Privacy Policy — Defense Catalyst Inc.

Who we are

This Privacy Policy describes how Defense Catalyst Inc. (“Defense Catalyst,” “we,” “us,” or “our”) collects, uses, and shares personal information when you use our websites (e.g., defensecatalyst.com) and SaaS products for defense-sector business development and compliance automation (the “Services”).

Note for government/defense customers: We are not authorized to receive Classified information. Handling of Controlled Unclassified Information (CUI), ITAR-controlled or EAR-controlled technical data is prohibited under this general policy and requires a separate, written agreement that explicitly authorizes such data and specifies applicable safeguards (see “Prohibited & Controlled Data” and “Accidental Receipt” below).

Information we collect

We collect information you provide directly (e.g., account details, content you upload, support requests) and information collected automatically (e.g., log and device data such as IP, browser, OS, pages viewed). We may also collect limited geolocation and usage analytics to improve the Services.

How we use information

  • Provide, secure, and maintain the Services

  • Communicate about accounts, features, and updates

  • Personalize content and improve performance and reliability

  • Comply with law and enforce terms

Legal bases (EEA/UK only)

We rely on consent, contract performance, legitimate interests (e.g., service security and improvement), and compliance with law.

Prohibited & controlled data (read this before using the Services)

Unless we enter into a separate, signed agreement that expressly authorizes and governs such handling, do not submit any of the following to the Services:

  • Classified information;

  • Controlled Unclassified Information (CUI) as defined by the NARA CUI Program;

  • ITAR-controlled defense articles, technical data, or defense services;

  • EAR-controlled technology or source code;

  • Export-restricted technical data subject to U.S. export controls;

  • Protected Health Information (PHI) under HIPAA;

  • Other data that imposes regulatory handling obligations not explicitly agreed to in writing.

Accidental receipt of confidential or controlled information

If you inadvertently submit data that is confidential to you or a third party—or is CUI/ITAR/EAR-controlled—under this policy and without a separate written authorization, you agree that:

  • Immediate notification: You will promptly notify us at privacy@defensecatalyst.com upon discovery and identify the affected records.

  • Containment: We may suspend related processing and segregate involved systems/data.

  • Disposition: At your instruction and subject to law, we will return or delete the data and any derived artifacts from our active systems and request the same of relevant subprocessors.

  • No license granted: Our temporary possession is not a license to use or disclose such information except as necessary to remediate.

  • Export-control cooperation: You will reasonably cooperate so both parties can meet any export-control or government reporting obligations.

  • Reservation of rights: We may preserve minimal records as required by law, incident response, audit, or defense of claims.

Where a separate, signed agreement exists (e.g., incorporating DFARS 252.204-7012 or similar), those incident-handling, reporting (e.g., DoD 72-hour reporting), and safeguarding obligations will govern.

Security

We implement administrative, technical, and physical safeguards appropriate to our risk profile and the information we process. Where a customer agreement authorizes handling of CUI, our controls will align to NIST SP 800-171 requirements and/or CMMC level(s) as specified in that agreement.

Data retention

We retain personal information for as long as needed to provide the Services, comply with law, resolve disputes, and enforce agreements. Upon account closure, we delete or anonymize personal data within a commercially reasonable period, except where retention is legally required.

Your rights

Depending on your location, you may have rights to access, correct, delete, object, restrict, or port your data, and to opt out of certain processing or marketing.

Cookies & similar technologies

We use cookies and similar technologies for essential operations, performance, and functionality. See our Cookie Policy for details and controls.

Sharing & transfers

We share data with vendors (e.g., cloud hosting, analytics, payments) under appropriate contractual safeguards. International transfers are protected consistent with applicable law (e.g., SCCs when applicable).

Government customers & flow-downs

If you purchase through a prime or subcontract and your order includes U.S. Government requirements (e.g., DFARS 252.204-7012), those obligations apply only where explicitly accepted by Defense Catalyst in the order or master agreement. Otherwise, this Privacy Policy and our standard terms govern.

Changes

We may update this Privacy Policy periodically. Material changes will be communicated via the Services or by email where appropriate.

Contact

Defense Catalyst Inc.

Privacy: privacy@defensecatalyst.com