Data Privacy
TIDALBAY is committed to protecting the privacy of your employees' data. This document outlines what data we collect, how we process it, and the controls available to you.
Data We Collect
Employee Data
- Identity: Name, email address, department, job title, manager
- Security events: Authentication logs, phishing simulation results, training records
- Scores: Calculated risk scores and score history
- Device data: Device compliance status (no personal files or content)
Data We Do NOT Collect
- Email content or message bodies
- Personal files or documents
- Browsing history (TidalBay Coach only intercepts on known-bad URLs)
- Biometric data
- Personal social media activity
Data Minimization
TIDALBAY follows the principle of data minimization. We only collect security-relevant event metadata, never the content of communications or personal files.
Data Processing
Employee data is processed for the following purposes:
- Score calculation: Computing and updating security risk scores
- Automated actions: Triggering training, notifications, or access controls
- Reporting: Generating aggregate security posture reports
- Platform improvement: Improving scoring accuracy (anonymized and aggregated only)
Data Residency
| Region | Data Center Location | Availability |
|---|---|---|
| United States | AWS us-east-1 (Virginia) | All plans |
| European Union | AWS eu-west-1 (Ireland) | All plans |
| Asia Pacific | AWS ap-southeast-1 (Singapore) | Enterprise only |
Region Lock
Data residency is selected during tenant provisioning and cannot be changed. All employee data is stored and processed exclusively within the selected region.
Data Retention
- Security events: Configurable (6–36 months, default 12)
- Score history: Retained for the duration of the subscription
- Audit logs: Minimum 24 months (immutable)
- Terminated employees: Data retained for the configured period, then purged
Data Subject Rights
TIDALBAY supports data subject rights as required by GDPR and other privacy regulations:
- Right to access: Employees can view their data via the Employee Portal
- Right to rectification: Incorrect data can be corrected via the admin dashboard or disputes
- Right to erasure: Employee data can be deleted upon request (admin action)
- Right to portability: Employee data can be exported in standard formats
- Right to object: Employees can opt out of certain processing (where applicable)
Sub-Processors
TIDALBAY uses the following sub-processors:
- AWS: Cloud infrastructure and data storage
- Datadog: Application monitoring (no employee PII)
- SendGrid: Transactional email delivery
A complete list of sub-processors is maintained in our Data Processing Agreement (DPA), available upon request.