Privacy Policy

How Vullify collects, uses, and protects your information.

Effective Date: April 30, 2026

About this Policy

Vullify is a cloud-based (SaaS) vulnerability management and attack surface management platform (the “Platform”) owned and operated by Oriso Solutions Inc. (“Oriso,” “we,” “us,” or “our”), a company based in Brossard, Quebec, Canada. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website, use the Platform, or otherwise interact with our services (collectively, the “Services”).

As a Quebec-based organization, we comply with the Act respecting the protection of personal information in the private sector (“Law 25”) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Where the EU/UK GDPR or other laws apply, we rely on appropriate legal bases for processing, including performance of a contract, compliance with legal obligations, our legitimate interests, and your consent where required.

Data Collection & Use

Information We Collect

  • Account Information: name, email address, company name, job title, and credentials you provide when creating an account.
  • Billing Information: payment card details and billing address, processed by our third-party payment providers.
  • Scan & Attack Surface Data: target domains, subdomains, IP addresses, URLs, SSL/TLS certificates, exposed services, cloud account metadata, configurations, and vulnerability findings generated by the Platform.
  • Usage Data: log files, device identifiers, browser type, operating system, referring URLs, pages viewed, and interaction timestamps.
  • Communications: content of messages, support requests, and demo inquiries submitted through our forms or via email.
  • Cookies & Similar Technologies: information collected through cookies, pixels, and local storage.

How We Use Information

  • provide, operate, maintain, and improve the Services;
  • authenticate users and secure accounts;
  • process payments and manage subscriptions;
  • deliver scan results, reports, and notifications;
  • respond to requests, provide customer support, and communicate updates;
  • detect, prevent, and address technical issues, fraud, or abuse;
  • comply with legal obligations and enforce our agreements.

Data Retention

We retain personal information for as long as needed to provide the Services, meet our legal and accounting obligations, resolve disputes, and enforce our agreements. Scan data is retained for the duration of your subscription and may be deleted upon account closure in accordance with our data retention schedule.

Data Sharing

As a Quebec-based organization, we comply with Law 25 and PIPEDA. Where the EU/UK GDPR or other laws apply, we rely on: performance of a contract, compliance with legal obligations, our legitimate interests (including securing the Services and informing customers about relevant features), and your consent where required.

How We Share Information

We do not sell personal information. We may share information with:

  • Service Providers that host, maintain, or support our Services under contractual confidentiality obligations;
  • Payment Processors to complete transactions;
  • Professional Advisors such as auditors, legal counsel, and insurers;
  • Authorities when required by law, subpoena, or to protect rights, property, or safety;
  • Business Transfers in connection with a merger, acquisition, financing, or sale of assets.

International Transfers

Oriso is headquartered in Brossard, Quebec, Canada, and our entire infrastructure is located in Canada. Customer data and personal information processed by the Platform are stored and handled in Canadian datacenters. Limited personal information (such as billing details) may be processed by third-party service providers in other jurisdictions; where that occurs, we implement appropriate safeguards such as Standard Contractual Clauses and, in accordance with Law 25, assess the adequacy of protections in the destination jurisdiction before transferring personal information outside Quebec.

Security & AI

Our Infrastructure

Vullify operates on its own dedicated infrastructure. Production workloads and customer data are hosted in datacenters operated by providers that maintain current SOC 2 Type II and PCI DSS certifications. At the datacenter level, physical access, environmental controls, network security, and operational auditing are covered by those third-party certifications.

Our Certification Status

Oriso Solutions Inc., as the operator of Vullify, is ISO/IEC 27001 certified, covering our information security management system. We are also actively pursuing SOC 2 certification and will update this policy once that audit is complete. Our internal controls — access management, encryption, logging, change management, and incident response — are aligned with both the ISO 27001 standard and the trust services criteria used in the SOC 2 framework.

Technical Safeguards

  • Encryption in transit using TLS, and encryption at rest for databases and object storage;
  • Role-based access controls, least-privilege provisioning, and mandatory multi-factor authentication for privileged accounts;
  • Centralized logging, monitoring, and alerting for security-relevant events;
  • Continuous vulnerability management — we use the Vullify Platform to scan our own infrastructure;
  • Formal change-management, peer-reviewed deployments, and staged rollouts to production.

No system is perfectly secure. We cannot guarantee absolute security, but we continuously review and improve our controls.

Use of AI and Large Language Models

Vullify uses artificial intelligence and large language model (“LLM”) technologies, including models that are locally hosted on our own infrastructure and models provided by third parties through APIs. These technologies help power features such as vulnerability analysis, report generation, and product guidance.

We only work with third-party AI and LLM providers that explicitly guarantee customer data is not used for model training. We maintain contractual agreements with those providers to ensure that neither the data you submit nor any content generated by the models is used to train, fine-tune, or otherwise improve their models.

Your Rights

Depending on where you live, you may have the right to:

  • access the personal information we hold about you;
  • request correction or deletion of your information;
  • object to or restrict certain processing;
  • request portability of your information;
  • withdraw consent at any time, without affecting prior processing;
  • lodge a complaint with a data protection authority.

To exercise these rights, contact us at [email protected].

Cookies

We use strictly necessary cookies to operate the Services and, with your consent where required, analytics cookies to understand usage. You can manage cookies through your browser settings.

Children’s Privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children.

Updates & Contact

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date.

Contact Us & Privacy Officer

Pursuant to Law 25, we have designated a person in charge of the protection of personal information. To ask questions about this Privacy Policy, exercise your rights, or submit a complaint, please contact:

Oriso Solutions Inc. (Vullify)

Attn: Privacy Officer

3580 Isabelle Street Suite 200, Brossard, QC, J4Y 2R3

Email: [email protected]