Bonterms-derivative. This Privacy Notice substantially follows the Bonterms Privacy Notice framework with adaptations for ElasticD3M, LLC's services, U.S. operations, CCPA / CPRA compliance, and the technical scope of the Enclave AI™ platform (configuration metadata, not CUI payloads).
1. Scope
This Privacy Notice describes how ElasticD3M, LLC ("we", "us") collects, uses, and discloses Personal Information when you visit ai4cmmc.ai, purchase a CMMC Readiness Snapshot™, subscribe to a CMMC L2 Readiness tier, or otherwise interact with our Services. For data we process on Customer's behalf as a Processor under enterprise agreements, the Data Processing Addendum governs.
This Notice is intended primarily for U.S. residents and U.S.-based business contacts. We do not knowingly direct our Services at residents of the European Economic Area, United Kingdom, Switzerland, or jurisdictions where local law would require additional disclosures we have not made; if you are a resident of such a jurisdiction and use our Services, please contact privacy@elasticd3m.com for region-specific information.
2. Information We Collect
We collect the following categories of Personal Information:
- Identity and contact information: name, business email address, phone number, company name, business address, job title, provided at intake, checkout, or via direct correspondence.
- Account information: organization details, CAGE code (if applicable), CMMC scope, contractual posture, provided at intake.
- Configuration metadata from connected cloud services (AWS, Azure, Microsoft 365, Okta, CrowdStrike), read via Customer-authorized read-only connectors and used to generate compliance deliverables. We do not read, store, or transmit Controlled Unclassified Information (CUI) payloads, customer-of-Customer personal data, or substantive business data, only configuration metadata.
- Billing information: limited payment metadata (last 4 of card, billing zip, expiration) provided to us by Stripe. We do not store full payment card numbers; Stripe is our payment processor and is PCI-DSS Level 1 compliant.
- Technical information: IP address, browser type, device type, referrer, pages visited, timestamps, collected automatically via server logs and Cloudflare analytics.
- Communications: emails you send to agents@ai4cmmc.ai or other ai4cmmc.ai addresses, including the content and attachments.
We do not use behavioral tracking pixels in outbound emails, cross-site advertising cookies, or session-replay tools. We do not sell Personal Information.
3. How We Use Information
We use Personal Information to:
- Provide, maintain, and improve the Services, including generating CMMC Readiness Snapshot™ reports and ongoing readiness deliverables.
- Process payments, manage subscriptions, and send transactional emails (welcome emails, deliverable notifications, billing receipts).
- Respond to support requests and other communications.
- Comply with legal obligations, enforce our Terms of Service, and protect against fraud or misuse.
- Send service updates and infrequent product communications. You may opt out of non-essential communications at any time.
We retain Personal Information only as long as needed for these purposes, plus any period required by law or for legitimate business records (typically: account data for the duration of the customer relationship plus seven (7) years for tax and financial records).
4. Disclosure to Third Parties
We disclose Personal Information to:
- Subprocessors, third-party service providers acting on our instructions. The full list with each provider's purpose and data scope is published at /subprocessors and updated at least quarterly.
- Legal authorities when required by valid subpoena, court order, or other legal process. We notify Customer of the request unless legally prohibited.
- Successors in connection with a merger, acquisition, or sale of substantially all assets, subject to confidentiality protections consistent with this Notice.
We do not disclose Personal Information to advertising networks, data brokers, or other parties for marketing purposes. We do not engage in "cross-context behavioral advertising" as defined by CCPA / CPRA.
5. Your Rights (CCPA / CPRA)
California residents have the right to: (i) know what Personal Information we collect, (ii) request deletion of Personal Information, (iii) request correction of inaccurate information, (iv) opt out of sale or sharing of Personal Information (we do not sell or share), and (v) limit use of "sensitive Personal Information" (we do not knowingly process sensitive PI as defined under CPRA). To exercise any right, email privacy@elasticd3m.com. We respond within forty-five (45) days. We will not retaliate against you for exercising these rights.
If you are a resident of another U.S. state with a comprehensive privacy law (Virginia, Colorado, Connecticut, Utah, etc.), you have substantially similar rights and may submit a request through the same channel.
6. Data Retention and Deletion
Active account data is retained for the duration of the customer relationship. Following termination, we retain account data for ninety (90) days to allow Customer to retrieve deliverables and configuration, then delete or anonymize it unless: (a) retention is required by law (tax records: seven years; communication archives for compliance: as required); or (b) data is part of routine database backups that are overwritten on a documented rotation. Configuration metadata read from connected clouds is retained only as long as needed to generate the deliverable; it is not used for any other purpose.
7. Security
We maintain industry-standard administrative, physical, and technical safeguards to protect Personal Information. Specifics include: AES-GCM encryption at rest for sensitive data, TLS 1.2+ in transit, role-based access control with least-privilege defaults, isolated production credentials encrypted with a dedicated key management service, signed audit logs for material database actions, and a documented incident-response plan. We notify Customer of any confirmed Personal Data Breach within seventy-two (72) hours.
8. International Data Transfers
Our Services are operated from the United States. Subprocessors are predominantly located in the United States with some in Canada and the European Union; the Subprocessors List identifies each provider's primary location. If Customer is located outside the United States, Customer's Personal Information will be transferred to and processed in the United States, subject to applicable transfer mechanisms (Standard Contractual Clauses, where applicable, are available via the DPA).
9. Children's Data
The Services are intended for business use by adults representing organizations. We do not knowingly collect Personal Information from anyone under the age of eighteen (18). If we discover we have collected such information, we will delete it promptly.
10. Changes to This Notice
We may update this Privacy Notice from time to time. For material changes, we will give at least thirty (30) days' advance notice via email or platform notice before the change becomes effective. The "Effective Date" at the bottom of this page indicates when the most recent version took effect.
11. Contact
Privacy questions, data subject requests, or general inquiries: privacy@elasticd3m.com
Postal address:
ElasticD3M, LLC
Attn: Privacy
7700 Broadway St, Ste 104 PMB1083
San Antonio, TX 78209, United States
Effective Date: May 12, 2026 · Version: 2.0 (Bonterms-derivative)
Replaces all prior versions of the Privacy Policy published at ai4cmmc.ai before this date.