Introduction
This Privacy Notice ("Notice") describes how SecValley Inc. ("SecValley", "we", or "us") collects, uses, discloses and otherwise processes your personal information in connection with the management of our business and our relationships with customers, visitors and event attendees.
This Notice explains your rights and choices related to the personal information we collect when:
- You interact with our websites, including https://www.secvalley.com/ and any other websites that we operate and that link to this Notice (our "Sites");
- You visit, interact with, or use any of our offices, events, sales, marketing or other activities; and
- You use our platform, including software and other products and services (the "Solution", or "Solutions").
This Notice does not cover:
- Applicant information. This Notice does not cover information related to our employment recruiting efforts.
- Organizational Use. When you use our products or services on behalf of an organization (e.g., your employer), your use is administered and provisioned by your organization under its policies regarding the use and protection of personal data. If you have questions about how your data is being accessed or used by your organization, please refer to your organization's privacy notice and direct your inquiries to your organization's system administrator.
- Third Parties. This Notice does not apply to any products, services, websites, or content that are offered by third parties and/or have their own privacy statement.
SecValley determines the purposes and means of the processing (i.e., we are the data controller) of your personal information as described in this Notice unless expressly specified otherwise.
Personal Information Collection
We may collect the following types of personal information:
- Business contact information, such as your first and last name, professional title, business affiliation and address, email, and phone number.
- Services account information, such as the Solutions you use, webinars and other events you sign up for, transactions, and business relationship information.
- Communications with us, including questions or inquiries you may send us, and any information that you create, input, submit, post, upload, transmit, store or display on our Sites.
- Information from cookies and other automated technologies, such as information about the devices you use to engage with our Solutions and Sites, and online activity data.
We may also obtain personal information from other sources, including:
- Third parties, such as business intelligence services, event co-sponsors, and other data providers.
- Public sources, such as company websites and our pages on social media platforms.
How We Use Personal Information
We use personal information for the following purposes:
- SecValley Site. When you visit our Sites, we use personal information to interact with you, provide you relevant marketing data and information, contact you about our Solutions, personalize or customize your experience (based on preferences or geography, for example), conduct research (such as to test the performance and layout of our Sites), and to improve the content and availability of the Sites.
- Administering the Solutions. If you subscribe or are exploring a subscription to our Solutions, we use personal information to create and administer your account, manage our business relationship, and communicate with you about the Solutions, including to send you notifications and keep you informed of any updates to the Solutions.
- Newsletters, events, marketing and advertising. If you sign up to receive newsletters or other additional information from us, attend a webinar or live event, or participate in any other offering, we use the information you provide to facilitate your request and to identify business opportunities. Subject to consent where required, we also use personal information to develop and send direct marketing communications.
- Testimonials. Where you permit us to share your experience with our Solutions, we may post testimonials on the Sites that may contain personal information. We obtain your consent before posting your name along with your testimonial. If you wish to update or delete your testimonial, you can contact us at privacy@secvalley.com.
- Partners. If you partner with us to promote or provide the Solutions, including by using our Partner Portal, we use your information to maintain and administer our business relationship and to evaluate the performance of our partnership.
- Compliance and protection. We also use personal information to comply with applicable laws, lawful requests, and legal process; protect our, your, or others' rights, privacy, safety, or property; audit our internal processes for compliance; enforce the terms and conditions that govern our Solutions; and prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity.
- At your option. Other than as set out above, you will receive notice when personal information about you might be shared with third parties, and you will have an opportunity to choose not to share that information.
We will only use your personal information as described in this section if we have a valid legal ground for the processing under applicable laws. Our legal grounds for processing include: consent, where you have consented to the use of your personal information; legitimate interests, such as to promote, develop and improve our Sites and Services, to protect our legal rights, and to establish, exercise, or defend legal claims; and legal obligations, including to comply with tax and accounting obligations.
How We Share Personal Information
We share personal information with:
- Affiliates. All SecValley entities in the US and worldwide, for purposes consistent with this Notice.
