Commitment to Your Privacy and Security

CritAlertResponse

Website & Service Privacy Policy

SOC-lite Platform

Effective Date: [4/1/2026]  |  Last Updated: [4/10/2026]

This Privacy Policy describes how CritAlertResponse, Inc. collects, uses, stores, and shares information through our website (critalertresponse.org) and our SOC-lite security alert escalation platform (“Platform” or “Service”). Please read this policy carefully. If you have questions, contact us at privacy@critalertresponse.org.

1. Who We Are

CritAlertResponse, Inc. is a Georgia corporation providing AI-assisted, after-hours security alert triage and escalation services primarily to K–12 school districts, municipalities, counties, educational service districts, and other public and nonprofit entities (“Members”).

CritAlertResponse, Inc.

Resaca, GA 30735

cybersecurity@critalertresponse.org

For purposes of applicable data protection law, CritAlertResponse acts as the “data controller” for Member organization data and as a “data processor” acting on Member instructions for alert content data forwarded to the Platform.

2. What Data We Collect

We collect two distinct categories of data: data about your organization and contacts (“Member Data”), and the security alert content you choose to forward to the Platform (“Alert Content”). These are treated differently and are described below.

2.1 Member Organization Data

When a Member subscribes to the Service, we collect:

  • Organization name, address, and billing contact information
  • Names, titles, email addresses, and direct phone numbers of designated emergency contacts (primary and backup)
  • Licensed email domain(s) configured for alert forwarding
  • Payment and invoicing information (processed by a third-party payment processor; CritAlertResponse does not store full payment card numbers)
  • Account configuration settings and onboarding records

2.2 Alert Content Data

When a Member’s security tools forward alert emails to the SOC-lite centralized mailbox, we receive and process:

  • The full text of forwarded security alert emails, which may include system-generated event descriptions, IP addresses, hostnames, usernames, event timestamps, and device identifiers
  • Metadata associated with forwarded emails (sender address, timestamp, subject line)

Important: CritAlertResponse does not seek or require student personally identifiable information (PII), employee personal data, or financial records in alert emails. Members are responsible for configuring their forwarding rules to minimize the transmission of such data. If student PII or employee personal data is incidentally present in a forwarded alert email, it will be handled in accordance with applicable law and will not be used for any purpose other than processing that specific alert.

2.3 Audit and Operational Log Data

The Platform automatically generates and retains:

  • Triage decision records
  • Notification delivery records
  • Monthly simulated drill records
  • System access logs for authorized personnel

2.4 Website Visitor Data

When you visit critalertresponse.org, we may collect standard web analytics data including browser type, pages visited, time on page, and referring URL. We do not use tracking cookies for advertising purposes. See Section 10 for cookie details.

3. How We Use Your Data

We use data collected through the Platform strictly for the following purposes:

  • Service delivery: Processing forwarded alert emails, running AI triage analysis, and initiating automated voice escalation calls to designated contacts.
  • Audit and accountability: Maintaining a complete audit log of all triage decisions and notification events for each Member.
  • Monthly drill management: Scheduling, executing, and logging the monthly simulated alert drill for each Member.
  • Billing and account administration: Invoicing, payment processing, and license management.
  • Service quality and support: Diagnosing issues, investigating disputes, and improving Platform reliability.
  • Legal compliance: Meeting our obligations under applicable federal, state, and local law.

We do not use alert content for marketing, advertising, profiling, or any purpose outside direct service delivery. Alert content is never sold, licensed, or shared with any party for commercial purposes.

4. AI Processing Disclosure

The SOC-lite Platform uses two third-party Large Language Model (LLM) providers to perform AI triage analysis on forwarded alert emails. 

4.1 Third-Party LLM Providers

Each forwarded alert is independently analyzed by two LLM agents, each from a different company. Both providers are subject to data processing agreements that govern how they handle prompt data submitted via API.

4.2 No AI Training on Alert Content

Alert content submitted to the LLMs via the SOC-lite API integration is not used by either provider to train, fine-tune, or improve their AI models. CritAlertResponse operates under API usage terms that prohibit model training on customer prompt data. Members should confirm this directly with each provider’s enterprise data handling documentation if required for their own compliance purposes.

4.3 Dual-LLM Consensus Protocol

To reduce the risk of AI errors (“hallucinations”), both LLM instances must independently agree that an alert meets “Absolutely Urgent” criteria before an escalation call is triggered.

4.4 Voice Delivery: Twilio

Automated outbound voice calls are delivered via Twilio, Inc. (San Francisco, CA). Twilio processes the destination phone number and the audio content of the escalation call as a data processor on CritAlertResponse’s behalf, subject to Twilio’s Data Protection Addendum. Twilio’s privacy information is available at twilio.com/en-us/legal/privacy.

5. Subprocessors

The following third parties process data on CritAlertResponse’s behalf in connection with the Platform. CritAlertResponse maintains data processing agreements with each subprocessor.

  • Anthropic (Claude API)
  • OpenAI (GPT API)
  • Twilio, Inc.

We will notify Members of material changes to our subprocessor list with at least [30] days’ written notice.

