Privacy Policy
Effective Date: July 1, 2024
Introduction
HoundDog.ai Inc. is a software company operating in the data security and privacy space. We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes HoundDog.ai’s policies and practices regarding its collection and use of your personal data and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility and so we will update this Privacy Notice from time to time as we undertake new personal data practices or adopt new privacy policies.
Use of the HoundDog.ai Website (https://hounddog.ai)
HoundDog.ai collects personal information about website visitors and customers when they complete web forms like Start Free, Contact Us, and Book a Live Demo. This information includes:
- Name
- Employer Name
- Work Email
We use this data to provide services to prospects and customers. We do not sell personal information and only share it with third parties who facilitate our services.
Occasionally, we receive personal information from third parties, including details about your employer or industry, and may collect your data from third-party websites (e.g., LinkedIn).
Collected personal information is stored in databases hosted by third parties in the United States, used only for cloud storage and retrieval. We may engage third parties to send information about our products, services, and events.
Our third-party sub-processors include:
- HubSpot – see HubSpot Privacy Policy
We do not share your personal data with non-HoundDog.ai entities unless: (1) you request or authorize it; (2) it’s for HoundDog.ai-hosted/co-sponsored events; (3) required by law; (4) to enforce agreements or protect rights; (5) for emergencies or acts of God; (6) to resolve disputes or for authorized persons. We may also share aggregated, non-personally identifiable data with partners and service providers for marketing or promotional purposes.
Use of the HoundDog.ai Cloud Platform (https://app.hounddog.ai/)
The cloud-hosted platform provides customers with on-demand access to findings and reports related to PII leaks and sensitive data flows across the codebases for which the scanner is activated as part of a continuous integration (CI) workflow.
The cloud platform processes minimal personal data for the employees who need access to this platform to triage and address discovered issues and generate Records of Processing Activities or other types of privacy-related reports. This information is restricted to:
- Name
- IP Address
- Profile Picture (which is optional)
The platform does not process any other type of sensitive information for the employees who access the platform. This personal data is collected and stored any time there is a new employee who needs access to the platform. This information is collected to provide the required services to the data subjects and is retained for as long as the user exists on the platform.
The company supports data subject access requests and the ability to provide customer data about a data subject in a readable and easily transferable format when required. The company can permanently delete/erase an individual’s information if the customer receives a request from the individual for removal. Individuals can log into the platform using enterprise single sign-on (SSO) – including Google Workspace, Microsoft Entra Single Sign-On (SSO), Microsoft Azure AD, Okta, and others. The company uses a third party (PropelAuth) for user management (registration & login), authentication, and authorization. User first name, last name, email, and profile photo (optional) are sent to PropelAuth – see PropelAuth’s privacy notice for reference.
The cloud platform has no access to the customers’ source code. The HoundDog.ai scanner, which is available as a Docker container and will be available in other types of Linux packages in the future, can run either locally or as part of a continuous integration (CI) workflow. By default, the output of the scanner is stored locally in supported formats such as markdown, JSON, or SARIF. However, if the HOUNDDOG_API_KEY is used as part of the scanner command, the output will be sent to the cloud platform unless explicitly disabled using the --no-upload-scan-results flag.
The output of the scanner includes a vulnerability report listing all instances within a codebase where PII data is leaking in mediums such as logs, files, cookies, tokens, or third-party systems, as well as a sensitive data flow report listing all detected sensitive data elements and the associated code segments where PII data is collected, processed, or stored. Only the scanner output, which includes a minimal subset of tokens (e.g., variable names, class names, function names) and code segments from customers’ source code repositories, is sent to the HoundDog.ai Cloud Platform for analysis. Full source code is NEVER sent.
Downstream Systems
As for the downstream systems where customer data is sent for additional processing, these include:
- AWS: This is our cloud hosting service where data is securely stored and encrypted.
- PropelAuth: This is used for user management (registration & login), authentication, and authorization.
Transferring Personal Data to the U.S.
HoundDog.ai has its headquarters in the United States. Information we collect about you will be processed in the United States. By using HoundDog.ai’s services, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, HoundDog.ai is providing for appropriate safeguards by entering binding standard data protection clauses enforceable by data subjects in the EEA and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.
Depending on the circumstance, HoundDog.ai also collects and transfers to the U.S. personal data with consent; to perform a contract with you; or to fulfill a compelling legitimate interest of HoundDog.ai in a manner that does not outweigh your rights and freedoms. HoundDog.ai endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with HoundDog.ai and the practices described in this Privacy Statement. HoundDog.ai also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate. Since it was founded, HoundDog.ai has received zero government requests for information. For more information or if you have any questions, please contact us at [email protected].
Data Subject Rights
The European Union’s General Data Protection Regulation (GDPR) and other countries’ privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right of data portability
- Right to object
- Rights related to automated decision making, including profiling
This Privacy Notice is intended to provide you with information about what personal data HoundDog.ai collects about you and how it is used. If you wish to confirm that HoundDog.ai is processing your personal data or to have access to the personal data HoundDog.ai may have about you, please contact us.
You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside HoundDog.ai might have received the data from HoundDog.ai; what the source of the information was (if you didn’t provide it directly to HoundDog.ai); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by HoundDog.ai if it is inaccurate. You may request that HoundDog.ai erase that data or cease processing it, subject to certain exceptions. You may also request that HoundDog.ai cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how HoundDog.ai processes your personal data. When technically feasible, HoundDog.ai will—at your request—provide your personal data to you.
Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, HoundDog.ai will provide you with a date when the information will be provided. If for some reason access is denied, HoundDog.ai will provide an explanation as to why access has been denied. For questions or complaints concerning the processing of your personal data, you can email us at [email protected]. Alternatively, if you are located in the European Union, you can also have recourse to the European Data Protection Supervisor or to your nation’s data protection authority.
Security Certifications and Measures in Place
The company achieved SOC-2 Type 2 certification – see Trust Center for details. Examples of security and organizational measures include:
- ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing
- enforcing multi-factor authentication (MFA) for all remote access environments, including email systems
- user identification and authorization
- protecting data during transmission and storage
- encrypting personal data
- conducting regular penetration testing
- applying a vulnerability and patch management program that includes procedures for patching systems, applications, and devices regularly and as needed
- ensuring event logging
- ensuring that system configurations are deployed consistently throughout the environment
- internal IT and IT security governance and management
- conducting access reviews at least quarterly for in-scope system components
- enforcing a vendor management program that includes vendor security and privacy requirements and reviewing critical third-party vendors at least annually
- ensuring data minimization
- ensuring accountability
- allowing data portability and ensuring erasure
Questions, Concerns, or Complaints
If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at [email protected].