Dura Cyber, LLC ("Dura Cyber," "we," "us") provides the Fortify cybersecurity automation platform.
Controller vs. Processor
Data-Processing Addendum (DPA). Our standard DPA-incorporating the EU SCCs and UK Addendum-is available at duracyber.tech/dpa and becomes binding when you execute an Order.
This Policy applies to:
It does not govern third-party services that integrate with Fortify; those have their own privacy notices.
| Category | Examples | Source | Purpose (Legal Basis) | Retention |
|---|---|---|---|---|
| Identifiers | Name, business email, phone, company, job title, login credentials | You / Partner | Account creation, authentication, customer support (Contract) | Life of account + 12 mo backups |
| Billing & Commercial Info | Billing contact, address, transaction history, tokenized payment card | You / Payment processor | Invoicing, fraud prevention, tax compliance (Contract / Legal Obligation) | Life of relationship + 7 yrs (tax/audit) |
| Device/Internet Activity | IP, browser, OS, referring URLs, pages/API calls, config metadata | Automated via cookies, logs | Security monitoring, service functionality, analytics (Legitimate Interest / Consent where required) | 12 mo logs; 18 mo security logs |
| Support & Communications | Chat transcripts, emails, and survey responses | You | Resolve issues, improve services (Legitimate Interest) | 24 mo after ticket closure |
| Marketing Preferences | Newsletter opt-in, events, referral info | You / Cookies | Send B2B updates & offers (Consent / Legit. Interest) | Until unsubscribed or 24 mo of inactivity |
We do not intentionally collect "sensitive personal information" (CPRA) such as precise geolocation or health data, nor do we use any personal information to infer characteristics. Therefore, the CPRA *right to limit* does not apply.
We grant you a limited, non-exclusive, non-transferable license to access and use the Service during your paid subscription for your internal business purposes.
Partners may deploy Fortify for Authorized Clients, provided they:
We process personal data to:
Automated Decision-Making: Fortify does not make any decision producing legal or similarly significant effects solely by automated processing.
Legal bases under GDPR/UK GDPR: contract performance; legitimate interests (service improvement, security, B2B marketing); compliance with legal obligations; consent (for non-essential cookies & marketing).
No Sale or Sharing for Advertising. Dura Cyber does not sell personal information for monetary value or share it for cross-context behavioral advertising, and has not done so in the past 12 months.
We disclose personal data only:
In the past 12 months, we disclosed Identifiers, Billing Info, and Device/Internet Activity to Service Providers for business purposes; we have not sold or shared personal information.
We implement commercially reasonable technical and organizational measures-including encryption in transit and at rest and strict access controls-to protect personal data against loss, misuse, or unauthorized access. If we confirm a personal-data breach likely to pose a risk to individuals, we will notify affected customers and regulators without undue delay, and within 72 hours where GDPR requires, with relevant facts and remediation steps.
We retain personal data only as long as necessary for the purposes stated above or as required by law. When retention periods end, we delete or anonymize data securely. Specific periods are shown in the table in Section 3.
Depending on your location, you may have the following rights:
How to submit a request: Email privacy@duracyber.tech to initiate a privacy request. We will verify your identity and respond within 30 days; we may extend once by 30 days and will explain any delay.
Appeals (U.S. states): If we deny your request, you may appeal by emailing privacy@duracyber.tech with "Appeal" in the subject. We will respond within 45 days. If unsatisfied, Colorado residents may contact the Colorado AG; Virginia residents may contact the Virginia OAG.
EU/UK complaints: You may lodge a complaint with your local supervisory authority. Our primary EU authority (until we appoint an Art. 27 representative) is the Dutch Data Protection Authority.
We store and process personal data primarily in the United States. If you access the Service from outside the U.S., you understand and agree that your information may be transferred to, stored, and processed in the United States, where our servers and central database are located.
If we begin servicing customers in jurisdictions that require specific cross-border transfer safeguards (such as the EU/EEA or United Kingdom), we will implement the appropriate legal mechanisms-such as Standard Contractual Clauses or their successors-and update this Policy accordingly.
Our website and Service are not directed to children under 13 and we do not knowingly collect personal data from them. If we learn that we have inadvertently received data from a child under 13, we will delete it promptly. Individuals under 16 should only use Fortify with parental or guardian consent. We do not knowingly sell or share the personal data of anyone under 16.
We may update this Policy from time to time. Material changes become effective 30 days after we notify admin users by email or in app message. The "Last updated" date reflects the most recent revisions. Continued use after the effective date constitutes acceptance.
Questions or concerns?
Dura Cyber, LLC - Privacy Team PO Box 354 Camas, WA 98607, USA Email: privacy@duracyber.techEU/UK residents may also contact the Dutch Data Protection Authority if concerns are not resolved.
Thank you for trusting Dura Cyber with your data.