6. Data Sharing and Disclosure

CritAlertResponse does not sell, rent, or license Member Data or Alert Content to any third party. We disclose data only in the following circumstances:

  • To subprocessors: As described in Section 5, solely to deliver the Service.
  • Legal process: If required by valid legal process (court order, subpoena, or applicable law), we will comply. Where permitted by law, we will notify the affected Member prior to disclosure.
  • Public records law: Members that are public agencies acknowledge that records CritAlertResponse holds on their behalf may be subject to disclosure under applicable public records laws. Both parties agree to promptly notify each other upon receipt of any public records request implicating data shared under their agreement.
  • Incident response: If alert content is relevant to a confirmed or suspected security incident affecting the Member, we may share that content with the Member’s designated contacts or, at the Member’s direction, with their incident response team or law enforcement.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, Member Data and Alert Content may be transferred to the successor entity. Members will be notified in advance and the successor will be bound by the privacy commitments in this Policy.

7. Data Retention

We retain different categories of data for different periods, as described below:

  • Alert email content (forwarded emails): [365] days from receipt
  • Audit logs (triage decisions, notifications): [3] years
  • Member contact information: Life of contract + [2] years; account management and post-termination dispute resolution
  • Billing and invoicing records: [7] years; tax and financial recordkeeping requirements
  • Website visitor analytics: [13] months (rolling); standard web analytics retention

Upon termination of a Member’s agreement, we will delete or return Alert Content and Member Data within [30] days of written request, subject to any legal hold obligations. Audit logs will be retained for the periods above and made available to the Member upon written request.

8. Security

CritAlertResponse implements reasonable and appropriate technical and organizational security measures to protect data against unauthorized access, disclosure, loss, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Access to alert content restricted to authorized personnel and automated processing systems only
  • Role-based access controls for all Platform systems
  • Logging and monitoring of system access events
  • An incident response plan covering detection, containment, notification, and remediation

In the event of a data breach involving Member Data or Alert Content, CritAlertResponse will notify affected Members within [72 hours] of becoming aware of the breach, or as otherwise required by applicable law, including the Washington State Data Breach Notification Law (RCW 19.255.010) to the extent applicable to the Member’s jurisdiction.

9. FERPA and Student Data

CritAlertResponse is not an educational institution and does not seek to collect student education records. However, because Members include K–12 school districts, the Company acknowledges the following:

  • Members should configure alert forwarding rules to prevent transmission of student or staff PII to the Platform.
  • If student PII is incidentally received in a forwarded alert email, it will not be used for any purpose other than triage of the associated alert and will be deleted in accordance with the retention schedule in Section 7.
  • To the extent student education records are incidentally transmitted, CritAlertResponse agrees to operate consistent with the requirements of the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.

10. Cookies and Website Tracking

The critalertresponse.org website uses minimal cookies limited to:

  • Essential cookies: Required for basic website functionality and security. These cannot be disabled.
  • Analytics cookies: Used to understand aggregate website usage patterns (e.g., pages visited, time on site). We use [analytics provider, e.g., privacy-friendly analytics]. No cross-site tracking or advertising cookies are used.

We do not sell or share website visitor data with advertising networks. You may disable analytics cookies via your browser settings or a cookie consent banner without affecting your ability to use the website.

11. Member Rights and Requests

As our Members are organizations rather than individual consumers, the following rights apply at the organizational level:

  • Access: Members may request a copy of their organization’s data held by CritAlertResponse, including audit logs for their alerts, by written request to cybersecurity@critalertresponse.org.
  • Correction: Members may update their contact information and configuration data at any time through their account or by contacting support.
  • Deletion: Upon contract termination, Members may request deletion of their organization’s data subject to the retention periods in Section 7 and any applicable legal holds.
  • Portability: Members may request their audit log data in a structured, machine-readable format.
  • Dispute: Members have [30] days to dispute an overage charge or triage decision by submitting a written request with supporting information. Audit logs will be provided to support dispute resolution.

To submit a data request, contact: cybersecurity@critalertresponse.org. We will respond within [30] business days.

12. Children’s Privacy

The SOC-lite Platform and the critalertresponse.org website are not directed to children under the age of 13 and are not intended for use by minors. We do not knowingly collect personal data from children under 13. As noted in Section 9, any student data incidentally received through alert forwarding is handled in accordance with FERPA and is not used for any commercial purpose.

13. Changes to This Policy

CritAlertResponse reserves the right to update this Privacy Policy from time to time. For material changes, we will:

  • Post the updated policy on critalertresponse.org with a new “Last Updated” date
  • Send direct written notice to the designated contact for each active Member organization at least [30] days before the change takes effect

Continued use of the Service after the effective date of a material change constitutes acceptance of the updated policy. If a Member does not agree to a material change, they may terminate their agreement in accordance with their service agreement terms.

15. Contact and Complaints

For privacy questions, data requests, or complaints, contact:

Privacy Officer, CritAlertResponse, Inc.

Email: cybersecurity@critalertresponse.org

We will acknowledge receipt of all privacy inquiries within [5] business days and provide a substantive response within [30] business days. If you believe your privacy rights have been violated and we have not adequately addressed your concern, you may contact your state’s Attorney General office or applicable regulatory authority.

CritAlertResponse, Inc. © [2026]. All rights reserved.