Privacy Notice

This notice explains how Altius IT, Inc. ("Altius IT," "we," "us") collects, uses, stores, and shares information when you use the secure client portal at portal.altiusit.com (the "Portal"). The Portal is a separate service from our marketing website at altiusit.com; the privacy policy on that site addresses general visitor data and is incorporated here by reference where the practices overlap.

This Portal is the receiving and delivery channel for Altius IT engagements: security audits, red team assessments, and compliance audits. Material processed here often includes sensitive technical and security information about your organization. We treat it accordingly.

1. Data Controller & Contact

Altius IT, Inc. acts as the data controller for personal data processed through the Portal.

For privacy questions, data-subject requests, or breach notifications, use the email address above.

2. Information We Collect

While you use the Portal, we collect:

• Account identity: name, email address, and the organization you belong to. Provided by you (or by an Altius IT administrator who invited you) and stored in our authentication provider, Clerk.
• Authentication data: session tokens, password hashes (if you sign in with a password), and multi-factor authentication metadata. Managed by Clerk; we do not see your plaintext password.
• Files you upload: any document, screenshot, configuration export, attestation, or other artifact you provide through the Portal, plus reports we publish to you.
• Engagement data: findings, vulnerability descriptions, recommended solutions, and any comments you add to a finding.
• Audit log: for every upload, download, deletion, and similar action we record the actor, action type, target file or engagement, timestamp, IP address, and user-agent string. The audit log is forensic; it survives the deletion of the underlying file or the offboarding of the actor.
• Email metadata: when the Portal sends a notification (file activity, comment, report ready), the recipient address and delivery status are processed by our email provider, Resend.

3. How We Use the Information

• To provide the Portal: authentication, file storage, engagement tracking, notifications.
• To meet professional and contractual obligations as your auditor.
• To maintain a forensic record of who accessed what and when. This is a core purpose of an audit firm's portal and is not optional.
• To detect, investigate, and respond to security incidents or unauthorized access.
• To comply with legal, regulatory, and professional standards applicable to information systems auditors.

We do not use Portal content for marketing, do not sell it, and do not share it with parties outside the engagement except as required by law or as expressly authorized by you.

4. Sub-processors

The Portal relies on the following third-party processors:

Sub-processors are bound by contractual data protection terms with Altius IT. We review their security posture periodically. Material changes to this list will be reflected in this notice.

5. Encryption & Security

• All Portal traffic is served over HTTPS (TLS 1.2 or higher).
• Files at rest in Vercel Blob and database content in Neon Postgres are encrypted by the providers.
• Access to your scope is authenticated on every request; revoking access in our authentication provider takes effect immediately.
• File URLs are proxied through the Portal so the underlying storage URLs are never exposed to the browser.
• Internal access to a client scope by Altius IT staff is limited to personnel assigned to your engagement plus authorized administrators, and every such access is recorded in the audit log.

6. Retention

Audit log entries are retained indefinitely. The forensic record of who uploaded, downloaded, deleted, or otherwise interacted with your engagement persists even after a file is removed or a user account is deleted. This retention is appropriate for a security-audit firm and is unlikely to change without notice.

Files remain in the Portal for the duration of the engagement and a reasonable retention period thereafter, unless you request earlier deletion. Engagement metadata (findings, reports published, comments) is retained alongside the audit log.

Account information is retained while your account is active and for a period thereafter to support audit-trail integrity, then anonymized or deleted on request subject to legal and professional retention obligations.

7. Your Rights

Depending on where you reside, you may have rights to access, correct, delete, or export your personal data, or to object to or restrict certain processing. To exercise any of these rights, contact info@altiusit.com. We will respond within the time frame required by applicable law.

Note that audit-log entries are retained for forensic and regulatory purposes; deletion of those entries is generally not possible without compromising the integrity of the audit record.

8. Cookies

The Portal uses strictly necessary cookies to keep you signed in and to enforce security controls (CSRF, session continuity). These cookies are essential to the service and cannot be disabled without rendering the Portal unusable. We do not use marketing, advertising, or analytics cookies on the Portal.

9. International Transfers

Our infrastructure providers may process data in regions including the United States. Where applicable, transfers are governed by appropriate safeguards in our contracts with those providers (e.g., Standard Contractual Clauses).

10. Breach Notification

In the event of a security incident affecting your data, we will notify the affected scope's primary contact without undue delay and in any case within the time frame required by applicable law, identifying the nature of the incident, the data involved (to the extent known), and the steps we are taking in response.

11. Changes to This Notice

We may update this notice from time to time. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated to active Portal users by email.

12. Contact