Privacy Policy

Last updated: March 18, 2026

In this document

1. Introduction
2. Information We Collect
3. Legal Basis for Processing (EU/UK)
4. How We Use Your Information
5. Sharing of Information
6. Data Retention
7. Security
8. International Transfers
9. Your Privacy Rights
10. Cookies
11. Children's Privacy
12. Changes to This Policy
13. Contact Us

1. Introduction

Vigil LLC ("Vigil", "we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your rights regarding it. It applies to our website at vigil.com, our software-as-a-service platform, and any other services we operate (collectively, the "Services"). By using our Services you agree to the terms of this Privacy Policy. If you do not agree, please do not access or use our Services.

2. Information We Collect

We collect information in three ways:

• Account & Registration Data — When you create an account, request a demo, or contact us, you provide information such as your name, email address, job title, company name, phone number, and billing details.
• Usage & Log Data — We automatically collect information when you use our Services, including IP addresses, browser type and version, operating system, pages visited, time spent on pages, links clicked, and referring URLs. This data is collected via cookies, web beacons, and server logs.
• Third-Party Integrations — If you connect third-party services (such as your SIEM, ticketing system, or identity provider) to Vigil, we collect the data required to operate those integrations as configured by you.
• Customer Data — Data you or your users upload or input into the Vigil platform (evidence files, control documentation, risk registers, etc.) is processed on your behalf as a data processor. Vigil does not access this data except to provide the Services or as required by law.

4. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Create and manage your account
• Process payments and send billing receipts
• Respond to your inquiries and provide technical support
• Send transactional and operational communications (e.g., password resets, security alerts)
• Send marketing and promotional communications where you have opted in
• Conduct research and analytics to understand how our Services are used
• Monitor for and prevent security incidents, fraud, and abuse
• Comply with legal obligations and enforce our agreements

5. Sharing of Information

We do not sell your personal data. We share your information only in the following limited circumstances:

• Service Providers — We engage trusted third-party vendors to help us deliver the Services (e.g., cloud hosting, payment processing, email delivery, analytics). These vendors are contractually obligated to process data only on our behalf and in accordance with our instructions.
• Business Transfers — If Vigil is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users before their data is subject to a different privacy policy.
• Legal Requirements — We may disclose information if required by law, subpoena, court order, or government authority, or to protect the rights, property, or safety of Vigil, our users, or the public.
• With Your Consent — We may share information in other ways when you have provided explicit consent.

6. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Services. After account termination, we retain data for up to 90 days to allow for reactivation or data export, after which it is permanently deleted or anonymized. Aggregated, anonymized analytics data may be retained indefinitely. Some information may be retained longer if required by law or for legitimate business purposes such as fraud prevention.

7. Security

Vigil is SOC 2 Type II certified. We employ industry-standard safeguards including:

• Encryption at rest using AES-256
• Encryption in transit using TLS 1.3 (TLS 1.0 and 1.1 are disabled)
• Mandatory multi-factor authentication for all employees
• Role-based access controls with quarterly privileged access reviews
• Continuous vulnerability scanning and annual third-party penetration testing
• Security incident response procedures with 72-hour breach notification capability

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We encourage you to use a strong, unique password and to notify us immediately if you suspect unauthorized access to your account.

8. International Transfers

Vigil is headquartered in the United States. If you are accessing our Services from outside the U.S., your information may be transferred to and processed in the U.S. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Data Processing Agreements (DPAs) are available upon request at info@vigilgrc.com.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request correction of inaccurate or incomplete data.
• Deletion — Request deletion of your personal data ("right to be forgotten").
• Portability — Request a machine-readable export of your data.
• Objection — Object to processing based on legitimate interests.
• Restriction — Request restriction of processing in certain circumstances.
• Opt-Out of Sale/Sharing — California residents have the right to opt out of the sale or sharing of personal information (Vigil does not sell personal data).

To exercise any of these rights, submit a request to info@vigilgrc.com. We will respond within 30 days. We may need to verify your identity before fulfilling the request.

10. Cookies

We use cookies and similar tracking technologies to operate and improve our Services. See our Cookie Policy at vigilgrc.com/legal/cookies for full details, including how to manage and opt out of cookies.

11. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly. Contact us at info@vigilgrc.com if you believe we have inadvertently collected such data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or by sending an email to the address associated with your account at least 30 days before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Vigil LLC — Data Privacy
Atlanta, Georgia
info@vigilgrc.com

EU/UK Data Protection Officer: info@vigilgrc.com
