Privacy Policy
Draft — pending legal review
This privacy policy is a working draft authored from standard SaaS templates and Concura's known data flows as of 2026-05-14. It has not yet been reviewed by counsel. Treat it as a basis for a lawyer-finalized version, not a binding statement.
Effective date: to be set once finalized
Last drafted: 2026-05-14
Concura.AI is a product of Consultant Works, LLC (referred to as "Consultant Works," "we," "us," or "our"). Consultant Works provides senior-assessor-driven CMMC compliance content and SSP authoring tools to Department of Defense Industrial Base (DIB) contractors through the Concura product. This Privacy Policy describes what personal data we collect, why, who we share it with, and the choices you have about it.
1. Scope
This policy applies to:
- The Concura.AI public marketing site (concura.ai), including the lead-capture form on the prospectus page.
- The Concura authenticated dashboard (concura.ai/dashboard/) accessible to active Reference and Interview subscribers.
- The Concura Interview SSP-authoring environment, where customer SSP content is stored in Microsoft Azure Government (GCC High).
- Concura Consult booking and session content.
It does not apply to third-party websites you reach via outbound links from Concura.
2. Data we collect
2.1 Information you give us directly
- Lead-capture form (prospectus page): name, work email, phone number, and any optional free-text notes you include.
- Subscription sign-up: name, work email, billing address, company name, and payment-card details. The card itself is collected and stored by Stripe, not by Concura — we retain only the Stripe customer token and the last 4 digits for receipt purposes.
- Interview authoring (subscribers only): your authored SSP narrative content, optional voice transcripts, your company profile (organization name, IT admin names, CISO name, employee count, system name), your uploaded logo image, and your inheritance / architecture configuration choices.
- Concura Consult bookings: calendar information you provide for scheduling, plus any contextual information you share during the session.
- Support requests and direct emails: content you send to sales@concura.ai, support@concura.ai, privacy@concura.ai, or assessor@concura.ai.
2.2 Information collected automatically
- Server logs: IP address, browser user-agent, timestamp, requested URL, response code. Retained 90 days for security and abuse prevention, then rotated.
- Authentication events: sign-in events are logged by the identity provider for the surface you are accessing (Google identity via oauth2-proxy for the dashboard; Microsoft Entra B2B for Concura Interview). These providers record sign-in events under their own privacy terms to confirm your identity; Concura receives only the result of the sign-in, not your password.
- Bookmarker / Completion Tracker (optional, dashboard-only): if you enable the tracker, we store per-objective status (not started / in progress / completed), inheritance flag, and timestamp. No SSP content, evidence, or policy text is stored in the tracker.
2.3 What we deliberately do not collect
- We do not run web-analytics scripts (no Google Analytics, no Segment, no Hotjar, no equivalent).
- We do not track you across the web.
- We do not collect biometric data, precise location, or device-fingerprint data.
- We do not collect personal data from anyone under 18. Concura is not directed at minors.
3. Why we collect it
| Purpose | Lawful basis |
|---|---|
| Respond to lead inquiries you submit via our form | Legitimate interest |
| Provide the subscribed Concura service | Performance of contract |
| Generate your personalized SSP .docx (Interview subscribers) | Performance of contract |
| Process payments | Performance of contract |
| Send service notices and trial-conversion reminders | Performance of contract |
| Protect Concura against fraud, abuse, and security threats | Legitimate interest / legal obligation |
We do not sell your personal data, do not share it for cross-context behavioral advertising, and do not run advertising tracking on the Concura site.
4. Retention
| Data | Retention |
|---|---|
| Lead-form submissions | 24 months, then deleted unless you become a customer |
| Active subscription account data | Duration of subscription + 30 days after cancellation, then moved to cold storage |
| Cold-storage authored SSP content | 12 additional months, then purged; we notify you before purge |
| Payment records (via Stripe) | 7 years (US tax-record obligation) |
| Server logs | 90 days |
| Bookmarker / tracker state | While your subscription is active; deleted on cancellation |
| Email correspondence | As long as operationally needed |
You may request earlier deletion of your data at any time (see Section 8).
5. Subprocessors
Concura uses the following service providers ("subprocessors") to deliver the service. Each has signed appropriate data-processing terms with us. We choose providers whose security posture matches the audience we serve.
| Subprocessor | Purpose | Data accessed | Location |
|---|---|---|---|
| Microsoft Corporation (Azure Government — GCC High) | Hosts subscriber-authored SSP content for Concura Interview | Interview-tier customer SSP data only | US (FedRAMP High–authorized environment) |
| Microsoft Corporation (Entra B2B) | Sign-in authentication (one-time-passcode email) | Email address, sign-in events | US |
| Anthropic, PBC | AI cleanup and refine of Interview-authored narratives | Submitted SSP narrative text only | US |
| Stripe, Inc. | Payment processing | Name, email, billing address, card details | US |
| Akamai Technologies (Linode) | Hosts the public Concura marketing site and lead-form endpoint | Server-log data, lead-form submissions in transit | US |
| Zoho Corporation Pvt. Ltd. | Email delivery for *@concura.ai mailboxes (including lead notifications) | Inbound and outbound email content | US (Zoho .com data center) |
| Let's Encrypt (ISRG) | TLS certificates for the public site | Domain ownership only | US |
We maintain a current subprocessor list and will notify active customers via email at least thirty (30) days before adding a new subprocessor that materially processes customer data, giving you an opportunity to raise concerns or terminate before the change takes effect.
