Privacy Policy
Effective Date: May 4, 2026
Last Updated: May 4, 2026
This Privacy Policy describes how Concerto Compliance, LLC ("Concerto," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use the ConcertoGRC platform ("Platform"), this documentation site, and related services (collectively, "Services").
1. Information We Collect
Information You Provide
- Account information -- Name, email address, job title, and organization when your administrator creates your account
- Profile information -- Role assignments, team memberships, and contact details you add to your profile
- Content you create -- Compliance records, evidence uploads, risk assessments, policy documents, vendor information, and other data you enter into the Platform
- Communications -- Support requests, feedback, and correspondence with our team
Information Collected Automatically
- Usage data -- Pages visited, features used, timestamps, and session duration
- Device and browser information -- Browser type, operating system, screen resolution, and language preferences
- Log data -- IP addresses, authentication events, and API request metadata
- Cookies and similar technologies -- See Section 7 below
Information from Third-Party Integrations
When your organization connects third-party integrations (identity providers, cloud services, MDM providers), the Platform receives data from those services as configured by your administrator. This may include employee directory information, device inventory, and security findings.
2. How We Use Your Information
We use personal information to:
- Provide and operate the Services -- Authenticate users, enforce access controls, and deliver platform functionality
- Process compliance data -- Generate reports, calculate control statuses, manage evidence, and support your compliance program
- AI-powered features -- Generate meeting slides, draft questionnaire responses, analyze documents, and provide risk remediation guidance (see our AI & Data Handling documentation)
- Maintain security -- Detect unauthorized access, investigate incidents, and enforce tenant isolation
- Audit logging -- Record create, update, delete, and export actions for compliance accountability and incident investigation
- Improve the Services -- Analyze aggregate, anonymized usage patterns to improve performance and prioritize feature development
- Communicate with you -- Send service notifications, security alerts, and respond to support requests
We do not use your personal information or compliance data to train AI models. See our Platform Security page for details.
3. How We Share Your Information
We do not sell your personal information. We share information only in these limited circumstances:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Cloud infrastructure providers (AWS) | Hosting, storage, compute, and AI inference | Data processing agreement; data stays within configured AWS regions |
| Your organization's administrators | User management, audit log review, and compliance reporting | Role-based access controls within your tenant |
| Third-party integrations | Only when your organization explicitly connects an integration | OAuth scopes limited to necessary permissions; credentials encrypted |
| Legal or regulatory authorities | When required by law, subpoena, or court order | We will notify you unless legally prohibited |
| Business transfers | In connection with a merger, acquisition, or asset sale | Successor entity bound by this policy |
We do not share data between tenants. Each organization's data is logically isolated. See Tenant Isolation.
Subprocessors
The following third-party services process customer data as part of delivering the ConcertoGRC platform:
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure including compute (ECS Fargate), database (RDS), storage (S3), email delivery (SES), authentication (Cognito), AI inference (Bedrock), and document OCR (Textract) | All platform data | US |
| Cloudflare | DNS management, CDN, DDoS protection | Network traffic metadata, IP addresses | Global edge network (see Section 9) |
| Sentry | Application error monitoring and performance tracking | Error context, stack traces, and request metadata; configured to minimize collection of personally identifiable information | US |
All phishing simulation infrastructure (used by the optional Phishing Simulation module) is self-hosted on Concerto-managed servers within AWS. No additional third-party subprocessor is involved.
We maintain data processing agreements (DPAs) with AWS, Cloudflare, and Sentry. We will notify customers of material changes to this subprocessor list at least 30 days in advance. If you have questions about our subprocessors, contact privacy@concertocompliance.com.
4. Data Retention
| Data Type | Retention |
|---|---|
| Account data | Retained while your account is active; deleted upon account removal by your administrator |
| Compliance records | Retained while your organization's tenancy is active; available for export before termination |
| Audit logs (application) | Retained for the duration of the tenancy to support compliance evidence requirements and incident investigation |
| Audit logs (authentication) | Configurable retention period; default 365 days |
| Uploaded files | Retained while associated records exist; deleted when the parent record is removed |
| AI inputs and outputs | Not retained by the AI model provider beyond the request lifecycle |
When an organization terminates its use of the Platform, we provide a 90-day data export window. After that period, all tenant data is permanently deleted from production systems and backups within 30 additional days.
How to Request Data Deletion
Individual users: Contact your organization's ConcertoGRC administrator. Administrators can remove your user account from the Platform, which deletes your profile, role assignments, and authentication credentials. Alternatively, you can email privacy@concertocompliance.com and we will coordinate with your organization's administrator.
