AI inference sub-processor (see Section 4.1), which processes the request and returns an output. Under a written agreement with TitanDef, that sub-processor does not retain your data to train or improve its models.
Roles and Scope (Controller vs. Processor)
This Privacy Policy covers TitanDef's processing of personal information related to our own business operations (such as account administration, billing, support, and marketing).
When TitanDef processes Customer Data on behalf of a business customer, TitanDef typically acts as a service provider or processor and processes Customer Data in accordance with the customer's instructions and any applicable agreements (such as a Data Processing Addendum, where applicable). Business customers are responsible for determining the lawful basis and appropriate notices for collecting and using Customer Data within their organizations.
Data Security
We maintain a security program designed to protect information against unauthorized access, alteration, disclosure, or destruction. Our safeguards include, as appropriate:
- Encryption of data in transit and at rest
- Access controls based on least privilege, with authentication requirements appropriate to risk
- Ongoing monitoring, logging, and alerting to detect suspicious activity
- Secure development practices, including code review and vulnerability management
- Employee training on security and data protection practices
- Regular assessments and audits of security controls
No method of transmission over the Internet or electronic storage is 100% secure. While we work to protect information, we cannot guarantee absolute security.
6.1 Breach Notification
In the event of a confirmed data breach that presents material risk to affected individuals or organizations, TitanDef will notify affected customers within 72 hours of determining that a breach has occurred. Notification will include, to the extent known at the time: the nature of the breach, the categories of data involved, the likely consequences, and the measures taken or planned to address it.
We will cooperate with affected customers and applicable regulatory authorities as required by law.
6.2 Sensitive Organizational Data
TitanDef recognizes that Customer Data submitted through the Service — including security posture assessments, vulnerability findings, risk scores, compliance gaps, and Microsoft 365 security telemetry — constitutes sensitive operational information. We apply enhanced controls to this data, including:
- Strict role-based access controls limiting internal access to personnel with a documented need
- Logical separation of customer environments
- Encryption at rest using AES-256 or equivalent (including AES-256-GCM for M365 OAuth tokens)
- Audit logging of access to Customer Data by TitanDef personnel
This data is never accessed for purposes beyond operating, supporting, and improving the Service for your organization.
Data Retention
We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention periods by data type:
- Account, billing, and transactional records: 7 years to meet legal, tax, and accounting obligations
- Assessment and risk data (Customer Data): duration of active subscription plus 90 days following account termination or cancellation
- Microsoft 365 integration data (cached security telemetry): duration of active M365 connection plus 90 days following disconnection or account termination, whichever comes first
- Microsoft 365 OAuth tokens: deleted immediately upon disconnection or revocation; otherwise retained only for the duration of the active integration
- AI conversation history and query logs: retained for up to 180 days following creation, after which they are purged or anonymized. Conversations you delete are removed immediately and purged within 30 days.
- Security and diagnostic logs: 12 months to support security operations, troubleshooting, and incident investigations
- Aggregated and anonymized benchmarking data (not linkable to any individual organization): may be retained indefinitely for platform improvement
When we no longer need information for the purposes described above, we will securely delete or anonymize it, consistent with applicable technical constraints and legal requirements.
Your Rights and Choices
Depending on your location and applicable law, you may have certain rights regarding your personal information, including:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request a machine-readable export of your data (JSON or CSV format) within 30 days of your request
- Objection/Restriction: Object to or restrict certain processing
- Consent Withdrawal: Withdraw consent where processing is based on consent
- Opt-Out of AI Model Training: Opt out of any use of your data for AI model improvement (see Section 3.1)
To exercise these rights, please contact us using the information in the "Contact Us" section below. We may need to verify your identity before responding. Where permitted by law, you may designate an authorized agent to submit requests on your behalf.
You may also have the right to lodge a complaint with your local data protection authority.
