Privacy Policy
Effective date: 2026-05-27
Last updated: 2026-05-27
This Privacy Policy describes how Standard Forensics, Inc. ("Standard Forensics," "we," "us," or "our") collects, uses, and discloses information when you use our website at standardforensics.com (the "Site"), our Cloud Service (the "Service"), or otherwise interact with us.
Standard Forensics provides an AI-assisted forensic data analytics platform used by forensic accounting firms, law firms, and corporate investigations teams (our "Customers") to analyze financial records and related materials for forensic accounting and financial investigation purposes.
This Policy is divided into two parts:
- Part A addresses information we collect directly from individuals who visit our Site, sign up for the Service, or otherwise interact with us. In these contexts, Standard Forensics is the controller of personal data.
- Part B addresses information our Customers upload to the Service for analysis. Our Customers control this data; we process it on their instructions as their processor. The terms governing this processing are set forth in the Cloud Service Agreement and the Data Processing Agreement signed with each Customer, not in this Policy.
Part A — Information we collect about you directly
1. Information we collect
Account information. When you or your organization signs up for the Service, we collect your name, email address, organization affiliation, password (stored as a one-way hash), and the authentication tokens issued by our authentication provider.
Communications. When you contact us at support@standardforensics.com, legal@standardforensics.com, notices@standardforensics.com, security@standardforensics.com, or any other Standard Forensics email address, we collect the content of your communications and any information you choose to share with us.
Usage information. When you use the Service, we automatically collect information about your activity, including:
- Pages visited within the Service, including engagement and workspace identifiers
- Actions taken within the Service (e.g., creating engagements, running analyses, reviewing findings)
- Authentication events (sign-ins, sign-outs, MFA enrollment)
- Source IP address, user agent, and timestamps associated with these actions
- Approximate session duration and request volume
We retain this information in a structured audit log as a forensic-defensibility feature of the Service.
Site and Service analytics. We use Vercel Web Analytics on the public Site and the Service to understand traffic patterns, page usage, and product navigation. Vercel Web Analytics is a privacy-focused analytics product that uses aggregated data and does not use cookies. We do not use Google Analytics, advertising trackers, or third-party marketing pixels.
Cookies and similar technologies. The Service uses strictly necessary cookies for authentication and session management — these enable you to remain signed in and authenticated as you navigate the Service. We do not use advertising, tracking, or analytics cookies. Strictly necessary cookies are exempt from consent requirements under EU/UK ePrivacy rules and the California Consumer Privacy Act, but we describe them here so you understand what the Service uses.
We do not collect payment card numbers, government-issued identifiers (other than as Customers may upload data subject to Part B), health information about Site visitors, biometric data, or precise location data.
2. How we use information
We use the information described above to:
- Provide, maintain, and improve the Service and the Site
- Authenticate you and protect against unauthorized access
- Communicate with you about your account, the Service, and our security practices
- Detect, investigate, and prevent fraud, abuse, and security incidents
- Comply with legal obligations and respond to lawful requests
- Maintain the structured audit log that is core to the Service's forensic-defensibility properties
We do not use information collected under Part A to train artificial intelligence or machine learning models, to inform advertising, or to sell to third parties.
3. How we share information
We share information described in Part A only as follows:
Subprocessors. We use a small set of subprocessors to operate the Service. Each subprocessor is contractually obligated to process personal data only on our instructions, to maintain appropriate security measures, and to comply with applicable data protection laws. Our current subprocessor list is published at standardforensics.com/subprocessors. We provide advance notice of subprocessor changes to Customers in accordance with the change-notification process described on that list.
Legal compliance. We may disclose information if we believe in good faith that disclosure is required by law, legal process, or to protect the rights, property, or safety of Standard Forensics, our Customers, or others. If we receive a subpoena, court order, or other legal process targeting Customer Content uploaded to the Service, we will notify the affected Customer before responding, except where we are legally prohibited from doing so or where prompt response is necessary to protect against imminent harm. The notified Customer may seek a protective order or otherwise object to the legal process at its own cost.
