Privacy Policy
How Scrutineer, the compliance and risk platform that maps controls, gathers evidence and scores vendor risk, collects, uses and protects your information. Last updated: June 2026.
The short version
Scrutineer is a governance, risk and compliance platform. We collect the account details you give us, the framework selections, evidence and vendor information you submit to the service, and basic analytics and log data, so we can run the product and improve it. We process your compliance and vendor data to map it against controls, flag gaps and score risk, and we return a readiness report. We never sell your data, and the evidence and findings you create stay yours.
What this policy covers
This policy explains what we collect when you visit scrutineer.ai, create an account, run a scrutiny, upload evidence, assess a vendor, or contact us. It covers the Scrutineer website and product, which maps your controls against SOC 2, ISO 27001, HIPAA, GDPR and PCI, gathers and links evidence, flags gaps and scores third-party risk, returning an evidence-linked readiness report and a prioritized remediation list.
Controller and processor roles
For the evidence and vendor data your organization uploads or generates through a scrutiny, your organization is the data controller and Scrutineer acts as a processor, handling that data only on your instructions to provide the service. For our own account, billing and website data, such as the details you give us when you sign up, Scrutineer is the controller. If you are a third party that one of our customers has assessed and you have a question about your data, please contact that customer, and we will support their request.
Compliance and vendor data
To run a scrutiny, Scrutineer processes the framework and controls you select, the policies, configurations, logs and other evidence you submit, the vendor and third-party details you enter, and the resulting scores, findings, rationale and remediation items. We process that data to map controls, link evidence, flag gaps, score risk and operate the service for you. As between you and us, you keep all rights to your evidence, vendor data and reports. We use this data only to provide the service, and we do not sell it or share it for anyone else's marketing.
Information we collect
- Account information. The email address you provide when you sign up, and any optional details you choose to share, such as your name, company and the frameworks you target. We use a short verification code to confirm your email.
- Evidence and vendor data. The framework selections you make, the evidence you upload, the vendors you assess, and the scores, findings, rationale and remediation lists generated from them, so the service can run and you can return to your work.
- Messages you send us. If you use the contact form, we keep your name, email and message so we can respond.
- Analytics data. Aggregate usage information about how the site and product are used, so we can understand which features are helpful and improve the experience.
- Technical and log data. Standard information such as IP address, browser type, and the page or campaign you arrived from, used for security, fraud prevention and understanding traffic sources.
How we use your information
- To run the service, including mapping controls, linking evidence, flagging gaps, scoring vendor risk and building readiness reports and remediation lists.
- To set up your account, verify your email address and respond to your questions.
- To send you relevant product updates about Scrutineer, where you have asked to hear from us.
- To understand, in aggregate, how the product is used so we can improve it.
- To protect the service from abuse, fraud and security threats, and to handle billing for your paid plan.
How we think about security
We design the product to minimize the data we collect, to limit access to it, and to protect the evidence you trust us with. We use strong encryption in transit and at rest and least-privilege access. We do not claim any certification or attestation status we do not hold, and Scrutineer does not itself issue any certification.
How we share information
We do not sell your personal information, evidence or vendor data. We share information only with service providers who help us operate the product, such as our hosting, AI processing, payment and email delivery providers, and only to the extent they need it to perform their function. We may disclose information if required by law or to protect our rights and our users.
AI processing
Control mapping and risk scoring are performed by AI models that analyze your evidence and vendor data against a framework's controls. Your data is used to produce your reports and is not used to train public or third-party models. The AI provides per-control scoring and evidence-linked findings as decision support for readiness. You always make the final decision on remediation, and an accredited auditor, not Scrutineer, issues any attestation or certification.
Data retention
We keep account details and the evidence and vendor data you submit for as long as an account is active and for a reasonable period afterward to meet legal, billing and security obligations. You can ask us to delete the data you have submitted at any time, and we will do so unless we are required to retain it.
Security
We use industry-standard measures to protect your information in transit and at rest, and we limit who can access it. No method of transmission or storage is perfectly secure, but we work to keep your data safe and to collect as little of it as possible in the first place.
Your choices and rights
You can access, correct or delete the information and data you have submitted, and you can opt out of non-essential email at any time. Depending on where you live, you or the third parties you assess may have additional rights over personal data. To exercise any of these, email us and we will help, and where you are a third party assessed by one of our customers we will work with that customer.
Changes to this policy
We may update this policy as the product and site evolve. When we make material changes we will update the date at the top and, where appropriate, notify you. Continued use after changes means you accept the updated policy.
Contact
Questions about privacy? Email team@scrutineer.ai or use our contact page.