RedTeamTrust: Offense-informed defense

Privacy Policy

Effective June 1, 2026

This Privacy Policy explains how RedTeamTrust (“RedTeamTrust,” “we,” “us,” or “our”) collects, uses, stores, and protects information in connection with our website, partner console, assessment platform, and compliance management tools.

Because our platform operates across several distinct contexts (website visitors, MSP/MSSP partner accounts, client portal users, and endpoint assessment telemetry), this policy addresses each separately. Please read the section that applies to your relationship with us.

1. Who This Policy Covers

Website visitors — anyone who browses redteamtrust.com without creating an account.

Partner account holders — MSPs and MSSPs who create a partner account and use the console, API, or assessment platform.

Client portal users — employees of client organizations who are invited by a partner to access the compliance portal.

Assessed organizations — organizations on whose systems an assessment agent is run by a partner with written authorization. RedTeamTrust processes their endpoint telemetry on behalf of the partner.

2. Information We Collect

2a. Website Visitors

We collect standard web server logs (IP address, browser type, referring URL, pages visited, timestamps) for security monitoring and basic analytics. We do not use third-party behavioral tracking scripts or advertising pixels on this site. If you contact us by email, we retain your message and contact details to respond to your inquiry.

2b. Partner Account Holders

When you create a partner account or subscribe, we collect:

  • Name, email address, and company name;
  • Billing information processed by our payment provider (Stripe) — we do not store full card numbers;
  • Account activity logs (logins, bundle downloads, assessment runs, report generations);
  • API keys you generate (stored as hashed values — the raw key is shown only once at creation).

2c. Client Portal Users

When a partner invites a client contact to the compliance portal, we collect:

  • Email address and password (hashed — never stored in plaintext);
  • Activity within the portal (control views, evidence uploads, sign-outs).

Client portal accounts are created at the direction of the partner. If you are a client portal user and have questions about how your data is used, contact the MSP or MSSP that manages your account.

2d. Endpoint Assessment Telemetry

When an assessment agent runs on a device, it collects structured telemetry about the security configuration of that endpoint. This is the core data our platform processes to generate findings and reports.

The agent collects:

  • Operating system version, patch level, and pending update status;
  • Security software registration status (antivirus, EDR, firewall);
  • Security control configuration (BitLocker, Defender settings, ASR rules, logging policy, audit policy);
  • Local user account names, SIDs, enabled/disabled status, last logon timestamps, and password policy settings;
  • Names and running status of security-relevant services (Sysmon, WinRM, Remote Registry);
  • Network adapter configuration relevant to known attack vectors (LLMNR, NBT-NS, mDNS, SMB signing, IPv6);
  • Presence (not contents) of specific file types and paths known to indicate credential exposure (e.g., SSH key files, cloud credential files, browser credential databases);
  • Results of behavioral probes that test whether active security controls intercept known attack patterns.

The agent does not collect:

  • File contents of any kind;
  • Passwords, password hashes, or credential material;
  • Keystrokes or screen captures;
  • Network traffic or packet data;
  • Email, documents, or personal files;
  • Data from systems outside the device on which it runs.

Telemetry is transmitted over an encrypted connection to our ingestion endpoint and processed server-side to produce findings. The agent does not persist on the device after the assessment run completes — it is a one-time collection tool, not a persistent agent.

3. How We Use Information

We use the information we collect to:

  • Operate, maintain, and improve the Platform;
  • Generate assessment findings, risk scores, and reports;
  • Map findings to compliance framework controls and generate gap reports;
  • Process Subscription payments and manage billing;
  • Send transactional communications (account creation, billing receipts, assessment completion notices);
  • Respond to support inquiries;
  • Detect and prevent unauthorized access, abuse, or fraud;
  • Comply with legal obligations.

We do not sell your data or your clients' data to third parties. We do not use assessment telemetry for advertising, profiling, or any purpose other than generating the reports and compliance outputs described above.

We may use aggregated, de-identified statistics (e.g., “X% of assessed endpoints have BitLocker disabled”) for product development and public threat intelligence reporting. No individual organization or device is identifiable in such aggregations.

4. Controller and Processor Roles

For partner account data (Section 2b), RedTeamTrust is the data controller — we determine how that data is used and are responsible for it under applicable law.

