Privacy Policy
Effective: 2026-05-15
1. Who we are
Compliance Assessment Tool, LLC ("CAT", "we", "us") is a Delaware limited liability company at 1111B S Governors Ave, #39128, Dover, DE 19904. We provide a compliance-as-a-service platform that helps acquiring banks, ISOs, and payment service providers ("Partners") complete PCI DSS Self-Assessment Questionnaires ("SAQs") on behalf of their merchants ("End Users").
2. Our role
For most processing of End User personal data, we act as a data processor (or "service provider" under CCPA terminology) on behalf of our Partners, who are the data controllers. Our processing of Partner data is governed by our Data Processing Addendum. For data collected directly from you when you visit this site (e.g., website analytics), we are the controller.
3. Personal data we collect
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Partner contact info | Name, work email, phone, role | Partner provides at onboarding | Account management, support, billing |
| Merchant business info | Legal name, DBA, address, website, contact details, payment-method descriptions, acquirer/processor identifiers, locations | Partner provides via API / iframe | SAQ + AoC completion |
| SAQ responses | Free-text answers to PCI DSS controls, attestation status (In Place / Not In Place / N/A / In Place with CCW), remediation plans | Merchant provides via Partner's surface | SAQ + AoC generation |
| Signature data | Signatory name, title, attestation acknowledgement, signed-at timestamp | Merchant provides via Partner's surface | Rendered on AoC attestation page |
| Web logs | IP address, user agent, request path, response status, timestamp | Server-side via AWS CloudWatch | Security monitoring, debugging |
We do not collect cardholder data (CHD). Our platform is engineered to keep CHD outside our scope; we only collect merchants' descriptions of their payment flows, not the card numbers themselves.
4. Cookies & tracking
This site uses a small number of strictly-necessary, first-party cookies for session and API-key persistence in the demo portal. We use no third-party analytics, no advertising cookies, no marketing pixels, no Google Analytics, no Meta Pixel. Strictly-necessary cookies are exempt from consent under GDPR and ePrivacy.
5. How we use personal data
- Delivering the service per the Partner's instructions (SAQ + AoC completion).
- Generating compliance documents (SAQ PDF, AoC PDF) and delivering them by email to addresses you designate.
- Sending operational webhooks to Partner-configured URLs (event types include
saq.submitted,merchant.compliant,payment_method.added). - Detecting and preventing security incidents.
- Complying with legal obligations (e.g., responding to lawful subpoenas).
We do not: sell personal data, share it for cross-context behavioral advertising, use it to train AI models for other customers, or use it for any purpose outside the scope of the Partner's instructions.
6. Disclosures & sub-processors
We disclose personal data only to: (a) our sub-processors under written contracts containing data-protection terms equivalent to those in our DPA; (b) the Partner you arrived from; (c) competent authorities when legally compelled.
7. International transfers
We host customer data in AWS us-east-1 (N. Virginia). For data subjects in the European Economic Area, United Kingdom, or Switzerland, transfers to the United States are governed by the European Commission's Standard Contractual Clauses (2021/914) and, for UK data, the UK International Data Transfer Addendum (IDTA / UK Addendum).
8. Data retention
- SAQ attempts and responses: retained for the term of the Partner agreement plus 7 years (matching PCI DSS evidence-retention practice).
- Generated PDFs (S3): retained for the term of the Partner agreement plus 7 years.
- Audit log events: retained for the term of the Partner agreement plus 7 years.
- Web logs: 90 days.
- OpenAI API context: not used for model training; retained by OpenAI up to 30 days for abuse monitoring, then deleted (per OpenAI API data controls and our DPA).
On Partner request after termination we will return or delete personal data per Section 2.11 of the DPA.
9. Your rights
Depending on where you are located, you may have rights to access, correct, delete, or port your personal data, to object to or restrict processing, and to lodge a complaint with your supervisory authority. Because we typically act as a processor, please direct rights requests to the Partner that gave you access to our platform. We will assist the Partner in responding within the timeframes required by law (typically 30 days for GDPR, 45 days for CCPA).
If you cannot reach the Partner, email chris.larson@complianceassessmenttool.com and we will route the request appropriately.
10. California residents (CCPA / CPRA)
Categories of personal information collected: identifiers (name, email, phone), commercial information (merchant business descriptions), internet activity (web logs), professional information (signatory title). We have not "sold" or "shared" personal information in the prior 12 months. We are a service provider for our Partners; we do not retain, use, or disclose personal information except to perform the services specified in our written contracts.
11. Children
This service is for businesses and is not directed at children under 16. We do not knowingly collect personal data from children.
12. Changes
We will post any material changes to this policy at least 30 days before they take effect. The "Effective" date above reflects the most recent version.
13. Contact
Compliance Assessment Tool, LLC
1111B S Governors Ave, #39128, Dover, DE 19904
Privacy: chris.larson@complianceassessmenttool.com
Security: chris.larson@complianceassessmenttool.com