Privacy Policy
episki, llc ("episki," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the episki platform at app.episki.com and our marketing site at episki.com (collectively, the "Service").
By using the Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
1. Data We Collect
Account Data
When you create an account, we collect your name, email address, organization name, and role. If you sign up via a third-party provider (e.g., Google), we receive your profile information as authorized by that provider.
Customer Data
You may submit compliance-related content to the Service, including programs, assessments, controls, policies, evidence files, risks, vendors, third-party documents you ingest, questionnaire responses, agent conversations and plans, MCP server configurations, and notes ("Customer Data"). You own your Customer Data. episki processes it solely to provide and improve the Service on your behalf.
Integration Data
When you connect a third-party service (such as AWS, Google Workspace, Microsoft 365, Slack, GitHub, or Jira), we receive data from that service as authorized by the scopes you grant. We use that data only to provide the Service. See §4 (Integrations Data) for details.
AI Interaction Data
When you or your agents use AI features, we record the prompts, retrieved Customer Data, AI output, and metadata about the run (such as agent skill, step-run, approval status, and token usage). See §3 (AI Processing) for how this data is processed.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, operating system, and IP address. This data helps us improve performance and user experience.
Communications
If you contact us via email, chat, or support, we retain the content of those communications to resolve your request and improve our support.
2. How We Use Your Data
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Authenticate users and manage account access.
- Process payments, meter token usage, and manage subscriptions.
- Send transactional communications (account confirmations, security alerts, billing notices).
- Send marketing communications (with your consent, which you may withdraw at any time).
- Monitor for abuse, fraud, and security threats.
- Generate anonymized, aggregated analytics to improve the Service.
- Comply with legal obligations.
We do not sell personal data, and we do not use Customer Data to train AI models.
3. AI Processing
What AI features do with your data
When you or an agent in your workspace uses an AI feature, episki sends the relevant Customer Data — including prompts, retrieved evidence excerpts, control or framework context, and prior agent outputs — to one or more third-party AI model providers acting as our sub-processors. The provider returns an output that we store as part of your Customer Data and present to you for review or approval.
AI sub-processors
We use leading AI model providers as sub-processors. Our current list of AI sub-processors (including model providers) is published on our trust center at trust.episki.com (see also §8). We will notify customers at least thirty (30) days before adding a new AI sub-processor.
No training on Customer Data
We do not use Customer Data to train, fine-tune, or improve any AI model. Our AI sub-processors are contractually bound to the same restriction. AI providers may retain inputs and outputs only as long as necessary to operate their service, run safety classifiers, or comply with their legal obligations, and not for model improvement.
AI interaction retention
We retain AI interaction logs (prompts, outputs, tool calls, approvals, token usage) as part of your Customer Data and audit log for the life of your workspace. You may request earlier deletion of specific interactions, subject to legal and audit-log integrity constraints. Workspace administrators may also configure shorter retention.
Human review
AI features are designed to surface work for human approval, especially for sensitive actions. You are responsible for reviewing AI output before relying on it for compliance, regulatory, security, or business decisions.
4. Integrations Data
When you authorize a third-party integration, we receive data from that service as scoped by the authorization you grant. Examples:
- Cloud (AWS, Google Cloud, Azure): IAM configurations, account metadata, posture findings, and audit logs you choose to ingest.
- Identity (Okta, Google Workspace, Microsoft Entra): user directory, group membership, MFA enforcement state, and lifecycle events.
- Ticketing (Jira, Linear, GitHub Issues): tickets we create on your behalf, and ticket metadata we read back to track compliance work.
- Code (GitHub, GitLab): repository settings, branch protection state, code scanning and dependency scanning results.
- Chat (Slack, Microsoft Teams): messages we post on your behalf, approval interactions, and any responses to those messages.
We process integration data only to provide the Service to you. We do not sell or share integration data with third parties except in the limited circumstances in §8. You may revoke any integration at any time; we will cease using the credentials within a reasonable time, except where retention is required for legal, billing, or audit-log integrity purposes.
5. Trust Portal Public Data
The Service includes (with the Compliance Platform) a basic public trust page on an episki subdomain, and (with the Trust module) a fully branded trust center on a domain you specify. Content you choose to publish through these surfaces — including control claims, certifications, policy summaries, sub-processor lists, and security narratives — is intentionally public or made available to visitors you approve (for NDA-gated documents).
- You control what is published. Default visibility for any content is "not published."
- NDA-gated documents are released only to visitors who complete the NDA flow you configure. Access events are logged.
- When you publish a sub-processor list, names of those sub-processors (which may be the names of individual companies you contract with) become public. Ensure your contracts permit this.
- Inbound questionnaire submissions from buyers may include their personal data (name, email, company). Treat such data as Customer Data for the purposes of this policy.
6. MCP Servers and Customer-Configured Tools
You may configure Model Context Protocol ("MCP") servers — first-party or third-party — that agents in your workspace can call. When an agent calls an MCP server you configured, data flows from the Service to that MCP server (and may return from it). Examples include your internal documentation system, a bespoke compliance tool, or a third-party SaaS exposed via MCP.
- You are responsible for the privacy posture of MCP servers you configure.
