← Back to home

Privacy Policy

Last updated: April 25, 2026

Template — under counsel review. We will publish the final counsel-reviewed version before activating any paid Pilot. Emaildsovan2004@gmail.com with questions or data requests.

1. Who We Are

DefendML is an offensive AI red team testing service operated by Sareth Dustin Sovan trading as DefendML (“DefendML”, “we”). Contact: dsovan2004@gmail.com.

2. What We Collect

We collect three categories of data:

  • Account data — email address, full name, organization name, and authentication identifiers (via Supabase Auth and optionally Google OAuth). Stored in our Supabase database.
  • Test configuration data — AI endpoint URLs you submit, custom headers, environment labels (production/staging/development), and any custom attack objectives you supply.
  • Test result data — adversarial prompts sent to your endpoint, your endpoint's responses, decision labels (blocked / flagged / allowed), latency metrics, and the resulting evidence reports (PDF / CSV / JSON formats).

3. What We Do With It

  • Operate the Service — run scans, generate evidence reports, support customers.
  • Improve our attack library — using anonymized aggregate signal (e.g. category-level success rates). We do not use customer prompts or responses for AI model training.
  • Send transactional email — scan completions, account notifications, recovery links — delivered via Resend (a third-party email service operating under their own privacy terms).
  • Respond to legal process — only when required by law and only after evaluating the request.

4. What We Do NOT Do

  • We do not sell, rent, or barter your data.
  • We do not share your data with other DefendML customers.
  • We do not use your prompts, responses, or evidence reports to train AI models.
  • We do not run advertising trackers, third-party analytics SDKs, or behavior-mining cookies on the application surface.

5. Service Providers (Sub-Processors)

We use the following third-party services to operate DefendML:

  • Supabase — Postgres database, authentication, storage. Hosted in US region.
  • Cloudflare — application hosting (Cloudflare Pages), API workers, edge networking.
  • Resend — transactional email delivery for scan notifications and account recovery.
  • AI inference providers — used to evaluate adversarial responses and generate AI-powered remediation playbooks. Data sent to inference providers is the test prompt and target AI's response, not your account data. We will publish the current provider list on request.

Each sub-processor operates under its own privacy and security terms. We review them annually and require contractual confidentiality commitments where the sub-processor handles Customer Confidential Information.

6. Where Data Is Stored

Account data and test results are stored in Supabase's US region. Cloudflare edge caching may briefly hold static assets in the region nearest your visitors. We do not have a data-residency option outside the US at this time. If you require EU-only or other regional data residency for an Enterprise engagement, contact us before signing.

7. Retention

  • Account data — retained for the life of your account, plus 90 days after deletion for audit-trail continuity.
  • Test result data — retained for the life of your account; you can request earlier deletion.
  • Evidence reports — retained for 90 days post-account-termination, then deleted unless you request earlier removal.
  • Email logs — retained for 30 days for delivery troubleshooting.

8. Your Rights

Subject to applicable law (including GDPR for EU residents and CCPA for California residents), you have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data
  • Object to or restrict processing
  • Receive a portable copy of your data

To exercise these rights, email dsovan2004@gmail.com. We aim to respond within 30 days.

9. Security

We use industry-standard practices including TLS for data in transit, encrypted storage at rest via Supabase, Row Level Security policies on multi-tenant tables, and JWT-based authentication. We test our own AI endpoint via DefendML weekly (dogfooding) to find vulnerabilities before adversaries do.

No security control is perfect. If you discover a vulnerability, email dsovan2004@gmail.com and we will respond within 5 business days.

10. Children

DefendML is a B2B service. We do not knowingly collect data from anyone under 18 and our service is not directed at children.

11. Changes

We may update this Privacy Policy with material changes posted at this URL. Material changes will be communicated to active customers via email at least 30 days before they take effect.

12. Contact

Privacy questions or data requests: dsovan2004@gmail.com