Privacy Policy.

Effective: 1 January 2026. Version 1.0.

This Privacy Policy explains how Centuric LLC ("Centuric," "we," "us") collects, uses, protects, and shares information when you visit MyCMMC.ai, request information, become a client, or interact with us in connection with our CMMC compliance practice.

The short version

We collect what we need to evaluate fit, scope an engagement, and deliver our services. We never sell personal information. Where we receive client environment data — including any Controlled Unclassified Information — we handle it under the same NIST 800-171 controls we recommend to clients.

1. Information We Collect

Lead and contact information

When you submit a form on MyCMMC.ai or otherwise contact us, we collect your name, business email address, business phone number, company name, role, your responses to qualifying questions (such as whether you handle CUI), and the notes you provide. We also record the date and time of submission, the page URL, and your IP address and country code as reported by our infrastructure provider.

Engagement information

During an engagement, we collect and process information about your environment necessary to perform the services. This may include network diagrams, asset inventories, user lists, system configurations, policy documents, evidence artifacts, and, in scoped circumstances, Controlled Unclassified Information ("CUI"). Specific handling of engagement information is governed by the executed Statement of Work and these Terms.

Billing information

For paying clients we collect billing contact name, billing email, billing address, the legal name of the contracting entity, and tax identification information where required. We do not store full payment card numbers; payment instruments are processed by a third-party processor under PCI DSS controls.

Website analytics

The MyCMMC.ai marketing site collects standard web telemetry including IP address, browser type, pages viewed, referrer, and timestamps. We use this to operate and improve the site. We do not use third-party advertising or behavioral-tracking cookies.

2. How We Use Information

We use the information we collect to:

  • Respond to inquiries, scope potential engagements, and provide proposals
  • Deliver the services described in an executed Statement of Work, including assessment, remediation, and managed compliance work
  • Communicate about active engagements, including reports, evidence requests, scheduling, and incident notifications
  • Invoice and collect for services provided
  • Detect, investigate, and prevent fraud, abuse, and security incidents in our own environment
  • Comply with legal obligations, including tax reporting and lawful requests from regulators
  • Improve our service offerings through aggregated, de-identified analytics

We do not use client engagement data to train third-party artificial intelligence models. Where we use Microsoft 365 or other allowed tooling that incorporates AI features, we configure those services to keep tenant data within Microsoft's commercial or government cloud boundary, and we disable model-training options where they exist.

3. Controlled Unclassified Information

If we touch CUI

Most engagements are scoped so that we never directly receive CUI — we work with descriptions, diagrams, and metadata. When an engagement requires direct CUI handling, we receive and process it inside a Microsoft GCC or GCC High enclave, restricted to U.S.-citizen personnel where required by contract or ITAR, with audit logging on every access.

Where Centuric receives CUI in the course of an engagement, we apply the controls of NIST SP 800-171 in our own environment, including encryption in transit (TLS 1.2 or higher) and at rest (AES-256), least-privilege access, multi-factor authentication, audit logging, and incident response. CUI received during an engagement is returned or destroyed at the end of the engagement upon client request, subject only to legal retention obligations.

4. Data Sharing

We share information only as necessary to operate the practice or comply with law:

Recipient | Purpose
Microsoft (commercial, GCC, or GCC High) | Operating client enclaves and our own production environment under the applicable Microsoft data processing terms
Cloud infrastructure providers | Hosting the MyCMMC.ai site and lead-handler function within U.S.-based data centers under standard data processing agreements
Email delivery service | Sending transactional notifications, lead acknowledgements, and routine client communications
Payment processor | Processing billing under PCI DSS controls; the processor receives card data directly from your browser and returns a non-sensitive token to us
Subcontractors and Registered Practitioners | Augmenting Centuric staff on specific engagements, bound by written confidentiality and security obligations
Law enforcement, regulators, and government auditors | Only in response to a valid subpoena, court order, or other lawful request, or as required by an active government contract
Acquirers | In the event of a merger, acquisition, or sale of substantially all of Centuric's assets, subject to continued application of this policy

We do not sell personal information. We do not share client engagement information with advertisers, data brokers, or any party outside the categories listed above.

5. Data Retention

We retain information for the periods reasonably necessary to operate the business and comply with legal obligations:

  • Inquiry and lead records: up to 24 months unless converted to an engagement, after which engagement-related retention applies
  • Engagement deliverables and work papers: 7 years after engagement close, subject to client direction to delete earlier where permitted
  • Client environment data received during delivery: returned or destroyed at engagement end upon client request, subject to legal retention
  • Billing records and invoices: 7 years for tax and audit purposes
  • Account profile and contact information: for the life of the relationship plus 24 months
  • Website analytics: retained in aggregated form for up to 26 months

After the applicable retention period, data is deleted from production systems and purged from backups in the next backup rotation cycle.

6. Security

We protect personal data and engagement data with administrative, technical, and physical safeguards appropriate to their sensitivity, including:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Role-based access controls and least-privilege principles for our personnel
  • Multi-factor authentication on all administrative and client-facing systems
  • Continuous logging and monitoring of administrative access
  • Annual third-party security assessment and quarterly internal review
  • Vendor due diligence on subprocessors handling Centuric or client information
  • Documented incident response with defined timelines for client notification

No system is perfectly secure. In the event of a confirmed breach affecting client engagement data or personal data, we will notify affected parties and the appropriate authorities within the timeframes required by applicable law and any executed Statement of Work.

7. Your Rights

Depending on where you reside, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request that we correct inaccurate or incomplete data
  • Deletion: Request that we delete personal data, subject to legal and contractual retention obligations
  • Portability: Request export of your data in a portable format where applicable
  • Restriction or objection: Restrict certain processing activities
  • Withdrawal of consent: Where we rely on consent, withdraw it at any time

To exercise any of these rights, contact helpdesk@centuric.com. We will respond within 30 days. California residents have additional rights under the CCPA/CPRA; we do not sell or share personal information for cross-context behavioral advertising.

8. HIPAA and Other Sectoral Frameworks

Some clients are also subject to HIPAA, GLBA, FERPA, or other sectoral privacy laws. Where Centuric is engaged to operate or advise on environments that process protected information under any of these regimes, the obligations are set out in a separate Business Associate Agreement or comparable document. We do not assume those obligations by default without an executed agreement.

9. Cookies and Tracking

The MyCMMC.ai marketing site uses minimal first-party cookies necessary for functionality. We do not use third-party advertising or behavioral-tracking cookies. We do not embed third-party social-media trackers or marketing pixels.

10. International Users

The Services are operated from the United States and are intended for use by businesses with operations in or connected to the United States and its defense supply chain. If you access this site or engage Centuric from outside the United States, you consent to the transfer of your data to the United States, where data protection laws may differ from those in your jurisdiction.

11. Children

This site and our services are not directed to children under 18 and we do not knowingly collect personal data from minors. If you believe a minor has provided personal data through this site, contact us at helpdesk@centuric.com and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes affecting how we use or disclose personal data will be communicated by email to active clients at least 30 days before they take effect. The effective date at the top of this policy indicates the most recent version.

13. Contact Us

For privacy questions, data subject requests, or to report a concern:

Centuric LLC — Privacy Office
13798 NW 4th St., Suite 311
Sunrise, Florida 33325
helpdesk@centuric.com