8.1 Colorado Privacy Act (CPA) Rights
TitanDef is headquartered in Colorado and serves organizations in Colorado and across the United States. Colorado residents have specific rights under the Colorado Privacy Act, including:
- The right to access personal data we process about you
- The right to correct inaccurate personal data
- The right to delete personal data you have provided or that we have collected about you
- The right to obtain a portable copy of your personal data
- The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
To exercise your CPA rights, contact us at privacy@titandef.com. We will respond within 45 days, with a possible 45-day extension where reasonably necessary. California residents may exercise similar rights under the CCPA/CPRA by contacting us at the same address.
Automated Decision-Making and AI-Assisted Recommendations
TitanDef does not use personal information to make decisions that produce legal or similarly significant effects on individuals solely by automated means, without human review.
The AI Risk Advisor and related features generate security recommendations, risk prioritizations, and posture assessments based on your Customer Data. These outputs are advisory. They are designed to inform and support human decision-making, not replace it. TitanDef does not guarantee specific security outcomes based on AI-generated recommendations, and customers remain responsible for the security decisions they make using the Service.
Where AI-assisted features process Customer Data to produce recommendations or risk scores:
- Outputs are generated based on your organization's data only
- You may request information about how a specific AI-generated output was produced by contacting privacy@titandef.com
- You can opt out of AI-assisted features by contacting privacy@titandef.com, or by not using them — AI features are user-initiated and are never applied to your data automatically.
TitanDef monitors applicable state AI regulations, including the Colorado AI Act (effective June 2026), and will update its practices and disclosures as requirements take effect.
Third-Party Integrations
TitanDef offers integrations with third-party platforms to pull security-relevant data into the Service on your behalf. These integrations are optional and require your active authorization.
11.1 Microsoft 365 Connector
The Microsoft 365 connector reads security posture data from your Microsoft 365 tenant using the Microsoft Graph API. Key facts about this integration:
- Read-only access: TitanDef requests only read-only Graph API permissions. We do not create, modify, or delete any data in your Microsoft 365 tenant.
- Admin consent required: Connection requires a Microsoft 365 Global Administrator (or delegated equivalent) to complete the OAuth consent flow, which grants TitanDef access at the tenant level.
- Data pulled: Depends on your Microsoft 365 license tier. See Section 2.3 for a full list by tier.
- Token security: OAuth access and refresh tokens are encrypted at rest using AES-256-GCM. TitanDef does not store your Microsoft account password.
- Revocation: You can disconnect the integration at any time from within TitanDef, or by removing the TitanDef enterprise application from your Microsoft Entra ID tenant. Both methods immediately terminate TitanDef's ability to pull data.
- Data deletion on disconnect: Cached M365 security data is deleted from TitanDef systems within 90 days of disconnection.
Your use of Microsoft 365 is governed by your agreement with Microsoft. TitanDef is not responsible for Microsoft's data practices. We encourage you to review Microsoft's privacy documentation for the Microsoft Graph API and related services.
Third-Party Links
The Service may contain links to third-party websites or services. TitanDef is not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any external sites you visit.
Children's Privacy
The Service is intended for use by organizations and is not directed to children. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete it.
International Data Transfers
Your information may be transferred to and processed in countries other than your own. Where required by applicable law, TitanDef implements appropriate safeguards for international transfers, such as contractual protections (including Standard Contractual Clauses where applicable) and other lawful transfer mechanisms.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated Privacy Policy on this page and revise the "Last updated" date at the top of this document.
If changes are material, we will provide additional notice as appropriate, such as by notifying account administrators or posting a prominent notice within the Service.
Summary of material changes in this version:
- Named Anthropic PBC as the AI inference sub-processor for the AI Risk Advisor (§4.1, §3.1)
- Clarified that Microsoft Graph API scopes are those configured on the TitanDef enterprise application at consent time, shown by Microsoft at admin consent, and available on request (§2.5)
- Added attack simulation / phishing training data to the list of Customer Data categories pulled via the M365 connector (§2.3)
- Clarified retention for AI conversation history (§7)
- Corrected the AI opt-out mechanism to reflect the current product (§10)
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:

