Privacy Policy

Last updated: January 1, 2025

1. Introduction

PatchGuard Inc. ("PatchGuard," "we," "our," or "us") operates the website at patchguardx.com and provides an AI-powered vulnerability prioritization and automated patch deployment platform for hybrid cloud security (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use our Services, visit our website, or communicate with us.

PatchGuard is headquartered at 1100 Connecticut Ave NW, Washington, DC 20036. If you have questions about this policy or our data practices, contact us at team@patchguardx.com.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you are accessing our Services on behalf of a company or organization, you represent that you have authority to bind that entity to this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

Account Registration: When you create a PatchGuard account, we collect your name, work email address, company name, job title, and a password. We may also collect a phone number if you provide it for account recovery or multi-factor authentication purposes.

Contact and Support Requests: When you submit a contact form, request a demo, or contact our support team, we collect your name, email address, company name, and the content of your message or inquiry. We retain support communications for 36 months to maintain continuity of service history.

Billing Information: For paid subscription accounts, billing information (credit card number, billing address, and payment processor tokens) is collected directly by our payment processor, Stripe Inc. PatchGuard does not store complete credit card numbers. We retain billing records, including transaction history, subscription changes, and invoice data, for 7 years to comply with tax and financial reporting requirements.

Profile and Preferences: Account holders may optionally provide a profile photo, time zone, notification preferences, and custom alert configuration settings. This information is used solely to personalize your experience within the platform.

2.2 Infrastructure and Security Data

The core function of PatchGuard's Services requires ingesting technical data about your infrastructure. This data is controlled by you as the data controller; PatchGuard processes it as a data processor under your instruction. Infrastructure data includes:

Asset Inventory: Hostnames, IP addresses, operating system versions, installed software package names and versions, container image digests, cloud resource identifiers (AWS instance IDs, Azure VM resource IDs, GCP Compute instance names), and network configuration attributes such as security group membership and subnet assignments.

Vulnerability Scan Results: CVE identifiers, CVSS scores, affected package versions, detection timestamps, and remediation status. This data is derived from your infrastructure and reflects the security state of your systems.

Patch Deployment Records: Timestamps of patch actions, package versions before and after patching, deployment outcome status, post-patch health check results, approval records, and rollback events. These records form the audit trail required for compliance reporting.

API Credentials and Access Tokens: Cloud provider API tokens (AWS IAM role ARNs, Azure service principal credentials, GCP service account keys) provided to enable PatchGuard to connect to your cloud environments. These credentials are stored encrypted at rest using AES-256 encryption, are never logged in plaintext, and are never shared with third parties. You may revoke credentials at any time through your PatchGuard account settings.

2.3 Website Usage Data

Log Data: When you visit patchguardx.com, our web servers automatically record your IP address, browser type and version, operating system, referring URL, pages visited, time and date of visit, and time spent on each page. Log data is retained for 90 days.

Cookies and Tracking Technologies: We use cookies and similar technologies to maintain your session, remember your preferences, and collect aggregate analytics data. See our Cookie Policy for full details on which cookies we use and how to manage them.

2.4 Information Collected from Third Parties

We may receive information about you from third-party sources, including: cloud marketplace listings (AWS Marketplace, Azure Marketplace, GCP Marketplace) that relay subscription and billing information when you subscribe to PatchGuard through a marketplace; security intelligence providers that contribute CVE data, exploit availability signals, and threat intelligence to our scoring model (this data is aggregated and does not contain personal information); and business intelligence services that append publicly available company information (company size, industry, revenue range) to account records to help us tailor onboarding and support.

3. How We Use Your Information

Providing and Improving the Services: We use account information, infrastructure data, and usage data to operate the PatchGuard platform, process vulnerability scans, execute and monitor patch deployments, generate compliance reports, and continuously improve the accuracy of our risk scoring model. Risk scoring improvements are based on aggregated, anonymized data patterns across our customer base — individual customer infrastructure data is not used to train models that affect other customers' environments.

Communications: We use your email address to send transactional messages required to operate your account (account confirmation, password reset, billing receipts, service outage notifications, and security alerts about your environment). We may also send product update announcements and security research insights. You may opt out of non-transactional emails at any time by clicking the unsubscribe link or contacting us at team@patchguardx.com. You cannot opt out of transactional emails while your account is active.

Customer Support: We use contact information and account data to respond to support requests, diagnose technical issues, and assist with onboarding.

Security and Fraud Prevention: We analyze access patterns, IP addresses, and account activity to detect and prevent unauthorized access, abuse, and fraudulent use of our Services.

Legal Compliance: We use and retain information as required by applicable law, including financial record-keeping requirements, responses to lawful legal process, and enforcement of our terms of service.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:

Contract Performance (Article 6(1)(b) GDPR): Processing your account registration data, billing information, and infrastructure data is necessary to perform our contract with you to provide the Services.

Legitimate Interests (Article 6(1)(f) GDPR): We process website usage data, log data, and security monitoring data based on our legitimate interest in operating a reliable, secure service and understanding how users interact with our platform.

Legal Obligation (Article 6(1)(c) GDPR): We retain billing records and certain audit logs to comply with applicable tax, financial, and regulatory requirements.

Consent (Article 6(1)(a) GDPR): For non-essential cookies and marketing communications, we rely on your consent. You may withdraw consent at any time.

5. Data Sharing and Disclosure

Service Providers: We share data with third-party vendors who process it on our behalf to provide the Services. These include: Amazon Web Services (cloud infrastructure hosting), Stripe (payment processing), SendGrid (transactional email delivery), Datadog (infrastructure monitoring and log management), and Salesforce (customer relationship management). Each service provider is bound by data processing agreements that restrict their use of your data to the specific purpose for which it was shared.

Professional Services Partners: For enterprise customers who engage PatchGuard's professional services team for implementation assistance, relevant account and infrastructure data may be accessible to certified PatchGuard implementation partners under confidentiality agreements.

Legal Requirements: We may disclose your information if required to do so by applicable law, regulation, legal process, or enforceable governmental request. We will attempt to notify affected account holders before disclosing information in response to legal process unless prohibited from doing so by law or court order.

Business Transfers: If PatchGuard is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users via email or prominent notice on our website at least 30 days before information is transferred and becomes subject to a different privacy policy.

We do not sell personal information. PatchGuard does not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes.

6. Data Retention

We retain different categories of data for different periods based on business necessity and legal requirements:

Account data (name, email, company): Retained for the life of the account plus 12 months after account closure, to fulfill final billing, support obligations, and legal holds. After 12 months, account data is deleted or anonymized.

Infrastructure data (asset inventory, vulnerability findings, patch records): Retained for 24 months to support compliance reporting, trend analysis, and audit evidence requests. Data older than 24 months is automatically purged. Enterprise accounts may request extended retention up to 60 months for compliance purposes.

Billing records: Retained for 7 years from the date of the last transaction, as required by US tax law and financial reporting obligations.

Support communications: Retained for 36 months to maintain service history continuity.

Website logs: Retained for 90 days, then automatically deleted.

You may request deletion of your account and associated data at any time by contacting team@patchguardx.com. Deletion requests will be processed within 30 days, subject to our legal retention obligations for billing records and any outstanding contractual obligations.

7. Your Privacy Rights

7.1 Rights Under GDPR (EEA/UK Users)

If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation:

Right of Access: You may request a copy of the personal data we hold about you, including the categories of data, the purposes of processing, and the parties with whom it has been shared.

Right to Rectification: You may request that we correct inaccurate or incomplete personal data we hold about you.

Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where processing was unlawful. We will honor erasure requests subject to our legal retention obligations.

Right to Restriction: You may request that we restrict processing of your data in certain circumstances, such as while we investigate a dispute about accuracy.

Right to Data Portability: You may request that we provide your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another service provider.

Right to Object: You may object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.

To exercise any GDPR right, contact team@patchguardx.com with the subject line "GDPR Data Request." We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated.

7.2 Rights Under CCPA (California Residents)

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of the categories of personal information collected, the sources, the business purpose, and the third parties with whom it is shared.

Right to Delete: You may request deletion of personal information we have collected, subject to exceptions for completing transactions, security, legal obligations, and other permitted purposes.

Right to Correct: You may request correction of inaccurate personal information we maintain about you.

Right to Opt Out of Sale/Sharing: PatchGuard does not sell personal information as defined under the CCPA and does not share personal information for cross-context behavioral advertising.

Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those necessary to provide the Services.

Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact team@patchguardx.com or call +1 (202) 637-4182. We will verify your identity before processing the request and respond within 45 days, with one 45-day extension if needed.

8. Security

PatchGuard implements administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include: AES-256 encryption for data at rest; TLS 1.2 or higher for all data in transit; access controls requiring multi-factor authentication for all PatchGuard staff with access to production systems; annual penetration testing by an independent third-party security firm; SOC 2 Type II certification for our infrastructure; and role-based access controls limiting staff access to the minimum data necessary for their job function.

Despite these measures, no security system is impenetrable. If you believe your account has been compromised, contact us immediately at team@patchguardx.com. In the event of a data breach affecting your personal information, we will notify affected users and relevant regulatory authorities as required by applicable law, including within 72 hours for GDPR-covered incidents.

9. International Data Transfers

PatchGuard is based in the United States. If you are accessing our Services from outside the United States, your information will be transferred to, stored, and processed in the United States. For transfers of personal data from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers. A copy of the applicable SCCs is available upon request by contacting team@patchguardx.com.

10. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information promptly. If you believe we may have collected information from a child, contact us at team@patchguardx.com.

11. Third-Party Links

Our website and platform may contain links to third-party websites, integrations, and services. PatchGuard does not control the privacy practices of third-party sites. We recommend reviewing the privacy policy of any third-party site you visit. This Privacy Policy applies only to patchguardx.com and the PatchGuard platform.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email to the address associated with your account, or by posting a prominent notice on our website, at least 30 days before the changes take effect. The "Last updated" date at the top of this policy reflects when the current version was published. Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact:

PatchGuard Inc.
Attn: Privacy Team
1100 Connecticut Ave NW
Washington, DC 20036
Email: team@patchguardx.com
Phone: +1 (202) 637-4182

We will respond to all data privacy requests within 30 days of receipt.