Security

Wehandlesensitivedata.Security is non-negotiable.

Privacy Conduit processes privacy rights requests — which means we handle sensitive personal information. Security is not a checkbox; it is a core requirement of what we do.

Minimal data custodyControlled accessAudit-ready workflowsResponsible disclosure

Our approach

Privacy Conduit is built for privacy workflows that may include sensitive personal information. We design the product around limited collection, controlled access, auditability, and clear operational ownership.

We use reputable managed infrastructure and vendor controls to operate the service, but we avoid publishing unnecessary implementation details about our production environment.

Data protection

We protect data in transit and at rest using managed security controls from our infrastructure providers. We apply data minimisation: Privacy Conduit collects only what is needed to provide the service and support the privacy workflow.

Privacy Conduit does not sell or share personal data with third parties for advertising or profiling. For a full account of what we collect and why, see our Privacy Policy.

Privacy request data is separated by account or workspace. Internal access is limited to people who need it to operate, support, or secure the product.

Account access

Authentication is handled through a dedicated identity provider. We do not store user passwords. Business workspaces include role-based permissions so teams can limit who can view and manage privacy requests.

Internal access to production systems is restricted, reviewed, and protected by individual accounts. We do not use shared credentials for production access.

Connections

Some features can connect to an email account or mailbox so you can send and track privacy requests. We ask only for the permissions needed for the feature you choose, and you can revoke access at any time from your provider's account settings.

Privacy Conduit does not sell connected account data, use it for advertising, or use it to train AI models.

For Google-connected features, you can review or revoke access from your Google account permissions page.

Privacy Conduit's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

Responsible disclosure

We take security reports seriously. If you discover a vulnerability in Privacy Conduit's systems or applications, please report it to us before publishing details publicly. We commit to:

Acknowledge your report within 2 business days.
Investigate and provide an initial assessment within 7 business days.
Notify you when the issue is resolved.
Credit your report in our changelog (if you wish to be credited).

Please do not use automated scanners against production systems, attempt to access user data, or perform denial-of-service tests.

Security contact

Report vulnerabilities by email to security@privacyconduit.com. For sensitive disclosures, please encrypt your message using our PGP key — available on request.

For non-security questions, see our contact page.

Last reviewed: June 2026