Privacy Policy

1. Introduction

This Privacy Policy describes how GR IT Services LLC (also known as Ghulam Rasool IT Services LLC), a company registered in Dubai, United Arab Emirates ("GR IT Services," "we," "us," or "our"), collects, uses, stores, and protects personal information in connection with the CISGuard compliance automation platform and the CISGuard website at cisguard.ae (collectively, the "Service").

CISGuard is an enterprise compliance automation platform that helps organizations automate CIS benchmark compliance assessments across their IT infrastructure. By accessing or using the Service, you agree to the collection and use of information in accordance with this policy.

We are committed to protecting the privacy and security of your personal information and complying with applicable data protection laws, including the UAE Personal Data Protection Law (PDPL), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

2. Information We Collect

Controller vs. Service Provider Role

When CISGuard is deployed on your premises, GR IT Services acts solely as a software licensor, not a data processor or controller. All compliance scan data is processed and stored within your own infrastructure under your control. GR IT Services acts as a data controller only for information collected through this website (contact forms, demo requests) and as a service provider for managed support services.

2.1 Account Information

When you register for CISGuard, request a demo, or contact us, we may collect:

• Full name
• Business email address
• Company or organization name
• Job title
• Phone number
• Business address

2.2 Technical Data

When you visit the CISGuard website, we automatically collect certain technical information:

• IP address
• Browser type and version
• Operating system and device information
• Pages visited and time spent on each page
• Referring website URL
• Date and time of access

2.3 Compliance Scan Data

CISGuard is deployed on-premises within your infrastructure. All compliance scan data, including benchmark results, security configurations, system audit data, agent telemetry, and compliance scores, is stored exclusively within your own infrastructure. GR IT Services does not collect, access, store, or process any compliance scan data. You retain full ownership and control of all data generated by CISGuard within your environment.

2.4 Usage Analytics

We may collect aggregated, anonymized usage statistics from the CISGuard website (not from on-premises deployments) to understand how visitors interact with our website and improve the user experience. This data cannot be used to identify individual users.

2.5 Cookies and Tracking Technologies

The CISGuard website uses only essential cookies required for basic website functionality, such as session management and security. We do not use advertising cookies, third-party tracking pixels, or social media tracking scripts. No personal data is shared with advertising networks or data brokers through our website.

3. How We Use Information

We use the personal information we collect for the following purposes:

• Provide and maintain the Service: To process demo requests, set up accounts, provide onboarding support, and deliver the CISGuard platform and related services.
• Service notifications: To send essential communications regarding your account, software updates, security advisories, license renewals, and changes to our terms or policies.
• Respond to inquiries: To respond to your questions, support requests, and feedback submitted through our website or email.
• Improve the product: To analyze aggregated, anonymized usage patterns to improve the CISGuard platform, website, documentation, and user experience.
• Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our terms of service.

Do Not Track Signals

This website does not currently respond to Do Not Track (DNT) browser signals. You can manage tracking preferences through your browser settings.

4. Data Storage and Security

CISGuard is designed as an on-premises solution. All compliance data, scan results, agent configurations, credentials, and audit logs remain within your infrastructure and under your control. GR IT Services does not have access to, and cannot retrieve, any data stored in your CISGuard deployment.

For data that we do process (such as website form submissions and support communications), we implement appropriate technical and organizational security measures:

• Website form submissions and email communications are processed via Microsoft Graph API through our Microsoft 365 tenancy, protected by Microsoft's enterprise-grade security controls.
• All data in transit is encrypted using TLS 1.2 or higher.
• On-premises CISGuard deployments support AES-256 encryption at rest for all stored data, including credentials protected via Windows DPAPI.
• Access to personal data within GR IT Services is restricted to authorized personnel on a need-to-know basis.

5. Data Sharing

GR IT Services does not sell, rent, or trade personal data to third parties. We do not share personal data with third parties for marketing or advertising purposes.

We may share personal information only in the following limited circumstances:

• Service providers: We use Microsoft Corporation as a service provider for email processing (Microsoft 365 / Exchange Online) and website hosting (Microsoft Azure). These service providers are bound by their own data processing agreements and privacy commitments.
• Legal requirements: We may disclose personal information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
• Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction, subject to the same privacy protections described in this policy.

6. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this policy:

• Website inquiries and demo requests: Retained for up to 2 years from the date of submission, unless a business relationship is established.
• Account and customer data: Retained for the duration of the active service agreement plus 1 year after termination to support any post-termination obligations, warranty claims, or billing disputes.
• Compliance scan data: Entirely controlled by you. Since CISGuard is deployed on-premises, you determine the retention period for all compliance data stored within your infrastructure. GR IT Services has no involvement in the storage or deletion of this data.
• Support communications: Retained for the duration of the service agreement plus 1 year.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

7.1 General Rights

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request a copy of your data in a structured, machine-readable format.
• Restriction: Request that we limit the processing of your personal data under certain circumstances.
• Objection: Object to the processing of your personal data for certain purposes.

7.2 GDPR Rights (EU/EEA Residents)

If you are a resident of the European Union or European Economic Area, you have rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict processing, data portability, and object to processing. You also have the right to lodge a complaint with your local data protection authority. Our lawful basis for processing is either (a) performance of a contract, (b) legitimate interests in operating our business, or (c) your consent where applicable.

7.3 CCPA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights, including the right to know what personal information we collect, the right to delete your personal information, and the right to opt-out of the sale of personal information. As stated above, we do not sell personal information. You may exercise your CCPA rights by contacting us at sales@cisguard.ae. We will not discriminate against you for exercising your CCPA rights.

7.4 UAE PDPL Compliance

As a company headquartered in the UAE, we comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its implementing regulations. UAE residents have the right to access, rectify, and request deletion of their personal data, as well as the right to restrict or object to certain processing activities. To exercise these rights, please contact us at sales@cisguard.ae.

8. International Data Transfers

GR IT Services is headquartered in Dubai, UAE. Personal data collected through the CISGuard website and support channels is primarily processed in the UAE.

Our use of Microsoft services (Microsoft 365, Azure) means that certain personal data (such as emails and website hosting data) may be processed in data centers located outside the UAE, in accordance with Microsoft's data processing agreement and applicable data residency configurations.

Where personal data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

9. Children's Privacy

CISGuard is an enterprise software product designed for business use. Our Service is not intended for, and we do not knowingly collect personal information from, children under the age of 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such information. If you believe that a child under 16 has provided us with personal data, please contact us at sales@cisguard.ae.

10. Job Applicant Data

If you apply for a position at GR IT Services, we collect your name, contact information, resume, work history, and any information you voluntarily provide. This data is used solely for evaluating your candidacy and is retained for 12 months after the recruitment process concludes, unless you request earlier deletion.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if we have your contact information) and by posting the updated policy on this page with a revised effective date. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: