Penacity Privacy Policy

1. Introduction

Penacity (“we,” “our,” or “us”) is committed to protecting the privacy and security of personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data in connection with our website and the services we provide.

We operate in accordance with applicable data protection and cybersecurity frameworks, including the General Data Protection Regulation, Cyber Essentials, and NIST SP 800-171, as well as requirements applicable to our role as a Certified Third-Party Assessor Organization (C3PAO).

2. Scope of This Policy

This Privacy Policy applies to:

* Visitors to our corporate website
* Prospective clients and business contacts
* Clients and individuals whose information is processed in the course of delivering our services

This policy does not apply to third-party websites or services that we do not control.

3. Information We Collect

3.1 Information You Provide
We may collect personal information that you voluntarily provide, including:
* Name, email address, phone number
* Company name, job title, and business contact details
* Information submitted through contact forms or communications

3.2 Information Collected Automatically
When you visit our website, we may collect limited technical data such as:
* IP address
* Browser type and device information
* Pages visited and usage patterns

This information is collected using standard analytics tools to understand website performance.

3.3 Information Collected in Providing Services
In the course of delivering our services, including cybersecurity and compliance assessments, we may process business-related personal information provided by our clients. This may include personnel and organizational data necessary to perform contracted services.

4. How We Use Information

We use personal information for the following purposes:
* To respond to inquiries and communicate with you
* To provide and deliver our services
* To manage client relationships and contractual obligations
* To improve our website and services
* To maintain security, integrity, and compliance with applicable regulations

We do not sell or trade personal information.

5. Legal Basis for Processing (GDPR)

Where applicable, we rely on the following legal bases:
* Contractual necessity – to provide services requested by clients
* Legitimate interests – to operate, secure, and improve our business
* Consent – where required (e.g., certain cookies or communications)
* Legal obligations – to comply with regulatory or certification requirements

6. Sharing of Information

We do not sell or share personal information with third parties for marketing purposes.

We may share information only in limited circumstances:
* With trusted vendors and service providers who support our operations (e.g., software licensing, cloud hosting), under contractual confidentiality and security obligations
* As required to comply with legal or regulatory obligations
* As necessary to deliver contracted services

All third-party providers are required to protect personal information and use it only for authorized purposes.

7. Data Retention

We retain personal information only for as long as necessary to:
* Fulfill the purposes described in this policy
* Meet contractual obligations
* Comply with legal, regulatory, and certification requirements

Retention periods may vary depending on the nature of the data and applicable obligations, including those related to cybersecurity assessments and compliance frameworks.

8. International Data Transfers

Where personal information is transferred across borders, we implement appropriate safeguards consistent with applicable law, such as contractual protections and security controls.

9. Security of Information

We implement administrative, technical, and physical safeguards designed to protect personal information.

Our security practices align with recognized standards, including NIST SP 800-171 and Cyber Essentials.

As a Certified Third-Party Assessor Organization (C3PAO), we maintain systems that meet CMMC Level 2 requirements and are subject to periodic independent assessments, including oversight by relevant authorities.

While we take reasonable measures to protect data, no system can be guaranteed to be completely secure.

10. Cookies and Analytics

We use limited cookies and analytics tools to understand how our website is used and to improve performance.

We utilize services provided by Google (e.g., Google Analytics), which may collect anonymized usage data such as pages visited and time spent on the site.

You may control cookies through your browser settings.

11. Your Rights

Depending on your location, you may have rights regarding your personal information, including:
* Access to your data
* Correction of inaccurate data
* Deletion of data
* Restriction of processing
* Data portability
* Objection to certain processing activities

To exercise your rights, please contact us using the information below. We will respond in accordance with applicable law.

Individuals in the European Economic Area also have the right to lodge a complaint with a supervisory authority.

12. U.S. Privacy Disclosures

We do not sell or share personal information as defined under applicable U.S. state privacy laws.

13. Children’s Privacy

Our website and services are not directed to children, and we do not knowingly collect personal information from individuals under the age of 13.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised “Last Updated” date.

15. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Address

7030 Dorsey Rd
Suite 104
Hanover, MD 21076

+1 (0) 443-837-9550
855 PENACTY (736-2289)