Privacy policy

How Defender IT Consulting handles the information you share with us through this assessment.

Last updated: 2026-05-28

This privacy policy explains how Defender IT Consulting ("Defender IT", "we", "our") collects, uses, and protects the information you provide when using the NIST CSF 2.0 self-assessment tool at nist-csf.com.

What we collect

When you take the assessment, we collect:

  • Contact details you submit: first name, last name, work email, company name, employee count band.
  • Assessment responses: your answers to the 10 multiple-choice questions about your cybersecurity posture.
  • Computed results: the maturity score derived from your responses and the supplier categories matched to your gap areas.
  • Basic technical data: IP address, browser type, and timestamp, captured automatically when you load a page on nist-csf.com. We use this for fraud prevention and to keep the site running.

We do not collect, and never ask for: passwords, payment information, social security numbers, government identifiers, health information, or other sensitive personal data.

How we use it

  • To generate your assessment report. Your responses feed directly into the scoring engine. The report you see is computed from the data you provide.
  • To match suppliers to your gaps. We compare your gap areas to Defender's supplier network and surface relevant matches.
  • To follow up. If you opt into the complimentary review with our team, we will email you to schedule, send a summary of your report, and discuss next steps.
  • To improve the assessment. We review aggregated, anonymized response patterns to refine the questions and scoring over time.

We do not sell your data. We do not share it with third parties for marketing purposes. We do not use it to train AI models outside the assessment system itself.

Where it lives

  • HubSpot CRM (US data centers): your contact details and assessment results are stored as a Contact record in our HubSpot instance. HubSpot is SOC 2 Type II audited.
  • Defender IT internal systems: assessment results may be referenced by our consulting team during follow-up engagements.
  • Operational logs: we keep server logs for 30 days for security and operational purposes.

We do not transfer your data outside the United States.

How long we keep it

  • Active prospects: as long as we're actively working together or you've opted into future communications.
  • Inactive contacts: purged from HubSpot after 24 months of no engagement.
  • Server logs: 30 days.

You can request faster deletion at any time using the contact details below.

Your rights

If you are in the United States, you can:

  • Ask what data we have about you (we'll send you the contact record).
  • Ask us to correct anything that's wrong.
  • Ask us to delete your data entirely.
  • Opt out of follow-up emails (every email we send includes an unsubscribe link).

If you are in the European Union, the United Kingdom, or California, additional rights may apply under GDPR or CCPA. We honor all such requests on the same terms as above.

How to reach us

Send any privacy-related question or request to:

Defender IT Consulting
alana@defenderit.consulting

We respond to verified requests within 30 days.

Updates to this policy

We may update this policy as the assessment evolves or as laws change. The "last updated" date at the top will reflect any changes. Material changes will be communicated by email to active prospects.

What this tool is not

This assessment is a self-reported scorecard, informational only. It is not a certified NIST audit, and Defender IT Consulting is not a certified NIST auditor. Results should not be used to make compliance claims to insurance carriers, regulators, or auditors.

© 2026 Defender IT Consulting. All rights reserved.
Alana Haney, CMMC RP