- Service providers. Companies and individuals that provide services on our behalf or help us operate our Solutions (such as hosting, information technology, customer support, email delivery, and website analytics services). SecValley contractually requires all its third-party business partners to take commercially reasonable steps to safeguard your personal information.
- Advertising vendors. Third-party advertising companies, including for interest-based advertising purposes, can collect information on our Sites through cookies and other automated technologies.
- Social media platforms. Our Sites may include social media features that may collect your IP address. Your interactions with these features are governed by the privacy notice of the company providing the feature.
- Third parties. We may also share your personal information with business partners and third parties, such as event sponsors when you attend one of our events.
- Professional advisors. Professional advisors, such as lawyers, auditors, bankers, and insurers, in the course of the professional services that they render to us.
- Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for compliance and protection purposes.
- Business transferees. Acquirers and other relevant participants in business transactions involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale, or other disposition of all or any portion of the business or assets of SecValley.
SecValley does not sell personal information as that term is defined under California law.
Use of Cookies and Web Technologies
SecValley Sites, Solutions, and advertisements may use automatic data collection tools such as cookies, embedded web links, and web beacons.
Third-Party Links
The Sites may include links to third-party sites, products or services. Please note that your access to and use of these third-party sites may result in the collection or sharing of your information. These third parties have separate and independent privacy policies, and we are not responsible or liable for your interactions with them. We encourage you to review and understand such third parties' privacy policies.
Solutions
SecValley
"True Posture, Proven Commitments."
The SecValley platform is a cloud-based security assessment platform that evaluates your organization's Microsoft cloud environments against industry-standard security benchmarks, recommends mitigation steps for identified risks, educates operators with easy-to-consume insights powered by Kai, offers multiple ways to report on progress, and provides configurable dashboards to keep tabs on critical aspects of your cloud infrastructure.
- Azure Security Scanner: Assesses your Azure subscription configuration against CIS benchmark controls, covering areas such as identity and access management, Microsoft Defender, storage accounts, database services, logging and monitoring, networking, virtual machines, Key Vault, App Service, and Databricks.
- Entra ID Scanner (formerly Azure Active Directory): Evaluates your Entra ID tenant configuration against CIS benchmark controls, including user and group settings, authentication methods, conditional access policies, privileged identity management, application registrations, service principal security, external collaboration settings, OAuth consent grants, identity protection and risk analysis, sign-in activity analysis, and directory audit log analysis.
- Office 365 Scanner: Reviews your Microsoft 365 tenant configuration against CIS benchmark controls, covering Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Microsoft Forms, Microsoft Defender for Office 365, Microsoft Purview, Intune device management, Power Platform settings, identity and MFA analysis, conditional access policies, application and credential security, administrative role management, and organizational security posture.
The number of controls evaluated by each scanner may change over time as cybersecurity benchmarks are updated and new controls are added. Current control counts are published on our website.
In addition, SecValley provides AI-powered executive security reports (vCISO Reports) that summarize scan findings into actionable insights, risk prioritization, and remediation guidance tailored to your organization's environment.
How SecValley Accesses Your Environments
To perform security assessments, SecValley requires access to your Microsoft cloud environments. Depending on the setup method you choose, either SecValley or you will create an Azure App Registration in your tenant with the necessary permissions for scanning. SecValley generates and manages the authentication certificate used by the scanner. SecValley does not use or store your user passwords.
When using the automated setup method, SecValley requests elevated permissions (granted through admin consent) to create the app registration, assign API permissions, and configure the appropriate read-only roles for scanning. These elevated permissions remain in place until you revoke them in your Azure tenant. SecValley uses them only during the initial setup process; ongoing scan operations use only the read-only permissions assigned to the scanner's app registration.
You are responsible for ensuring that you have the legal authority to grant SecValley access to your Microsoft cloud environments and that the processing of data within those environments complies with applicable laws.
The specific data accessed during scans includes:
- Configuration and Policy Data: Security policies, conditional access rules, role assignments, authentication method configurations, compliance policy settings, and mail flow rules within your Azure, Entra ID, and Office 365 environments.
