Privacy Policy

Last updated: 2026-05-11  ·  ← back to home

This Policy describes what Viridis North LLC collects, how we use it, and your rights. It applies to the Viridis MCP services at mcp.viridis-security.com.

1. What we collect

• Account data: email, tier, API keys (stored as SHA-256 hashes), Stripe customer ID, billing address (via Stripe).
• API usage: per-request metadata (timestamp, endpoint, tier, cost) for billing and rate-limiting. Stored 90 days.
• Detection inputs: the input field of /v1/injection/detect calls is processed in-memory and not persisted by default. Optional reasoning traces (referenced by explainabilityToken) are retained 30 days for audit access.
• Canon registrations: envelope specs, agent IDs, and customer-defined patterns retained for account lifetime.
• Server logs: standard HTTP access logs (IP, user-agent, request path) retained 30 days for security and operations.

2. What we do not collect

We do not collect, store, or analyze the bodies of API responses you return to your end-users. We do not track end-users of your AI agent. We do not sell or share your data with third parties for advertising or marketing.

3. How we use it

• To provide the Service (authenticate keys, route requests, enforce quotas).
• To bill you accurately via Stripe.
• To improve the canon (aggregated, anonymized pattern statistics; no individual customer inputs are used).
• To detect and respond to abuse of the Service.

4. Subprocessors

We use the following subprocessors to operate the Service:

• DigitalOcean (United States) — compute, database, object storage.
• Stripe, Inc. (United States) — payment processing, subscription billing.
• ZeroSSL / Let's Encrypt — TLS certificate issuance.

Each subprocessor has its own privacy practices; we maintain Data Processing Agreements where applicable.

5. Data location

Customer data is stored in the United States (DigitalOcean NYC1 region). Stripe payment data is processed per Stripe's Privacy Policy. We do not transfer customer data outside the US.

6. Security

We employ industry-standard controls: HTTPS everywhere, API keys stored as SHA-256 hashes, encrypted-at-rest databases, restricted access to production credentials, and Stripe-grade signature verification on inbound webhooks. We do not have SOC 2 attestation yet; Enterprise customers may request a security questionnaire response.

7. Your rights

You may request access to, correction of, or deletion of your account data at any time by emailing privacy@viridis-security.com. We respond within 30 days. EU/UK/CA residents have additional rights under GDPR / UK-GDPR / PIPEDA respectively.

8. Children

The Service is not intended for users under 18; we do not knowingly collect data from children.

9. Changes

Material changes will be announced via email and reflected in the "Last updated" date.

Contact

Viridis North LLC · 1721 South Hill Road, Moretown, VT 05660, USA · privacy@viridis-security.com