For client portal data and endpoint assessment telemetry (Sections 2c and 2d), RedTeamTrust acts as a data processor on behalf of the partner. The partner is the data controller: they directed the assessment, obtained written authorization from the assessed organization, and determined the purpose for which the data is processed. Partners who operate under data protection regulations (GDPR, HIPAA, etc.) are responsible for ensuring their use of the Platform complies with those obligations. Contact us at privacy@redteamtrust.com to request a Data Processing Agreement.

5. Data Sharing and Disclosure

We share information only in the following circumstances:

  • Service providers — we use Stripe for payment processing and cloud infrastructure providers for hosting and storage. These providers process data on our behalf under data processing agreements and are not permitted to use your data for their own purposes.
  • Legal requirements — we may disclose information if required by law, court order, or valid legal process, or if we believe disclosure is necessary to prevent imminent harm.
  • Business transfer — if RedTeamTrust is acquired or merges with another company, account data may transfer to the acquiring entity. We will notify affected users before any such transfer and describe the privacy choices available to them.
  • With your consent — in any other case, only with your explicit consent.

We will not share assessment telemetry or findings with anyone other than the partner who initiated the assessment and the assessed organization they represent, except as required by law.

6. Data Retention

  • Assessment telemetry and reports — retained for a minimum of twelve (12) months from the date of assessment to support historical comparison and re-assessment. Partners may request deletion of a specific organization's data at any time; see Section 8.
  • Partner account data — retained for the duration of the active Subscription plus thirty (30) days after termination, then deleted. Billing records are retained for seven (7) years as required for tax and accounting purposes.
  • Client portal accounts — retained until the partner deletes the organization or account, or until the partner's account is terminated.
  • Written authorization records — retained for a minimum of three (3) years from the date of assessment.

7. Security

We implement technical and organizational measures to protect data against unauthorized access, disclosure, alteration, and destruction. These include encrypted data transmission (TLS), hashed credential storage, access controls limiting which personnel can access production data, and rate limiting on authentication endpoints.

No security measure is perfect. If you discover a security vulnerability in our platform, please report it to security@redteamtrust.com. We commit to acknowledging reports within two business days and will not take legal action against good-faith researchers who follow responsible disclosure practices. See our Trust & Security page for our full disclosure commitment.

In the event of a data breach that affects your account or your clients' data, we will notify you within seventy-two (72) hours of becoming aware of the incident, to the extent required by applicable law.

8. Your Rights and Choices

Depending on your location and applicable law, you may have rights to access, correct, delete, or export personal data we hold about you. To exercise any of these rights, contact us at privacy@redteamtrust.com with a description of your request. We will respond within thirty (30) days.

Partners — you may access and update your account information in the partner console. You may request deletion of your account and associated data by contacting us; note that billing records subject to legal retention requirements cannot be deleted.

Assessed organizations — because RedTeamTrust processes your data as a processor on behalf of the partner who directed the assessment, data subject requests (access, deletion, correction) should first be directed to the MSP or MSSP that manages your engagement. If you are unable to reach them or your request is not fulfilled, contact us directly and we will assist.

Marketing communications — we do not send marketing emails without your explicit opt-in. If you have opted in and wish to unsubscribe, use the unsubscribe link in any email or contact us directly.

9. Cookies

The marketing website (redteamtrust.com) uses a session cookie for navigation state only. We do not use advertising, tracking, or analytics cookies on the marketing site.

The partner console and client portal use session cookies required for authentication. These cookies expire when you sign out or after a period of inactivity. They are necessary for the platform to function and cannot be disabled while using the console.

10. Children

The Platform is a business-to-business service intended for use by professionals at MSP and MSSP organizations and their business clients. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have inadvertently collected such information, contact us at privacy@redteamtrust.com and we will delete it promptly.

11. International Data Transfers

RedTeamTrust operates from the United States. If you access the Platform from outside the United States, your data may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Platform, you consent to this transfer. Partners subject to GDPR who require a Data Processing Agreement with Standard Contractual Clauses should contact us at privacy@redteamtrust.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify partner account holders by email and post the updated policy with a new effective date. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

13. Contact

For privacy questions, data subject requests, or to request a Data Processing Agreement:

privacy@redteamtrust.com