- Resource Metadata: Information about Azure resources (subscriptions, resource groups, virtual machines, storage accounts, databases, network security groups), Entra ID objects (users, groups, applications, service principals), and Office 365 service configurations.
- License and Feature Information: Details about active Microsoft 365 and Azure subscriptions, assigned licenses, and enabled features, used to determine which security controls are applicable to your environment.
- Audit and Log Data: Settings related to diagnostic logging, activity logs, and audit log retention. SecValley reads log configuration status and directory audit log events to evaluate security controls. SecValley does not read the content of end-user activity logs such as email access logs or file access logs.
- User Directory Metadata: User attributes from your Entra ID directory, including user principal names, display names, account status, MFA registration status, role assignments, and last sign-in timestamps. For the Office 365 scanner, mailbox configuration settings, inbox forwarding rules, and shared mailbox configurations are also collected. Permissions used to access mailbox configuration and forwarding rules do not grant access to email message content. Permissions used to evaluate file sharing settings and folder structure do not grant access to file contents.
- Application and Service Principal Data: Application registrations, service principal configurations, OAuth consent grants, delegated permission grants, and credential expiration status from your Entra ID directory.
- Administrative Configuration Data: Administrative settings from Microsoft 365 service-specific admin interfaces, including SharePoint administration, Forms and Sway configuration, Power Platform governance settings, and Teams organizational policies.
- Authentication Method Data: Types of authentication methods registered by each user. Only the method type is retained in assessment results; method-specific details are not stored.
- Sign-in and Risk Data: Sign-in log metadata including timestamps, IP addresses, geographic location, device information, and success/failure status. SecValley also reads Identity Protection risk detections.
What SecValley Does Not Access
SecValley does not read the content of emails, chat messages, documents stored in SharePoint or OneDrive, calendar entries, or any other end-user files. The Azure Security Scanner operates exclusively through Microsoft's management APIs and does not access application-level content such as database records, storage blob contents, Key Vault secret values, virtual machine disk data, or network traffic flow logs.
Permissions Beyond Read-Only Access
Ongoing scan operations use only read-only permissions. Certain optional scanning capabilities require elevated API permissions that are broader than read-only in scope but are used by SecValley exclusively for read operations. Customers may exclude these modules during setup. Detailed permission requirements are provided during the connection setup process.
SecValley requests only the permissions necessary to perform the assessments described above. However, Microsoft may change the scope or behavior of these permissions from time to time. SecValley will alert platform users to any material changes in required permissions through the management console.
Customer Data
Customer Data collected through the scanning process is processed on behalf of customers in accordance with the directions provided to us in the Master Terms of Service. This includes scan results, identified vulnerabilities, compliance scores, control evaluation details, and remediation recommendations generated for your environments.
Scan results may contain user directory metadata (email addresses, display names, account status, authentication method details, and activity metrics) to the extent necessary for evaluating identity and access security controls. Personally identifiable fields within scan results are automatically removed after the retention period specified in our data retention schedule. This data is logically isolated per organization within our multi-tenant infrastructure.
System Data
In addition to Customer Data, we also collect and process System Data to provide the Solutions. System Data consists of:
- Technical and Operational Data: Information about the Solutions you are using and about the systems and related environment from which you access the Solutions. Examples include browser type, IP address, operating system, and connection timestamps.
- Platform Data: Information about your usage of the Management Console. Examples include configuration settings, dashboard preferences, user roles, authentication events, and other administrative settings.
- Security Event Data: To protect your account, we log authentication events including successful and failed login attempts, session activity, IP addresses, and device information. Sensitive values are not stored in logs.
- Audit Trail: Administrative actions performed within the Management Console are recorded for accountability and compliance purposes.
SecValley's marketing website (secvalley.com) uses Google Analytics for website traffic analysis, loaded only after you consent through our cookie banner. Google Analytics collects anonymized usage data such as page views, referring URLs, browser type, and approximate geographic location. This data is processed by Google LLC under its own privacy policy. The SecValley platform application (app.secvalley.com) does not use any third-party analytics or tracking services. No platform data is shared with advertising platforms or analytics providers.
