Privacy Policy
Last Updated: January 15, 2026
1. Introduction
This Privacy Policy explains how Solsphere AI Inc. ("Solsphere", "we", "our", or "us") collects, uses, processes, stores, and protects personal data in connection with our websites, applications, products, services, integrations, and related activities (collectively, the "Services"). The policy is intended to be compatible with major global data protection regimes (including European and U.S. laws) and to provide clear, practical information about how we handle personal data across jurisdictions. It describes what data we may process, why we process it, how long we retain it, and the choices and rights available to individuals whose data we process. Our goal is to be transparent about our practices and to ensure that personal data is handled responsibly and securely.
2. Company Information & Business Model
Legal Entity:
Solsphere AI Inc.
Registered Address:
8 The Green Ste R
Dover, DE 19901
United States
Solsphere is an end-to-end Governance, Risk, and Compliance (GRC) solutions provider that focuses on cybersecurity controls and IT General Controls (ITGC). Our flagship product, Regodit, combines a cloud-hosted SaaS platform and AI-enabled tooling with the professional services required to plan, collect evidence, assess controls, and complete audits. We operate as a business-to-business (B2B) provider, partnering with organizations, their authorized personnel, and their external auditors or consultants to deliver tailored compliance and risk-management outcomes that reflect each client's operational needs and regulatory obligations.
3. Scope of This Policy
This Privacy Policy applies to personal data processed by Solsphere in connection with our Services and customer relationships. It covers data that Solsphere processes when organizations register for or use our Services, when authorized users access our platforms and dashboards, when users connect third-party services and integrations, when users upload files or documents to the platform, and when we communicate with customers for operational, security, or contractual reasons. All collection, access, and reading of customer data by Solsphere and our authorized subprocessors is performed only to deliver the GRC, compliance, evidence-collection, audit support, and related services that the client requests and to operate, maintain, and support the Services. We will not access, read, or otherwise process customer data for unrelated business purposes.
4. Personal Data We Collect
We collect personal data only to the extent necessary to provide and operate the Services and to fulfill client-specified compliance and audit objectives. We strive to minimize the personal data we process and to restrict use to what is needed for legitimate operational and contractual purposes.
4.1 Account and Identity Information
We may collect account and identity details such as a user's name, business email address, job title or role, and organization name. These details are used to create and manage accounts, authenticate and authorize users, enable role-based access controls within Regodit, and to support collaboration and communications between customers and Solsphere teams.
4.2 Service and Integration Data
With explicit customer authorization, we may access service and integration data in order to perform compliance tasks at the client's direction. This can include email content and metadata, file metadata and authorized access links, and documents uploaded by users. Access to such data is limited to read-only operations unless the customer explicitly authorizes otherwise, and it is used solely for the compliance, evidence-collection, assessment, reporting, and remediation activities the client requests.
4.3 Limited Personal Data / PII
Solsphere does not retain personal data or personally identifiable information beyond what is required to provide Services, support account access, or perform client-requested compliance activities. PII retained may be limited to account and login information (secured and protected using appropriate controls), business contact details, and the minimum contextual data needed for identity verification, authentication, and audit reporting. We do not collect or retain additional PII for unrelated purposes.
4.4 Cached and Derived Data
To support performance and processing of tasks, we may temporarily store extracted or structured representations of authorized data and system-generated internal outputs. These temporary representations are encrypted, access-restricted, and retained only for the minimum time necessary to complete the relevant compliance or operational task.
4.5 Logs and Operational Data
We collect system and application logs for reliability, performance troubleshooting, and security monitoring. Logs are designed to avoid storing sensitive personal data whenever feasible. Access to logs is restricted to authorized personnel and is subject to audit and retention controls.
4.6 Analytics and Usage Data
We may collect limited analytics and usage information (for example, IP address, device type, browser, and general geographic region) to operate, secure, and improve the Services. When possible we use aggregated or de-identified analytics to reduce the presence of personal data in product analytics and reporting.
5. How We Use Personal Data
We use personal data to provide, operate, and improve our Services and to deliver the compliance and audit outcomes our clients request. Typical uses include account administration, authentication and authorization, evidence collection and organization, control assessment and reporting, coordinating professional services activities, communicating essential service notices, and responding to support, legal, or regulatory requests. We also use de-identified or aggregated data to analyze product performance and to improve functionality. We do not use customer content to train machine learning models or for unrelated research or commercial initiatives; customer data is processed only in accordance with client instructions and this Policy.
6. Legal Basis for Processing
Where applicable, Solsphere relies on appropriate legal bases to process personal data. These may include performance of a contract with the customer (for example, to deliver Services), compliance with legal obligations, legitimate business interests balanced against data subject rights, or consent where required by local law. We will identify the relevant legal basis as required by applicable privacy laws in contractual documents and customer communications.
