Privacy Policy

Last updated:

This Privacy Policy explains how Sudory collects, uses, and shares information, and the choices you have in relation to that information. Sudory is the joint product of Luit Italianer (Noordwijk, Netherlands) and Aleksej Dix (Männedorf, Switzerland). Customer contracts and data-controller obligations are handled through Italianer Consultancy (eenmanszaak, Luit Italianer), KVK 72768924, registered in Noordwijk, Netherlands.

1. Scope

This Privacy Policy applies to:

  • Sudory's products and services, including any web, mobile, and desktop applications (collectively, the "Services");
  • Sudory's websites, including sudory.com and related pages (collectively, the "Websites"); and
  • other interactions you may have with Sudory, including demo requests, customer support, events, webinars, and sales conversations.

If you do not agree with this Privacy Policy, do not use the Services or Websites.

This Privacy Policy does not apply to third-party applications or services that integrate with the Services ("Third-Party Services"). Your use of Third-Party Services is governed by their own terms and privacy policies.

2. Who we are and how to contact us

Controller (for "Other Information", defined below): Italianer Consultancy (eenmanszaak, Luit Italianer), KVK 72768924, registered in Noordwijk, Netherlands.

Privacy contact: privacy@sudory.com
Support: support@sudory.com
Legal notices: legal@sudory.com

Sudory has not appointed a Data Protection Officer. If that changes, we will publish the contact here.

3. Controller vs. Processor (two-party model)

Data protection law distinguishes between a controller (who determines why and how personal data is processed) and a processor (who processes personal data on behalf of a controller).

3.1 When Sudory is the processor (Service Data)

When a company (our "Customer") uses the Services, that Customer controls its instance or workspace and the data submitted or made available through the Services ("Service Data"). In that case:

  • Customer is the controller of Service Data; and
  • Sudory is the processor of Service Data.

Our processing of Service Data is governed by the agreement with the Customer (for example a master agreement or order form) and the Data Processing Addendum ("DPA"), available on request by email to legal@sudory.com.

If you are an employee, contractor, or user of a Customer and you want to exercise rights regarding Service Data, you should contact the Customer (your employer or the organization that gave you access). Sudory supports Customers in responding to requests as required by the DPA and applicable law.

3.2 When Sudory is the controller (Other Information)

Sudory is the controller for information we process for our own business operations ("Other Information"), such as:

  • website visitor data (logs, where applicable),
  • sales and marketing data (demo requests, contact details),
  • account administration and billing contacts,
  • security and fraud-prevention logs for our own systems, and
  • communications with you (support, email, events).

Service Data and Other Information together are "Information".

4. What we collect (categories)

We collect Information in the following ways:

4.1 Service Data (processor role)

Customers and their authorized users may submit Service Data when using the Services. Depending on how the Customer configures the Services, Service Data may include:

  • user identifiers (name, email, role, group),
  • evidence records (policies, tickets, logs, screenshots, exports),
  • access and permission metadata (OAuth scopes, IAM attributes),
  • security and compliance posture signals, and
  • system inventory information (apps, vendors, resources) linked to identities and access.

4.2 Account and contact information (controller role)

When you or a Customer creates or administers an account, we may collect:

  • name, business email, phone (optional),
  • company name, domain, role or title,
  • login details (for example password hash, SSO identifiers where applicable),
  • administrative workspace settings and user management data.

4.3 Billing and transaction information (controller role)

If a Customer purchases paid Services, Sudory or its payment providers process billing details such as:

  • billing contact details,
  • invoice address and VAT details,
  • payment status and transaction metadata.

Sudory does not store full payment card details. Where payment processors are used, they handle card data directly.

4.4 Usage, metadata, and logs

When you use the Websites or Services, Sudory may generate or receive:

  • product usage events (feature usage, clicks, page views within the app),
  • services metadata (for example which integrations are connected, sync status),
  • audit logs (admin actions, permissions changes),
  • diagnostic logs (errors, crash reports),
  • server logs including IP address, timestamps, user agent, and referrer URLs.

4.5 Device and approximate location information

Sudory may collect information about the device and approximate location, such as:

  • device type, operating system, browser settings,
  • unique device identifiers (where applicable),
  • approximate location inferred from IP address or business address provided by the Customer.

4.6 Cookies and similar technologies

Sudory uses strictly necessary cookies for authentication and session management. Sudory uses privacy-friendly, cookie-less analytics (Umami) for aggregate website usage, which does not identify individual visitors. Sudory does not use third-party advertising cookies.

4.7 Third-Party Services (integrations)

A Customer may connect Third-Party Services. When enabled, the Third-Party Service provider may share certain information with Sudory (for example usernames, emails, group membership, ticket metadata), depending on permissions granted by the Customer. Sudory does not receive or store Third-Party Service passwords when connecting integrations.

4.8 Additional information you provide

Sudory receives additional information when you:

  • request a demo or submit a form,
  • contact support,
  • attend an event or webinar,
  • participate in research, feedback sessions, or beta programs,
  • apply for a job (if applicable).

4.9 Information from third parties (controller role)

Sudory may receive business contact data and campaign performance data from partners, affiliates, or providers (for example CRM enrichment, event platforms), and combine it with Information we collect.

5. How we use Information

5.1 Service Data (processor role)

Sudory uses Service Data only:

  • to provide and operate the Services as instructed by the Customer,
  • to secure and maintain the Services (for example troubleshooting, integrity),
  • to provide support at the Customer's request, and
  • as required by applicable law.