Business transfers. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections and continued application of this Policy or a successor policy.
We do not sell personal data, share personal data with third parties for advertising purposes, or disclose personal data to data brokers.
4. Security
We maintain a written information security program with administrative, technical, and physical safeguards designed to protect personal data from unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption of data in transit and at rest, role-based access controls, multi-factor authentication for authorized users, comprehensive audit logging, network-isolated execution of customer-data analytical code, and documented incident response procedures.
Additional detail on our security architecture is available upon written request to security@standardforensics.com, subject to confidentiality protections.
5. Data retention
We retain account information for the duration of your relationship with Standard Forensics and for a reasonable period thereafter, subject to applicable legal retention obligations.
We retain audit log entries for seven years to support the forensic defensibility of the Service. Audit log entries describe platform actions (authentication events, tool executions, finding creation, and similar events) and reference identifiers (user IDs, engagement IDs, source IP addresses, user agents, action timestamps). Audit and workflow records do not store raw uploaded source files or DuckDB table files, but they may contain Customer-derived metadata, file names, finding text, document citation quotes, query or script result previews, and similar snippets needed to make the analytical record reviewable and defensible.
The seven-year retention period reflects the contractual obligations Standard Forensics undertakes to Customers under their Cloud Service Agreements, which require Provider to maintain a defensible record of platform actions for the duration of legal-hold and post-engagement-review windows applicable to forensic work. For data subjects in the European Economic Area or the United Kingdom, this processing is performed in reliance on GDPR Article 6(1)(c) (compliance with a legal obligation arising under the Agreement) and Article 6(1)(f) (legitimate interest in forensic defensibility, balanced against data subjects' rights given the regulated nature of the work and the limited categories of personal data retained).
Engagement-data destruction described in Part B applies to Customer-uploaded analytical materials and does not require deletion of audit log entries.
We retain Vercel Web Analytics data only in aggregated form.
6. Your rights
Depending on where you reside, you may have rights with respect to your personal data, including:
- The right to access the personal data we hold about you
- The right to correct inaccurate personal data
- The right to delete personal data (subject to retention obligations described above)
- The right to object to certain processing or to restrict processing
- The right to portability of your personal data in a structured, machine-readable format
- The right to withdraw consent where processing is based on consent
- The right to lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at legal@standardforensics.com. We will respond within the timeframe required by applicable law, generally within 30 days.
If you are a user of the Service authorized by a Customer (e.g., an analyst employed by a forensic firm), some of these rights may be most directly exercised through your organization's administrator. We will assist you and your organization in fulfilling data subject requests as required by applicable law.
7. California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA") provide you with specific rights.
In the past 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email, IP address | Yes |
| Customer records | Name, contact information | Yes |
| Commercial information | Service-usage history | Yes |
| Internet activity | Browsing within the Service, login events | Yes |
| Geolocation | Approximate location from IP address | Yes |
| Professional or employment information | Organization affiliation | Yes |
| Sensitive personal information | Account log-in credentials (used solely to authenticate users to the Service) | Yes |
We do not collect biometric information, health information, racial or ethnic origin, religious beliefs, philosophical beliefs, union membership, sexual orientation, or genetic data about Site visitors or Service users in Part A.
Use of sensitive personal information. We collect account log-in credentials solely for the purposes permitted under Cal. Civ. Code § 1798.121(a)(1) — to authenticate users to the Service and to detect, prevent, and respond to security incidents and fraud. We do not use or disclose sensitive personal information for purposes other than these. Accordingly, the CPRA "right to limit use of sensitive personal information" does not change our processing.
We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. We have not done so in the preceding 12 months.
California residents have the right to:
- Know what personal information we have collected and how we use it
- Request deletion of personal information
- Correct inaccurate personal information
- Limit the use of sensitive personal information
- Opt out of any sale or sharing of personal information for cross-context behavioral advertising (we do not engage in these activities)
- Non-discrimination for exercising privacy rights
To exercise any of these rights, contact us at legal@standardforensics.com. You may also authorize an agent to make a request on your behalf, in accordance with CCPA regulations.