Use of AI Services
SecValley uses AI services such as Azure OpenAI Service to generate AI-powered features such as recommendations, security risk summaries, and reports. When generating these items, only aggregated and anonymized scan data is used for processing. SecValley will provide an option to opt out of data collection if you do not wish to supply this limited data. The data sent to AI services includes:
- Summary statistics (total controls evaluated, pass/fail counts, severity breakdown)
- Category-level assessment scores
- Failed control titles and severity levels
- User-uploaded policies and materials
- Trend data (previous vs. current security score)
No user directory data (email addresses, display names, IP addresses), credentials, certificates, or tenant-identifying information is included in AI processing requests.
In accordance with Microsoft's data privacy commitments for Azure OpenAI Service:
- Your data is not used to train, retrain, or improve OpenAI foundation models.
- Your data is not shared or accessible by any other customer.
- Your data is not used to improve Microsoft products or services.
- All processing occurs within the Azure region associated with your deployed resource, subject to Azure's standard enterprise data protection and compliance certifications.
Kai Reports are generated by artificial intelligence and are provided for informational purposes only. They do not constitute professional security advice, legal advice, or a guarantee of regulatory compliance. You are solely responsible for evaluating and acting upon any recommendations contained in these reports.
Security
SecValley maintains, and requires its service providers to adhere to, appropriate organizational and technical measures designed to protect against unauthorized access, alteration, disclosure or destruction of personal information, taking into account the nature of the personal information and the processing, and the threats posed. We are constantly working to improve these safeguards to help keep your personal information secure; however, no security procedure or protocol can be guaranteed to be 100% secure.
Privacy Choices
Unsubscribe from marketing communications. You can unsubscribe from marketing-related communications by following the instructions at the bottom of the emails you receive from us or by contacting us as provided in the Contact Us section below.
Privacy rights. Depending on your location, you may be entitled to submit the following requests about your personal information:
- Access. Request that we provide you with information about our processing your personal information and give you access to your personal information.
- Deletion. Request that we delete the personal information that we maintain about you.
- Correction. Request that we update or correct inaccuracies in your personal information.
- Transfer. Request that we transfer a machine-readable copy of your personal information to you or a third party that you designate.
- Restriction. Request that we restrict the processing (including sharing) of your personal information.
- Objection. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.
To exercise the rights described above, please contact us at privacy@secvalley.com. To prevent unauthorized disclosure, we will need to verify your identity before we respond to the request and to assess whether these rights apply to you. Additionally, applicable law can limit these rights, for example, by prohibiting us from providing certain sensitive information in response to an access request and by limiting the circumstances in which we must comply with a deletion request. While we endeavor to satisfy the requests we receive, if you are unsatisfied with our response, you may have the right to complain to a privacy or data protection regulator in your country.
Children's Personal Information
Our Solutions are not intended for use by children. If you have reason to believe that a child has provided personal information to us, please contact us at privacy@secvalley.com. We will use commercially reasonable efforts to delete such personal information.
U.S. State Privacy Laws
Some U.S. state privacy and data protection laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), require specific disclosures for state residents. We are committed to complying with all applicable privacy laws.
Retention
We retain personal information for as long as necessary to fulfill the purposes for which we collect it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. Specific retention periods for Customer Data are set forth in our Terms of Service (Section 8.7) and Data Processing Agreement (Annex A). In general, scan assessment data is retained for 1 year by default (configurable up to 7 years by your organization administrator), system logs are retained for 12 months, and connection credentials are deleted within 90 days of account cancellation. To determine the appropriate retention period for other personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and the applicable legal requirements.
Changes to This Notice
If there are any material changes to this Notice, you will be notified by our posting of a prominent notice on our Sites prior to the change becoming effective or as otherwise required by law. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of our Sites constitutes your agreement to be bound by such changes to this Notice.
Contact Us
If you have questions regarding this Notice or about our privacy practices, please contact us by email at privacy@secvalley.com.