Privacy Policy | PeytonixAI

Core Principle

PeytonixAI Does Not Store Customer Evidence Files

All audit evidence files are uploaded directly from user browsers to customer-owned cloud storage using secure, time-limited access mechanisms. PeytonixAI never receives, processes, or stores the contents of those files.

This policy applies to: Visitors to peytonixai.com, users of the PeytonixAI application, and customers, prospects, and support contacts. It does not apply to customer-owned data stored in customer-controlled infrastructure, as described below.

Data Collection

Information We Collect

Website Information

IP address, browser type and version, pages visited and interaction data, referral source. Used solely for website security, analytics, and performance monitoring.

Account & Identity Information

Name, work email address, organization name, role and access level, authentication identifiers (e.g., SSO subject ID). Authentication is typically handled through the customer's identity provider.

Application Metadata

Audit entities and hierarchies, control definitions, workpaper status, evidence references (object IDs, hashes, timestamps — not file contents), access logs and audit trails.

Support & Communications

Contact information, support messages, and troubleshooting metadata when you contact us for assistance.

Privacy Boundaries

Information We Do Not Collect

✓ We do not store customer audit evidence files
✓ We do not inspect or process customer evidence contents
✓ We do not monitor customer business data
✓ We do not sell personal data
✓ We do not use customer data for advertising

Data Usage

How We Use Information

We use information only for the following purposes:

✓ Provide and operate the PeytonixAI platform
✓ Authenticate users and enforce access controls
✓ Maintain security and audit logging
✓ Provide customer support
✓ Improve system reliability and performance
✓ Meet legal and regulatory obligations

Your Control

Customer-Owned Infrastructure

Customers deploy and control their own infrastructure for evidence storage.

Evidence Storage

Customer-owned Amazon S3 buckets for all audit evidence files.

Encryption Keys

Customer-managed AWS KMS keys for encryption at rest.

CloudTrail & Logging

Optional customer-controlled logging for independent audit trails.

Data Residency

Customer-selected regions and retention policies.

PeytonixAI accesses customer infrastructure only through explicit, customer-granted permissions, which can be revoked at any time.

Retention

Data Retention

✓ Audit metadata and security logs: retained by default for 7 years, aligned with SOX and SOC 2 expectations
✓ Low-risk operational events: retained for shorter periods where appropriate
✓ Evidence files: retained and deleted according to customer policy in customer-owned systems

Upon Contract Termination

PeytonixAI deletes customer metadata within contractually defined timeframes. Customers retain full control of their evidence storage and encryption keys.

Protection

Security Measures

PeytonixAI implements industry-standard security controls.

✓ Role-based and entity-level access controls
✓ Encryption in transit (TLS 1.2+)
✓ Encryption at rest using customer-managed keys
✓ Immutable audit logging
✓ Secure authentication and session handling
✓ Regular security testing and monitoring

Detailed security documentation is available to customers under NDA. See our Security page for more information.

Third Parties

Subprocessors & International Transfers

Subprocessors

PeytonixAI uses a limited number of subprocessors to support service delivery, including cloud infrastructure providers, monitoring and alerting services, and optional AI services (disabled by default). A current list of subprocessors is available in our Trust Package.

International Data Transfers

PeytonixAI processes metadata in regions selected by the customer. Evidence files remain in customer-selected regions and accounts. Where applicable, appropriate safeguards are applied for international transfers.

Your Rights

Your Privacy Rights

Depending on your jurisdiction, you may have rights to:

✓ Access your personal information
✓ Request correction or deletion
✓ Restrict or object to processing

Requests can be submitted via the contact information below. Requests related to customer data are handled in coordination with the customer organization.

Contact

Changes & Contact Information

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be posted on this page with an updated effective date.

Privacy Questions

privacy@peytonixai.com

Security Team

security@peytonixai.com

Legal & DPA

legal@peytonixai.com