Privacy Policy
Last updated: March 2026
1. Overview
3PRM ("we," "our," or "us") operates a software-as-a-service platform for third-party risk management, M&A due diligence, and vendor security intelligence. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website (3prm.com) or use our platform (platform.3prm.com).
By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Account Information
When you register for an account, we collect your name, email address, company name, job title, and authentication credentials. Account creation and authentication are managed through our infrastructure provider (Supabase Auth).
2.2 Platform Data
In the course of using our platform, you may input or upload:
- Vendor information including company names, contact details, and risk classifications
- Security assessment responses, questionnaire answers, and maturity ratings
- Documents such as SOC 2 reports, ISO certifications, policies, and SBOMs
- Findings, remediation plans, and risk scores
- M&A due diligence data including deal information, technology inventories, and personnel rosters
2.3 Trust Network Data
If you participate in the 3PRM Trust Network, certain vendor security data may be shared across organizations on the network. This includes vendor security profiles, certification status, assessment completion rates, and aggregated risk indicators. Data shared via the Trust Network is governed by the participation settings configured by your organization. No customer-proprietary assessment responses or internal findings are shared without explicit configuration.
2.4 AI Processing Data
Our AI features (including the Tria AI agent) process documents, assessment data, and user queries to provide analysis, scoring, and recommendations. Document content submitted for AI analysis is sent to our AI service provider (Anthropic) for processing and is not retained by the AI provider beyond the processing session. We do not use your data to train AI models.
2.5 Usage and Technical Data
We automatically collect certain technical information including IP address, browser type, device information, pages visited, features used, session duration, and interaction patterns. This data is used for service improvement, security monitoring, and troubleshooting.
2.6 Demo Request and Marketing Data
When you request a demo or contact us through our website, we collect the information you provide in the form, including name, email, company, and any additional context you share.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our platform and services
- Process vendor risk assessments, monitoring, and scoring
- Power AI-driven analysis, document extraction, and recommendations
- Facilitate Trust Network data sharing in accordance with your organization's settings
- Send service-related communications including security alerts, assessment reminders, and platform updates
- Respond to demo requests, support inquiries, and customer feedback
- Monitor and prevent security incidents, fraud, and abuse
- Comply with legal obligations
We do not sell your personal information or platform data to third parties. We do not use your data for advertising purposes.
4. Data Sharing and Disclosure
4.1 Trust Network Participants
If your organization participates in the Trust Network, certain vendor profile data is shared with other participants as described in Section 2.3. Your organization controls what data is shared through platform configuration settings.
4.2 Service Providers (Sub-Processors)
We use the following third-party service providers to operate our platform:
- Supabase — Database hosting, authentication, edge functions, and file storage. Supabase maintains SOC 2 Type II compliance. Data is hosted in the United States.
- Cloudflare — Content delivery, DDoS protection, and DNS for our marketing site.
- Anthropic — AI processing for document analysis, assessment scoring, and the Tria AI agent. Data sent to Anthropic is processed in real time and not retained for model training.
- Formspree — Processing of demo request form submissions on our marketing site.
4.3 Legal Requirements
We may disclose your information if required to do so by law, in response to valid legal process, to protect our rights or safety, or to investigate potential violations of our Terms of Service.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) enforcing organization-level data isolation in our database
- JWT-based authentication with secure session management
- Rate limiting on API endpoints and Edge Functions
- Regular security assessments of our platform and infrastructure
- Role-based access controls within the platform
Our infrastructure provider (Supabase) maintains SOC 2 Type II compliance. While 3PRM itself does not currently hold an independent SOC 2 attestation, we operate on SOC 2-compliant infrastructure and implement security controls consistent with SOC 2 Trust Services Criteria.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain your account data and platform data for as long as your account is active or as needed to provide services to your organization. When an organization's account is terminated, we retain data for a period of 30 days to allow for data export, after which it is permanently deleted from our systems. Backup copies may persist in encrypted backups for up to 90 days.
Demo request form submissions and marketing inquiries are retained for up to 24 months.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate personal information
- Request deletion of your personal information
- Object to or restrict processing of your personal information
- Request portability of your data in a structured, machine-readable format
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@3prm.com. We will respond to requests within 30 days.
8. Cookies and Tracking
Our marketing site (3prm.com) does not currently use third-party analytics cookies or tracking pixels. We use essential cookies for authentication and session management on the platform (platform.3prm.com). We do not use cookies for advertising or cross-site tracking.
9. International Data Transfers
Our platform infrastructure is hosted in the United States via Supabase (AWS). If you are accessing our services from outside the United States, your data will be transferred to and processed in the United States. By using our services, you consent to this transfer.
10. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or platform notification.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
3PRM
Email: privacy@3prm.com