5.2 Other Information (controller role)

Sudory uses Other Information for its legitimate business purposes, including:

  • Providing and improving the Websites and Services (support delivery, bug fixes, performance);
  • Security and abuse prevention (monitoring, fraud prevention, investigating incidents);
  • Customer relationship management (sales, demos, onboarding, account management);
  • Communications (responding to requests, service messages, administrative notices);
  • Marketing (newsletters, product updates, event invites, where permitted; opt-out available);
  • Billing and finance (invoicing, collections, accounting);
  • Legal compliance and enforcement (auditability, dispute resolution, enforcing agreements).

If Sudory creates aggregated or de-identified information so it is no longer reasonably linked to an individual, Sudory may use it for any business purpose (for example analytics, benchmarking, security insights).

6. Legal bases (GDPR / Dutch law)

Where Sudory acts as controller, Sudory processes personal data under one or more of the following legal bases:

  • Performance of a contract (for example providing Services, support, billing administration);
  • Legitimate interests (for example operating and securing our business, improving Services, B2B marketing where permitted, balanced against your rights);
  • Consent (for example non-essential cookies; certain marketing where required);
  • Legal obligation (for example tax retention, lawful government requests).

Where Sudory acts as processor, the Customer is responsible for identifying the legal basis for processing Service Data.

7. How we share Information

7.1 Displaying and operating the Services

Because of how the Services function, Service Data may be displayed within a Customer's workspace to that Customer's authorized users (for example evidence status, access findings, control mappings).

7.2 Service providers (processors and sub-processors)

Sudory uses vendors to support its business and deliver the Services (for example hosting, monitoring, customer support tooling, CRM, payments). They process Information under contractual confidentiality and data-protection obligations.

Technical operations of the Services are performed by Dix Consulting (Einzelunternehmen, Lidia Dix, CHE-397.600.688, registered in Männedorf, Switzerland), acting as a sub-processor.

The current list of sub-processors is available on request by email to privacy@sudory.com.

7.3 Third-Party Services (integrations)

At the Customer's direction, the Services may exchange information with Third-Party Services. Third-Party Services are not owned or controlled by Sudory. Customers and users should review Third-Party Services' privacy settings and notices.

7.4 Affiliates and corporate transactions

Sudory may share Information with affiliates, or as part of corporate transactions (for example financing, acquisition, reorganization), subject to appropriate safeguards.

7.5 Legal requests and protection

If Sudory receives a request from a public authority for Customer-related Service Data, Sudory will (where appropriate and permitted) seek to redirect the requesting party to the Customer. If Sudory is legally compelled to disclose Information, Sudory may do so and will provide notice to the Customer where legally permitted.

Sudory may share Information to enforce its rights, prevent fraud, and protect the safety of Sudory, Customers, users, and the public.

7.6 With consent

Sudory may share Information with third parties where you have given consent.

8. International transfers

Sudory may process Information in the EEA and, where necessary, in other countries. When personal data is transferred outside the EEA to a country without an adequacy decision, Sudory uses appropriate safeguards such as the European Commission Standard Contractual Clauses ("SCCs") and additional measures where required.

Transfers to Switzerland (Dix Consulting as Swiss sub-processor) are covered by the EU-Switzerland adequacy framework. For robustness, the SCCs are also incorporated into the DPA.

9. Security

Sudory implements technical and organizational measures designed to protect Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include access controls, encryption in transit, logging and monitoring, vulnerability management, and least-privilege principles.

No method of transmission or storage is perfectly secure. Sudory cannot guarantee absolute security, but continuously improves safeguards.

10. Data retention

10.1 Service Data (processor role)

Sudory retains Service Data according to the Customer agreement and DPA, and based on Customer configuration. After termination, Sudory provides export options and then deletes or returns Service Data in line with the agreement, unless retention is legally required.

10.2 Other Information (controller role)

Sudory retains Other Information as long as necessary for the purposes described, including to operate our business, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention ranges:

  • Website and server logs: up to 90 days, longer if needed for a security investigation.
  • Sales and prospect records: up to 24 months after the last meaningful interaction.
  • Customer account administration records: duration of the relationship plus 12 months.
  • Billing and tax records: retained for 7 years as required by Dutch tax and accounting rules.
  • Support tickets: up to 24 months.
  • Job applicants: up to 4 weeks after rejection, or up to 1 year with the applicant's consent.

11. Your rights (GDPR)

If Sudory is the controller of your personal data, you may have the right to:

  • access your personal data,
  • correct inaccuracies,
  • request deletion,
  • restrict or object to processing (including direct marketing),
  • data portability (where applicable), and
  • withdraw consent where processing is based on consent.

Sudory may need to verify your identity and request additional information to process your request. Sudory responds within GDPR timelines (generally one month, extendable in certain cases).

Important: If you are using Sudory through your employer or another Customer, and your request relates to Service Data, please contact that Customer first. Sudory will assist the Customer where required under the DPA.

You can contact Sudory at privacy@sudory.com.

You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens.

12. Cookies and similar technologies

Sudory uses cookies and similar technologies in line with Dutch and EU rules (GDPR and the cookie rules under Dutch telecom legislation). Strictly necessary cookies are used for authentication and session management. Sudory's analytics (Umami) is cookie-less. Sudory does not use advertising cookies or third-party tracking cookies. Consent banners are not required for strictly necessary cookies; Sudory will request consent if that position changes.

13. Marketing communications

Sudory may send service-related communications that are necessary for providing the Services. You cannot opt out of those.

For marketing communications, you can opt out at any time using the unsubscribe link or by contacting privacy@sudory.com.

14. Children

Sudory's Websites and Services are not intended for children, and Sudory does not knowingly collect personal data from children.

15. Changes to this Privacy Policy

Sudory may update this Privacy Policy from time to time to reflect changes in law, technology, or our practices. Updates are posted on this page with the "Last updated" date refreshed. If changes materially affect Customers, Sudory may provide additional notice.

16. Contact

Questions or requests: privacy@sudory.com.