- We log MCP tool calls (server, parameters, results) as part of your Customer Data and audit log.
- The AI Governance module, when subscribed, provides allowlisting and additional controls.
- We do not endorse, certify, or vet third-party MCP servers.
7. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract: Processing necessary to perform our agreement with you (providing the Service, managing your account).
- Legitimate interests: Improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
- Consent: Marketing communications and non-essential cookies, which you may withdraw at any time.
- Legal obligation: Processing required to comply with applicable laws.
8. Data Sharing and Sub-processors
We do not sell your personal data. We share information only in the following circumstances:
- Sub-processors: We use a vetted set of sub-processors for hosting, AI model providers, payment processing, email delivery, analytics, and customer support. Sub-processors are contractually bound to confidentiality, security, and use-limitation obligations consistent with this policy. Our current sub-processor list is published on our trust center at trust.episki.com.
- New sub-processors: We publish updates to our sub-processor list on trust.episki.com with at least thirty (30) days' notice before a new sub-processor begins processing Customer Data. You can subscribe to changes from the trust center. If you object on reasonable grounds, you may terminate the affected portion of the Service.
- Legal requirements: We may disclose data if required by law, regulation, legal process, or government request, and will narrow such disclosure to the extent permitted.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.
- With your consent: We may share data when you explicitly authorize us to do so.
9. Data Retention
- Account data: Retained for the duration of your account and up to 90 days following deletion, unless a longer retention period is required by law.
- Customer Data: Retained during your subscription. Upon termination, you may export your data within 30 days. After that period, Customer Data may be permanently deleted.
- AI interaction logs: Retained as Customer Data for the life of your workspace. Workspace administrators may configure shorter retention.
- Usage data: Retained for up to 24 months for analytics purposes, then anonymized or deleted.
- Backups: Backup copies of data may persist for up to 30 days after deletion from active systems.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
GDPR Rights (EEA, UK, Switzerland)
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request that we limit processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Complaint: Lodge a complaint with your local data protection authority.
CCPA / CPRA Rights (California Residents)
- Right to know what personal information we collect and how it is used.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information (we do not sell or share personal data for cross-context behavioral advertising).
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, contact us at hello@episki.com. We will respond within 30 days (or sooner if required by law).
11. Cookies and Tracking
We use cookies and similar technologies on episki.com and app.episki.com to operate the Service and understand usage patterns. The categories of cookies and tools we use include:
- Essential cookies: Required for the Service to function — authentication, session management, CSRF protection.
- Analytics (Plausible Analytics): A privacy-focused, cookieless analytics service that helps us understand page-level traffic without tracking individuals across sites.
- Tag management (Google Tag Manager): Used to manage the loading of other approved scripts. GTM itself does not set tracking cookies; loaded scripts may.
- Customer support (Intercom): Used to provide in-app messaging and support. Intercom may set cookies to identify returning visitors and maintain chat session state.
You can manage cookie preferences through your browser settings. Disabling essential cookies may impair the functionality of the Service.
12. International Data Transfers and Data Residency
episki is based in the United States. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our sub-processors operate.
For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable) or other legally recognized transfer mechanisms to ensure your data is protected.
Regional data residency. Workspaces subscribing to the Regional Data Residency add-on may pin workspace data to a specific region (currently US, EU, or Canada). Pinning takes effect at the next provisioning cycle and applies to Customer Data at rest. Some operational metadata, sub-processor processing, and integration data may still be processed in other regions; we describe these in the add-on documentation.
13. Security Measures
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest.
- Role-based access controls and least-privilege principles.
- Regular security assessments and vulnerability management.
- Audit logging of access and changes to Customer Data, including agent and AI actions.
- Incident response procedures for prompt identification and containment of security events.
While we take reasonable precautions, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.
14. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@episki.com and we will promptly delete it.
15. Data Processing Agreement
For customers processing personal data subject to GDPR, the UK GDPR, the Swiss FADP, CCPA/CPRA, or comparable laws, we offer a Data Processing Agreement ("DPA") incorporating Standard Contractual Clauses, sub-processor commitments, and security obligations consistent with this Privacy Policy.
To request a DPA, contact hello@episki.com. The DPA, once executed, supplements these Terms.
16. Data Processing Roles
Controller: episki acts as the data controller for account data and usage data we collect directly through our marketing site and account-provisioning flows.
Processor: For Customer Data that you submit to the Service (compliance programs, assessments, evidence, AI interactions, integration data, etc.), episki acts as a data processor on your behalf. You remain the data controller and are responsible for ensuring you have an appropriate lawful basis to process any personal data contained within Customer Data.
Operator Partner Program: Where a partner administers a workspace on behalf of an end customer, the partner may act as a processor of the end customer, and episki acts as a sub-processor of the end customer. The applicable Operator Partner Agreement and any DPA executed with the partner or end customer govern this relationship.
17. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. For non-material changes (clarifications, typos, formatting), we may update this policy without advance notice and indicate the change by revising the "Last updated" date.
18. Contact Us
Our sub-processor list is published on our trust center at trust.episki.com. For questions about this Privacy Policy, to exercise your data rights, or to request a DPA, contact us at:
episki, llc · Pennsylvania, USA