8. EU and UK residents (GDPR and UK GDPR)
If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation ("GDPR") and the UK GDPR provide you with specific rights.
Legal bases for processing. We rely on the following legal bases:
- Contract performance: to provide the Service to Customers and authenticated users
- Legitimate interests: to maintain security, prevent fraud, and improve the Service
- Legal obligation: to comply with applicable laws
- Consent: where required and where you have given consent
International transfers. Our infrastructure is located in the United States (us-east-1). Where we transfer personal data from the EEA or the UK to the United States, we rely on the Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum, supplemented by the technical and organizational measures described in Annex II of our Data Processing Agreement.
Your rights. EU and UK residents have all rights described in Section 6 above, including the right to lodge a complaint with a supervisory authority. Because Standard Forensics is established in the United States and does not have a "main establishment" in the EEA or the UK, no single lead supervisory authority is designated for our processing. EEA data subjects may lodge complaints with the supervisory authority of their habitual residence, place of work, or place of the alleged infringement. UK data subjects may lodge complaints with the Information Commissioner's Office (ICO).
9. Children's privacy
The Service is intended for use by professionals in forensic accounting, legal, and corporate investigations contexts. It is not directed to children. We do not knowingly collect personal information from children under 13 (the U.S. COPPA threshold). For data subjects in the European Economic Area or the United Kingdom, the applicable age threshold under the GDPR / UK GDPR is the higher of 13 or the threshold established by the relevant Member State (which ranges from 13 to 16). If you believe we have collected information from a child below the applicable threshold, please contact us at legal@standardforensics.com and we will delete it.
10. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date and, where appropriate, by providing prominent notice on the Site or by direct communication to your registered email address. Your continued use of the Service after a change takes effect constitutes your acceptance of the updated Policy.
11. Contact
Privacy questions, requests to exercise your rights, or complaints:
legal@standardforensics.com
Part B — Customer-uploaded data
When our Customers use the Service, they upload financial records, communications, and other materials for forensic analysis. This Customer-uploaded data may contain personal data about individuals other than our direct users (e.g., employees, vendors, counterparties, or subjects of an investigation).
Our Customers control this data. We process Customer-uploaded data only on our Customers' documented instructions, in accordance with the Cloud Service Agreement and the Data Processing Agreement signed with each Customer.
Important commitments we make to all Customers, contractually:
- We do not train AI or ML models on Customer-uploaded data, Customer-generated analytical outputs, or Customer methodology. This commitment is set forth in our AI Addendum and applies to our subprocessors, including our AI inference provider (Amazon Bedrock).
- We do not aggregate Customer-uploaded data, methodology, or analytical outputs across Customers to improve the Service for other Customers.
- We isolate Customer data at the database level (row-level security tied to organization-scoped authentication tokens) and at the execution level (analytical code runs in a network-isolated sandbox with no credentials).
- We retain Customer-uploaded data only for the duration of the Customer's engagement. Upon engagement closure or termination of the Service, and at the Customer's instruction, we destroy Customer-uploaded data via cascade-deletion across our systems, with a signed destruction record retained in the audit log.
If you are an individual whose personal data appears in materials uploaded to the Service by one of our Customers, please contact that Customer directly to exercise your data subject rights — they are the controller of that data. We will assist our Customers in responding to your request as required by applicable law and by our Data Processing Agreement with them. You can also contact us at legal@standardforensics.com and we will route your request to the appropriate Customer.
Definitions
- "Customer" means an organization that has executed an agreement with Standard Forensics to use the Service.
- "Service" means the Standard Forensics Cloud Service accessed at app.standardforensics.com (or successor URL).
- "Site" means the public marketing website at standardforensics.com.
- "Personal data" and "personal information" have the meanings given in applicable data protection laws (GDPR, CCPA, CPRA, etc.).