
Privacy Policy
A LEGAL DISCLAIMER
Zivis, LLC ("Zivis", "we", "our", or "us") is a U.S.-based AI security services firm specializing in adversarial testing, red teaming, and risk assessment of large language models (LLMs), retrieval-augmented generation (RAG) systems, and related GenAI deployments.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information in connection with our services. It also outlines your rights and our obligations under applicable privacy laws, including:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- NIST AI Risk Management Framework (AI RMF)
- SOC 2 Trust Services Criteria
By using our services or interacting with our website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please refrain from using our services.
ETHICAL ALIGNMENT
Zivis operates under a strict ethical charter:
- We only conduct testing with informed, explicit client consent.
- We never exploit, retain, or weaponize vulnerabilities discovered.
- All findings are reported transparently and privately to authorized stakeholders.
- We will not engage with clients or actors who intend to use AI systems for surveillance, disinformation, or unethical use of data.
INFORMATION WE COLLECT
CLIENT-PROVIDED INFORMATION:
- Contact information (name, email, phone, job title)
- Organization name and system architecture details
- Engagement scope documentation
- Access credentials or test environments (temporary, client-controlled)
SYSTEM DATA DURING TESTING
- Logs, prompts, model outputs, and response traces
- Vulnerability reports, error messages, and model behavior
- All data collected is limited to the scope of the engagement
We do not knowingly collect any personal health information (PHI) unless the client engagement involves systems that process PHI and HIPAA controls are in place.
HOW WE USE INFORMATION
We use collected information solely for:
- Conducting agreed-upon red teaming or testing engagements
- Generating risk assessments and final reports
- Communicating findings and recommendations to the client
- Ensuring internal quality and process improvements (in anonymized, aggregate form)
We do not sell, lease, or share client data with any third parties.
DATA PROTECTION & SECURITY
Zivis follows best practices for security and access control, including:
- Role-based access with least privilege
- Encryption in transit and at rest (TLS 1.2+/AES-256)
- Secure handling and expiration of credentials post-engagement
- Device hardening, VPN access, and endpoint protection
- No use of public LLMs (e.g., OpenAI API, Anthropic) without explicit approval
All report data is stored securely and deleted after a 90-day retention period, unless otherwise agreed upon in the contract.
USE OF AGENTIC AI IN OPERATIONS
Zivis may use agentic AI systems—intelligent software agents designed to operate autonomously within defined scopes—to support internal operations and enhance service delivery. These agents may assist in:
- Pre-processing or organizing logs, prompts, or test data during client engagements
- Summarizing findings, generating draft reports, or highlighting anomalies
- Anonymizing or labeling test data for internal security review
- Responding to inquiries submitted through our website or intake forms
- Workflow automation and time-boxed task execution
Key Principles:
- Agentic AI is used only under human oversight, and its outputs are reviewed by qualified experts before being shared with clients.
- We do not train or fine-tune AI models on client data.
- Any third-party AI services used (e.g., via API) will be disclosed and governed by data processing agreements or will require explicit client opt-in.
- Agentic AI usage is strictly scoped to operational and analytical support, and never replaces the ethical responsibility or decision-making of a human consultant.
YOUR RIGHTS
Depending on your jurisdiction, you may have the following rights:
UNDER GDPR (EU/EEA)
- Right to access, correct, or delete your data
- Right to restrict or object to processing
- Right to data portability
- Right to lodge a complaint with a supervisory authority
UNDER CCPA (California)
- Right to know what personal data we collect
- Right to request deletion
- Right to opt out of the sale of personal data (we do not sell personal data)
- Right to non-discrimination
UNDER HIPAA (if applicable)
- All PHI is handled in accordance with the HIPAA Security and Privacy Rules
- We are willing to sign a Business Associate Agreement (BAA) if required
To exercise your rights, please contact us at privacy@zivis.ai.
DATA TRANSFERS
If you are located outside the United States, please note that your information may be processed and stored in the U.S. or other countries where we operate. We ensure such transfers comply with GDPR and other legal safeguards (e.g., Standard Contractual Clauses).
THIRD-PARTY TOOLS
Zivis does not use third-party analytics, tracking, or cookies for client interactions. We do not outsource testing to third parties without consent.
Any tools or LLM APIs used during testing will be documented and opt-in only, based on client risk posture.
NO LEGAL ADVICE
Zivis LLC is not a law firm and does not provide legal advice. While our security assessments may align with regulatory frameworks such as GDPR, HIPAA, or SOC 2, any references to these standards are for informational purposes only. Clients are advised to consult with qualified legal counsel for formal compliance determinations.
CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect operational, legal, or regulatory changes. When we do, the revised policy will be posted with an updated “Last Updated” date. We encourage you to review this policy periodically. Material changes will be communicated via direct email where appropriate.
CONTACT INFORMATION
If you have any questions about this policy or how we handle your data:
privacy@zivis.ai
PGP key available upon request for secure communication