7. Data Sharing and Disclosure
Solsphere does not sell personal data. We disclose personal data only as necessary to provide the Services and fulfill client instructions: to subprocessors and service providers acting on our behalf under confidentiality and data-protection obligations; to respond to lawful requests from public authorities where required by law; and at the direction of our customers. Subprocessor access is limited to the specific, documented purposes instructed by Solsphere and controlled by contract. Where legally permissible and practicable, Solsphere will consult or notify customers before disclosing their data to third parties in response to government or law enforcement requests.
8. Third-Party Services and Subprocessors
To deliver the Services reliably and securely, Solsphere relies on reputable third-party providers. These subprocessors process data only according to our instructions and under contractual safeguards requiring appropriate technical and organizational measures. Solsphere maintains a current record of subprocessors and provides notice to customers of material changes in accordance with contractual commitments.
Current subprocessors include:
- Amazon Web Services, Inc. (AWS) — cloud infrastructure and platform services used to host and operate Regodit and related services.
- Truto — third-party service provider supporting Solsphere's operational or service-delivery needs.
Each named subprocessor is contractually required to process personal data only as instructed by Solsphere, to implement reasonable security measures, and to assist Solsphere in meeting its contractual and legal obligations.
9. Data Storage, Residency, and Security
Primary Storage Location: We primarily store and process customer data in secure cloud environments in the United States, using cloud providers with robust operational and security controls.
Regional Data Residency: When a client requires that storage or processing occur in a particular jurisdiction for regulatory or contractual reasons, we will work with the client and our cloud providers to implement regionally appropriate storage and processing. This may include provisioning services within a specified cloud region or applying lawful transfer mechanisms where data must cross borders. Solsphere documents and implements transfer safeguards consistent with applicable law.
Security Measures: Solsphere implements industry-standard technical and organizational security measures, including encryption in transit and encryption at rest, strong identity and access management (including least privilege and multi-factor authentication where appropriate), regular vulnerability scanning and penetration testing, logging and monitoring, incident response procedures, and periodic security assessments. Access to customer data is limited to authorized personnel and subprocessors who require it to perform their duties, and such access is governed by contractual confidentiality obligations and internal auditing.
10. Data Retention and Deletion
We retain personal data only as long as necessary to provide the Services, to fulfill the specific compliance and audit objectives requested by the client, or to meet legal or contractual requirements. Retention periods are driven by customer agreements and applicable law; as a general guideline, customer data is deleted within a defined period after account termination or integration disconnection (for example, up to 180 days), unless a longer retention period is required by contract or law. Temporary backups or archival copies are subject to the same deletion policies as operational data.
11. Data Subject Rights
Subject to applicable law, individuals may have rights with respect to their personal data, including the right to access, correct, delete, restrict processing, or request portability. Customers acting as data controllers are typically the primary point of contact for these requests; Solsphere will assist customers in fulfilling data subject requests in accordance with contractual commitments and legal obligations. Requests for information about how Solsphere processes data, or requests submitted directly by an individual, may be routed through the customer or handled in coordination with the customer.
12. International Data Transfers
Because we operate globally and rely on cloud infrastructure with an international footprint, personal data may be transferred to and processed in countries other than the data subject's country of residence, including the United States. For cross-border transfers, Solsphere will implement appropriate safeguards — such as contractual mechanisms or other lawful transfer solutions — to provide appropriate protection for personal data in accordance with applicable law and customer agreements.
13. Data Breach Notification
Solsphere maintains an incident response program designed to detect, contain, and remediate security incidents. In the event of a security incident that affects personal data, we will notify affected customers and any required supervisory authorities or individuals within the timeframes required by applicable law and customer contracts (for example, within 72 hours where applicable). Notifications will describe the nature of the incident, the types of data impacted, the likely consequences, and the corrective actions taken or planned.
14. Children's Data
Our Services and offerings are intended for adult users and for use in organizational contexts. We do not knowingly collect or solicit personal data from individuals under the age of 18. If we learn that we have collected such data without appropriate consent, we will take steps to delete it in accordance with applicable law.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the Services. The "Last Updated" date at the top of this policy indicates when the policy was last revised. For material changes that affect customers' rights or processing activities, we will provide notice to customers by email or through the Regodit platform as required by law and contract.
16. Contact Us
If you have questions about this Privacy Policy, or if you would like to submit a request related to personal data, please contact us:
- Email: privacy@solsphere.ai
- Company: Solsphere AI Inc.
- Address: 8 The Green Ste R, Dover, DE 19901, United States
