Privacy

Last updated: May 2026.

DIBGuard is software for small defense manufacturers preparing for CMMC Level 2 assessments. This page describes what we collect on dibguard.com, why, and how to remove it.

What we collect

When you submit an email address through a form on this site, we record:

  • The email address you submit
  • A consent timestamp
  • A source tag identifying which form you used (e.g., hero CTA, footer)
  • Your browser user-agent string
  • The page that referred you (HTTP referrer)
  • A one-way SHA-256 hash of your IP address combined with a server-side salt. We do not store your raw IP.

If you download the worksheet without submitting an email, we do not collect any personal data on this site.

Why we collect it

To send you DIBGuard Foundation early-access updates and to detect form abuse.

Where it goes

Submissions are stored in a Supabase Postgres database under DIBGuard's control. Confirmation emails are sent via Resend. We do not sell, rent, or share your email with third parties.

Unsubscribe and deletion

Every email DIBGuard sends includes an unsubscribe link or a clear deletion/contact path. You can opt out at any time. To request deletion of your record, email hello@dibguard.com.

Cookies

dibguard.com uses Vercel Web Analytics, which records anonymous, aggregated page-view data without persistent cookies. We do not run third-party advertising trackers on this site at this time.

CUI and Security Protection Data

DIBGuard Foundation is designed and operated to prevent Controlled Unclassified Information (CUI) and Security Protection Data (SPD) as defined in 32 CFR §170.4 from entering DIBGuard-controlled cloud systems. The Foundation product app collects only categorical, non-SPD scoping facts (asset categories, role functions, process cadences, abstract flow descriptions). Generated SSP starter content includes {{SPD:...}} local-fill placeholders for any element that would reproduce vendor names, configurations, IP addresses, MFA factor types, encryption modules, scan results, or other SPD-bearing details. Customers complete those placeholders in their own authorized environment, outside DIBGuard.

Cloud paths covered by this design: the application database, LLM prompts and completions, application logs, analytics events, support email, lead capture, crash and error reports, backups, audit logs, and any document or export that returns to DIBGuard's cloud after a customer has worked on it. The Foundation web app does not provide fields for entering SPD content, not even client-side-only fields.

Intentional submission is blocked. Accidental submission is handled through a documented rejection, deletion, and incident-review workflow: detection within 24 hours, purge from live systems, customer notification within 72 hours, and a written postmortem. Material aggregate patterns of incidents will be summarized here once they exist; as of this writing, no such patterns have been recorded.

ESP determination is the OSA's call per 32 CFR §170.19(c)(2). DIBGuard's claim is about the architecture, not the conclusion: bring this page to your Registered Practitioner, MSP, or assessor for their independent read.

Working V1 notice. This privacy notice is a working V1. A lawyer-reviewed version will replace it before the paid product launches. Questions or concerns: hello@dibguard.com.

See also: Terms.