Privacy Policy
Last updated: June 16, 2026
1. Information We Collect
When you use TATER, we collect information necessary to provide our compliance management services:
- Account Information: Name, email address, organization name, and role when you register or are invited to an organization.
- Compliance Data: Device inventories, scan results, control assessments, and evidence documents you upload or generate through the platform.
- Usage Data: Log data including IP addresses, browser type, pages visited, and feature usage to improve our services.
- Authentication Data: We use Microsoft Entra ID (Azure AD) for authentication. We do not store passwords.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve TATER's compliance management services
- Authenticate users and enforce role-based access controls
- Generate compliance reports, dashboards, and Trust Center content
- Send service-related communications and security alerts
- Respond to support requests and provide technical assistance
3. Data Storage & Security
All data is stored in Microsoft Azure infrastructure, including Azure Cosmos DB and Azure Static Web Apps. Data is encrypted in transit using TLS 1.2 or later and encrypted at rest by the underlying Azure storage services. We implement role-based access controls, audit logging, and tenant isolation to protect your information.
4. Multi-Tenant Data Isolation
TATER is a multi-tenant platform. Each organization's data is logically isolated using tenant-specific partition keys. Users can only access data belonging to organizations they are members of, as enforced by server-side authorization checks.
5. TATER Vault & Zero-Knowledge Encryption
TATER Vault is an optional, end-to-end-encrypted password and secret manager. It is built on a zero-knowledge architecture: vault contents (login credentials, TOTP/MFA secrets, secure notes, and items shared within a group) are encrypted and decrypted entirely in your browser or extension. We store only ciphertext and the wrapped encryption keys.
- We cannot read your vault contents. Encryption keys are derived from your vault password and never transmitted to or stored on our servers in a form we can use to decrypt your data.
- Shared vaults use per-user RSA key pairs; the shared symmetric key is wrapped to each member's public key in your browser, so the server never sees a usable shared key.
- One-time Send links carry their decryption key only in the URL fragment (after #), which browsers never transmit to any server — we store and serve only the ciphertext, and the link self-destructs after its view limit or expiry.
- Breach checking uses k-anonymity: only the first five characters of a password's SHA-1 hash are sent to the Have I Been Pwned range API; your password and full hash never leave your device.
- Organizational ownership & recovery. For organization-managed vaults, an encrypted recovery key may be escrowed to your organization's key vault so administrators can recover credentials when an employee departs. This is governed by your organization's policy; where escrow is enabled, your administrators — not TATER — control recovery.
6. Data Sharing
We do not sell your data. We may share information only in these circumstances:
- With your consent or at your direction (e.g., Trust Center public content you choose to publish)
- With service providers who assist in operating our platform (Microsoft Azure)
- To comply with legal obligations or respond to lawful requests
7. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Deleted data is moved to a recycle bin and permanently removed after 30 days. You may request complete data deletion by contacting us.
8. Your Rights
You have the right to access, correct, export, or delete your personal data. Organization administrators can manage user access and data within their tenant. Contact us at privacy@tatersecurity.com for data requests.
9. Changes to This Policy
We may update this policy periodically. We will notify you of material changes via the platform or email. Continued use of TATER after changes constitutes acceptance of the updated policy.
10. Contact Us
For privacy-related inquiries, contact us at privacy@tatersecurity.com.