Last Updated: November 23, 2025

Privacy Policy

🔒 FEDERAL CONTRACTOR SECURITY COMMITMENT

OnTrack Dynamics LLC operates under the highest standards of federal information security. We maintain SOC 2 Type II and ISO 27001 compliance and adhere to NIST SP 800-171 requirements for all client data protection.

1. Information We Collect

1.1 Business Information

We collect information necessary to provide CMMC consulting services, including:

  • Company contact information and federal contractor details
  • Technical infrastructure specifications and network architecture
  • Security policies, procedures, and current compliance status
  • Federal contract information and regulatory requirements
  • Employee training records and security awareness data

1.2 Technical Data

During compliance assessments, we may collect:

  • Network configuration and security control implementations
  • System logs and security monitoring data
  • Vulnerability assessment results
  • Compliance evidence and documentation

1.3 Website Information

Our website may collect:

  • IP addresses and browser information
  • Pages visited and time spent on site
  • Contact form submissions and inquiries
  • Cookies for website functionality (non-tracking)

2. How We Use Information

2.1 Service Delivery

We use collected information to:

  • Conduct CMMC compliance assessments and gap analysis
  • Implement security controls and develop remediation plans
  • Create customized documentation and evidence packages
  • Provide ongoing compliance monitoring and support

2.2 Legal and Regulatory Compliance

Information may be used to:

  • Meet federal contractor reporting requirements
  • Comply with security clearance and background check processes
  • Respond to legitimate government requests
  • Maintain audit trails for compliance verification

🛡️ FEDERAL COMPLIANCE STANDARDS

All data handling complies with:

  • NIST SP 800-171: Protecting Controlled Unclassified Information (CUI)
  • CMMC Level 2: Advanced cybersecurity practices
  • FISMA: Federal information security requirements
  • FedRAMP: Cloud security authorization framework

3. Data Protection & Security

3.1 Encryption

All client data is protected through:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • End-to-end encryption for sensitive communications
  • Encrypted backup storage with geographic redundancy

3.2 Access Controls

Data access is restricted through:

  • Multi-factor authentication for all systems
  • Role-based access control (RBAC)
  • Security clearance verification for personnel
  • Regular access reviews and privilege management

3.3 Infrastructure Security

Our infrastructure includes:

  • Azure GCC High certified cloud environments
  • Continuous security monitoring and incident response
  • Regular penetration testing and vulnerability assessments
  • Secure development and deployment practices

4. Information Sharing

4.1 No Unauthorized Sharing

We do not sell, rent, or share client information with third parties except as described in this policy.

4.2 Authorized Disclosures

Information may be shared only when:

  • Required by federal law or regulation
  • Authorized by written client consent
  • Necessary for service delivery (with trusted partners under NDA)
  • Required for legal proceedings or government investigations

4.3 Federal Requirements

As federal contractors, we may be required to provide information to:

  • Defense Security Service (DSS) for security clearance maintenance
  • Contracting officers for compliance verification
  • Auditors for government contract compliance
  • Law enforcement for national security purposes

5. Data Retention

5.1 Retention Periods

  • Client project data: 7 years post-project completion
  • Compliance documentation: As required by federal regulations
  • Security logs: Minimum 3 years or as required
  • Website analytics: 24 months maximum

5.2 Secure Disposal

When retention periods expire, data is securely destroyed using NIST SP 800-88 guidelines for media sanitization.

6. Your Rights

6.1 Access and Correction

You have the right to:

  • Request access to your personal information
  • Correct inaccurate or incomplete data
  • Request data deletion where legally permissible
  • Receive copies of your data in a portable format

6.2 Federal Contractor Limitations

Some rights may be limited by federal contractor obligations, security clearance requirements, and regulatory compliance needs.

7. International Considerations

7.1 Data Location

All client data is stored and processed within the United States in accordance with federal contractor requirements.

7.2 Cross-Border Restrictions

We do not transfer controlled technical data outside the United States without proper export control authorization.

8. Incident Response

8.1 Security Incidents

In the event of a security incident affecting client data:

  • We will investigate and contain the incident immediately
  • Affected clients will be notified within 24 hours
  • Federal authorities will be notified as required
  • Remediation steps will be implemented and documented

8.2 Breach Notification

We maintain incident response procedures compliant with federal breach notification requirements and will notify affected parties promptly.

9. Third-Party Services

9.1 Approved Vendors

We only work with vendors who meet federal security requirements and maintain appropriate certifications (FedRAMP, SOC 2, etc.).

9.2 Subcontractor Compliance

All subcontractors are required to maintain the same level of data protection and security as OnTrack Dynamics LLC.

10. Policy Updates

We may update this privacy policy to reflect changes in:

  • Federal regulations and compliance requirements
  • Our business practices and service offerings
  • Technology and security improvements
  • Legal and regulatory obligations

Material changes will be communicated to clients with 30 days' advance notice.

📧 PRIVACY CONTACT

For privacy questions, data requests, or security concerns, contact our Privacy Officer through official OnTrack Dynamics LLC channels. All privacy inquiries are handled with the highest level of security and confidentiality.

11. Compliance Certifications

OnTrack Dynamics LLC maintains the following security and privacy certifications:

  • SOC 2 Type II - Security, availability, and confidentiality
  • ISO 27001 - Information security management
  • CMMC Level 2 - Advanced cybersecurity practices
  • Federal contractor security clearance compliance

🔐 COMMITMENT TO SECURITY

Your trust is our top priority. OnTrack Dynamics LLC employs security professionals with decades of federal IT experience and maintains the highest standards of data protection required for Department of Defense contractors.