Privacy Policy

Your data.
Your control.

Last updated: April 8, 2026

After Action is a cyber crisis readiness platform used by security teams, facilitators, and insurance carriers. We take privacy seriously because our customers trust us with sensitive tabletop exercise data, readiness scores, and participant decisions during crisis simulations. This policy explains what we collect, how we use it, and how we protect it.

01

What we collect

We collect three categories of data:

  • Account data — name, work email, organization, role (from signup and Supabase Auth).
  • Exercise data — scenario selections, inject decisions, participant responses, gaps, action items, and readiness scores. This is the core data generated by using the platform.
  • Usage data — request logs, error traces (via Sentry when enabled), and anonymized analytics. No cross-site tracking, no advertising cookies.

We do not collect biometric data, facial recognition data, typing cadence, audio recordings, or any telemetry the participant did not explicitly submit.

02

How we use it

  • Deliver the platform functions you pay for (exercises, scoring, deliverables, certificates).
  • Compute benchmarks — all benchmarking uses aggregated, anonymized data across orgs.
  • Send transactional email (invitations, AAR-ready notifications, onboarding sequence).
  • Generate carrier-facing readiness certificates when clients explicitly request them.
  • Improve the product — internal analysis only, never sold.

We do not sell your data. We do not share identifiable client data with carriers, investors, or third parties without explicit written consent.

03

Carrier data sharing

When a client explicitly requests an insurance certificate, After Action generates a signed artifact containing the readiness score, scope, and exercise metadata. This is shared only with the carrier the client directs us to share it with, and only under the terms the client accepts at the time of issuance.

Carriers who subscribe to the field intake dataset receive aggregated and de-identified data only. Individual client names, participants, and decision text are never included in carrier exports unless the client has separately signed a data sharing addendum.

04

Where it lives

  • Database: Supabase (Postgres) in the region you select during org setup. Row-level security is enforced on every table.
  • Files (AARs, PDFs, evidence packs): Supabase Storage, private bucket, signed URLs only.
  • Backups: encrypted at rest, retained for 30 days.
  • Hosting: Vercel, HTTPS enforced, HSTS preload enabled.
05

Retention

We retain client data for the life of the engagement and 7 years after for audit and compliance evidence purposes (SOC 2, ISO 27001, HIPAA, PCI). You can request earlier deletion at any time — see Section 07.

06

Security controls

  • TLS 1.3 in transit, AES-256 at rest (Supabase default).
  • Row-level security (RLS) on every database table.
  • SHA-256 hashed API keys (never stored in plain text).
  • Service-role keys never used in client-side code.
  • CSP, HSTS, X-Frame-Options, strict CORS on the web app.
  • Mandatory code review and type-checking before deployment.
07

Your rights — GDPR, CCPA, and data subject requests

These rights apply to all customers. They satisfy the data subject rights granted under the General Data Protection Regulation (GDPR, Art. 15–22) and the California Consumer Privacy Act (CCPA, §1798.100–1798.150). You can, at any time:

  • Right of access — request a copy of all data we hold about you or your organization.
  • Right of rectification — request correction of inaccurate data.
  • Right to erasure (“right to be forgotten”) — request deletion of your account and associated data.
  • Right to data portability — receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to restrict processing — revoke consent for carrier data sharing or pause processing while a dispute is resolved.
  • Right to object — opt out of the onboarding email sequence at any time (unsubscribe link in every email) and decline any non-essential processing.
  • Right not to be subject to automated decision-making — readiness scores are advisory; no engagement, insurance, or compliance outcome is determined solely by automation.

Email privacy@afteraction.dev for any request. We respond within 5 business days. A signed Data Processing Agreement (DPA) is available on request for customers subject to GDPR, UK GDPR, or other regulated-jurisdiction obligations.

07b

Subprocessors

We share customer data with the following subprocessors to deliver the platform. The authoritative list with purpose, data classes, and region is published at /security: Vercel (hosting), Supabase (database + auth + storage), Stripe (payments), Resend (transactional email), and Anthropic (optional AI coaching — only invoked when an org configures its own API key). Material changes are announced 30 days in advance via email to org owners.

08

Cookies

We use only strictly necessary cookies (authentication session, stealth-gate access). We do not use advertising cookies or cross-site tracking. We do not load Google Analytics, Facebook Pixel, or any behavioral tracking scripts.

09

Changes to this policy

Material changes are announced via email to org admins at least 30 days before taking effect. The "last updated" date at the top of this page tracks all revisions.

10

Contact

Questions about this policy, data requests, or security reports: privacy@afteraction.dev

After Action, LLC — Scott Alford, Founder. A California limited liability company.