Organization administrators: To request deletion of your entire organization's data, email privacy@concertocompliance.com. We will confirm the request, provide a 90-day data export window, and permanently delete all tenant data within 30 days after the export window closes.
What we delete:
- User profile and account data
- Authentication credentials and session history
- All compliance records, evidence files, and uploaded documents
- AI-generated content (meeting slides, questionnaire drafts, reports)
- Integration connection credentials and sync data
What we may retain after deletion:
- Audit log entries -- We may retain records of actions taken within the Platform where required for legal compliance, regulatory obligations, or active investigations. Retained entries are limited to action type, timestamp, and user identifier.
- Anonymized or aggregated data -- Data that can no longer identify you may be retained for service improvement purposes.
- Backup retention -- Deleted data may persist in encrypted backups for up to 30 days before being purged.
Response timeframe: We acknowledge deletion requests within 5 business days and complete processing within 30 days (GDPR) or 45 days (CCPA). If additional time is needed, we will notify you with an explanation.
5. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access -- Request a copy of the personal data we hold about you
- Right to rectification -- Request correction of inaccurate or incomplete data
- Right to erasure -- Request deletion of your personal data, subject to legal retention requirements
- Right to restriction -- Request that we limit processing of your data in certain circumstances
- Right to data portability -- Receive your data in a structured, machine-readable format
- Right to object -- Object to processing based on legitimate interests
- Right to withdraw consent -- Where processing is based on consent, withdraw it at any time
Legal bases for processing: We process personal data based on contractual necessity (to provide the Services), legitimate interests (security, incident investigation, service improvement), legal obligations (audit and compliance requirements), and consent (where applicable).
Response timeframe: We will respond to data subject requests within 30 days. If we need additional time due to request complexity, we will notify you within that initial 30-day period and may extend by up to 60 additional days as permitted by GDPR.
To exercise these rights, contact us at privacy@concertocompliance.com.
6. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:
- Right to know -- Request disclosure of the categories and specific pieces of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it
- Right to delete -- Request deletion of personal information we have collected from you
- Right to correct -- Request correction of inaccurate personal information
- Right to opt-out of sale or sharing -- We do not sell or share personal information for cross-context behavioral advertising
- Right to non-discrimination -- We will not discriminate against you for exercising your CCPA rights
Categories of personal information collected: Identifiers (name, email, IP address), professional information (job title, role), internet activity (usage data, log data), and inferences drawn from the above.
We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.
To exercise these rights, contact us at privacy@concertocompliance.com. We will verify your identity before processing your request and respond within 45 days as required by the CCPA. You may also designate an authorized agent to submit requests on your behalf.
7. Cookies
Documentation Site
This documentation site uses minimal cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Theme preference | Remembers your light/dark mode selection | Persistent |
| Search index | Local search functionality | Session |
This site does not use third-party analytics, advertising cookies, or tracking pixels.
ConcertoGRC Platform
The Platform uses cookies necessary for operation:
| Cookie | Purpose | Duration |
|---|---|---|
| Authentication tokens | Session management via Amazon Cognito | Session (access token) / Persistent (refresh token) |
| Tenant context | Remembers your selected organization | Session |
| UI preferences | Sidebar state, table settings, theme | Persistent |
The Platform does not use third-party advertising or behavioral tracking cookies.
8. Data Security
We implement technical and organizational measures to protect your information, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, tenant isolation, audit logging, and secure development practices. For details, see our Platform Security page.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify affected customers without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR
- Notify affected California residents as required by the California Civil Code Section 1798.82
- Provide details of the nature of the breach, the data affected, and the measures taken to address it
9. International Data Transfers
The Platform is hosted on Amazon Web Services in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the US.
Cloudflare, which provides DNS and CDN services, processes network traffic metadata at global edge locations. This means request-level data (IP addresses, request headers) may be transiently processed outside the US and EEA. Cloudflare maintains appropriate data protection safeguards including their own DPA and Standard Contractual Clauses.
For all international transfers, we rely on Standard Contractual Clauses (SCCs) and supplementary technical measures (encryption in transit and at rest, access controls, tenant isolation) as required by applicable law.
10. Children's Privacy
The Services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised "Last Updated" date and, for material changes that affect how we process your data, by notifying account administrators via email at least 30 days in advance. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions, requests, or complaints:
Concerto Compliance, LLC
Email: privacy@concertocompliance.com
For security vulnerabilities, see our Responsible Disclosure information.