Legal
Data Policy
Effective date: July 7, 2026
This Data Policy explains how ThreatWinds LLC(“ThreatWinds”, “we”, “us”) handles the data you provide to and generate through the ThreatExploit.ai platform (the “Service”), with a focus on penetration-testing data and security. It supplements our Terms of Service and Privacy Policy.
1. What We Mean by Customer Data
“Customer Data” means the data you submit to the Service and the data the Service generates for you, including target definitions and scope, credentials and configuration you provide for an engagement, scan and exploitation inputs and outputs, evidence (such as screenshots and logs), findings, and the reports produced for your engagements.
2. We Do Not Train on Your Data
We do not use Customer Data — including target information, engagement inputs, scan and exploitation outputs, evidence, findings, or API request and response content — to train, fine-tune, or otherwise develop or improve AI or machine-learning models. Your data is not used to build datasets, benchmarks, or product features for other customers.
The AI models that power the Service process your data only to carry out the testing and reporting you request, in real time, for your engagement. Prompts, context, and results exchanged with the underlying model infrastructure are used solely to perform your task and are not retained by the model providers to train their models. We contractually require our AI and infrastructure providers not to use your data for training or for their own purposes.
3. No Cross-Customer Use
Customer Data is logically segregated per customer and per engagement. It is not shared with, or made accessible to, other customers, and it is not fed into unrelated model interactions.
4. Dedicated Infrastructure
Penetration tests can be run from dedicated infrastructure rather than shared, multi-tenant execution environments, with regional deployment options (for example, across the Americas, Europe, and Asia) so you can keep testing and data within a preferred region.
5. How Long We Keep Data
- Working context. The transient context an engagement uses while it runs — the scratch memory used to share findings across testing phases — is scoped to that run and is deleted once the pentest reaches a terminal state, to minimize data retention.
- Reports and evidence. Findings, evidence, and reports remain available in your account so you can review, export, and deliver them. They are retained until you delete them or as otherwise agreed, and are exportable in standard formats (for example, PDF, JSON, and structured data).
- On termination. You control deletion of your reports and evidence; on account termination we delete or return Customer Data as required by law and our agreements.
6. Security Measures
We protect Customer Data with measures including:
- encryption of data in transit (TLS) and at rest;
- role-based access controls, least-privilege access, and scoped API keys;
- authentication and authorization controls for platform and API access;
- network and infrastructure hardening and monitoring;
- separation of customer environments and data.
7. Subprocessors
We use a limited set of subprocessors to provide the Service — for example, cloud and infrastructure hosting, AI/LLM inference infrastructure, identity-verification providers, and payment processors. Subprocessors are bound by contract to appropriate confidentiality and security obligations and are not permitted to use Customer Data to train their models or for their own purposes.
8. Your Responsibilities
You are responsible for ensuring that the targets, credentials, and data you submit are within an authorized scope and that you have the right to submit them, and for not uploading data you are not permitted to process. Do not submit personal or sensitive data beyond what is necessary for an engagement.
9. Data Incidents
We maintain processes to detect, investigate, and respond to security incidents. If a personal-data breach affecting your data occurs, we will notify affected customers and, where required, regulators, consistent with applicable law and our agreements.
10. Data Access and Deletion Requests
To request access to, export of, or deletion of Customer Data, or to ask questions about this Data Policy, contact info@threatexploit.ai.
11. Changes
We may update this Data Policy from time to time. When we do, we will revise the “Effective date” above and, for material changes, provide reasonable notice.
12. Contact
info@threatexploit.ai — ThreatWinds LLC.