6. Where your data is stored and processed
- Concura Interview customer SSP data is stored exclusively in Microsoft Azure Government (GCC High) in the United States, in regions described by Microsoft as FedRAMP-High-authorized. This isolation is intentional: customers handling Controlled Unclassified Information (CUI) regulated by DFARS / CMMC expect Concura's authoring environment to live where their own CUI lives.
- Concura Reference content, the public marketing site, the lead-form endpoint, and the Bookmarker / Completion Tracker are hosted on Akamai (Linode) infrastructure in the United States. These surfaces do not store CUI; they hold the Concura-authored reference text, your bookmark state, and standard server logs.
- Stripe processes payment data on its own US-based infrastructure under its own data-processing terms.
- Anthropic processes Interview-authored narrative text submitted for AI cleanup on its US-based infrastructure under its commercial terms with Concura, which prohibit use of submitted content for model training.
We do not transfer subscriber data outside the United States as a matter of routine operation. If you sign in from outside the United States, the sign-in event reaches our US-hosted services and Microsoft Entra; that transfer is necessary to provide the Service you requested.
7. How we secure your data
We take commercially reasonable technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, and destruction. These include:
- Transport encryption. All connections to Concura services use TLS 1.2 or higher.
- Access controls. Access to subscriber data within Consultant Works is restricted to the operators who need it to deliver or support the Service. Where possible, access is mediated by managed-identity tokens rather than long-lived credentials.
- Authentication. Concura Interview requires sign-in through Microsoft Entra B2B; the Concura dashboard requires sign-in through Google identity via oauth2-proxy. In both cases the identity provider verifies your credentials; Concura does not store, see, or process your account password.
- Audit logging. Sensitive operations against subscriber data (settings changes, user roster changes, exports) are logged.
- Subprocessor hardening. We choose subprocessors whose security posture matches the audience we serve — most notably Microsoft Azure Government for the Interview SSP environment.
- Vulnerability response. We monitor advisories for the third-party software we run, and patch on a risk-prioritized basis.
No system is perfectly secure. While we take these precautions, we cannot guarantee absolute security. If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in accordance with applicable law.
8. Your rights and choices
Depending on where you live, you may have one or more of the following rights with respect to your personal data:
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to correct inaccurate personal data.
- Deletion. Ask us to delete your personal data, subject to retention obligations described in Section 4.
- Export. Receive a machine-readable copy of your personal data, including your authored SSP content.
- Restriction. Ask us to limit certain processing (for example, pause use of your authored narratives for AI cleanup).
- Objection. Object to processing we carry out under our legitimate interests.
- Withdraw consent. Where processing is based on your consent, withdraw it (without affecting processing already carried out).
- Complaint. Lodge a complaint with a supervisory authority in your jurisdiction (for EU/UK residents, your national data-protection authority; for California residents, the California Privacy Protection Agency).
To exercise any of these rights, email privacy@concura.ai from the email address on your Concura account, or contact us at the postal address in Section 12. We will respond within a reasonable period and within any period required by applicable law (generally one month under GDPR, extendable by up to two further months with notice; 45 days under CCPA, extendable once by a further 45 days with notice).
We do not "sell" personal data and we do not engage in "cross-context behavioral advertising" as those terms are defined under U.S. state privacy laws. We therefore have no opt-out-of-sale or opt-out-of-targeted-advertising mechanism to provide. If your browser sends a Global Privacy Control signal (the Sec-GPC request header), we treat it as confirmation that we should not sell or share your data, which is already our practice.
9. Cookies and similar technologies
Concura uses cookies sparingly and only for purposes that are essential to delivering the Service you asked for:
| Cookie / storage | Purpose | Set by |
|---|---|---|
| _oauth2_proxy (or similar) | Maintains your authenticated session on concura.ai/dashboard/ and related authenticated pages. | oauth2-proxy |
| concura_arch | Remembers your selected CUI-handling architecture so reference pages render the right variant without a fresh API call. | Concura |
| sessionStorage flag for the login-acknowledgment banner | Suppresses the banner within a single browser session after you have acknowledged the current Terms once. | Concura |
| Microsoft Entra B2B session cookies (Concura Interview only) | Maintains your authenticated session in the Interview app. | Microsoft |
| Stripe session / fraud-prevention cookies (checkout pages only) | Process payment, detect fraud. | Stripe |
We do not use any cookie for advertising, analytics, retargeting, or cross-site tracking. We do not load Google Analytics, Segment, Hotjar, Meta pixel, or any equivalent. You can clear or block these cookies in your browser; doing so will sign you out and may break authenticated features.
10. Children's privacy
Concura is a business product directed at Department of Defense Industrial Base contractors. It is not directed at, marketed to, or intended for use by children. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected such data, contact privacy@concura.ai and we will delete it.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our subprocessors, or applicable law. When we make a material change, we will:
- Update the "Effective date" at the top of this page.
- For active subscribers, send notice to the email address on your account at least thirty (30) days before the change takes effect when the change materially expands the processing we do or the parties we share data with.
- Post a summary of the change at the top of this page for a reasonable period after it takes effect.
For non-material changes (typos, formatting, clarifications), we will update the page without notice but the change history is recorded in our public source repository.
12. Contact
For privacy-related questions, requests to exercise your rights, or any other matter covered by this Policy, contact us:
- Privacy requests: privacy@concura.ai
- General + billing: support@concura.ai
- Postal: Consultant Works, LLC, St. Petersburg, Florida, U.S.A.
For EU / UK residents: we do not currently have an in-region representative for GDPR purposes. You may direct correspondence to the U.S. postal address above; we will respond.
End of Privacy Policy.