Privacy Policy
Vigil vCISO Platform
Effective Date: March 29, 2026
1. Introduction
This Privacy Policy describes how Parity Labs LLC ("Vigil," "we," "our," or "us") collects, uses, discloses, and protects information when you access or use the Vigil vCISO Platform (the "Service"), including our website, APIs, and related applications. By using the Service, you agree to the collection and use of information in accordance with this policy.
Vigil is an automated virtual CISO advisory platform that provides security assessments, compliance tracking, and risk management tools. The Service generates automated recommendations and reports based on technical scanning data and is not a substitute for professional legal, regulatory, or cybersecurity counsel.
2. Information We Collect
2.1 Account and Organization Information
When you create an account, we collect:
- Name and email address (via OAuth authentication through third-party identity providers)
- Organization name, domain, and industry
- Account type (Business or MSP) and team role (Viewer, Admin)
- Billing information processed through Stripe (we do not store credit card numbers directly)
2.2 Domain and Infrastructure Scan Data
When you initiate security scans, we collect and analyze:
- Domain DNS records (MX records and TXT records, including the SPF, DKIM, and DMARC records published for the domain)
- SSL/TLS certificate details and configuration
- HTTP response headers and website security configurations
- Web technology fingerprints (server software, frameworks, CMS platforms, libraries, CDNs)
- Email provider information derived from MX record analysis
- CVE (Common Vulnerabilities and Exposures) matching data based on detected software versions
2.3 Workspace Integration Data
If you connect Microsoft 365 or Google Workspace environments, we access the following via OAuth tokens granted with read-only scopes (write scopes are requested only if you enable auto-remediation, as described in Section 4):
- MFA and security policy configurations
- Administrator account counts and roles
- Email forwarding and sharing policy settings
- Audit logging and data loss prevention configurations
- SharePoint/Drive external sharing settings
- Security score and compliance posture data
We do not access email content, files, documents, or personal communications within connected workspaces. Access is limited to security configuration metadata.
2.4 Cloud Infrastructure Data
If you connect cloud environments (AWS, Azure, GCP) at the vCISO tier, we collect:
- Cloud resource configuration metadata (storage access settings, IAM policies, network rules)
- Security configuration status (logging, encryption, firewall rules)
We access cloud environments using read-only credentials and do not access the contents of stored data, compute workloads, or application code.
2.5 Compliance and Risk Data
If you use compliance features, we store:
- Framework control status and notes (NIST CSF, SOC 2, HIPAA)
- Risk register entries including risk descriptions, scores, owners, and mitigation plans
- Evidence files uploaded to the evidence locker (stored in Azure Blob Storage)
- AI-generated security policy drafts and roadmap documents
2.6 Vendor Information
If you use vendor risk management, we store vendor names, domains, criticality ratings, and security scores derived from external domain scanning.
2.7 Usage and Log Data
We automatically collect:
- IP addresses, browser type, and device information
- Feature usage patterns and scan history
- API request logs and error data
- Alert acknowledgment and task management activity
3. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: To perform security scans, generate reports, track compliance, manage tasks, and deliver the advisory features of the platform.
- Workspace and Cloud Scanning: To assess security configurations of connected environments and, where enabled, to execute auto-remediation actions you explicitly authorize.
- Continuous Monitoring: To perform scheduled rescans and generate alerts when security posture changes are detected.
- AI-Generated Content: To generate security policies, roadmaps, budget estimates, and remediation guidance tailored to your organization's profile and scan results.
- Reporting: To produce PDF reports, executive dashboards, client reports (for MSPs), and white-label branded deliverables.
- Brand Protection: To monitor Certificate Transparency logs for look-alike domains that may impersonate your brand.
- Account Administration: To manage subscriptions, enforce seat limits, process team invitations, and handle billing through Stripe.
- Platform Operations: To maintain service reliability, monitor system health, enforce security, and troubleshoot issues.
- Communication: To send security alerts, monitoring notifications, and essential service communications.
4. Auto-Remediation and Write Access
At the Compliance tier and above, the Service offers optional auto-remediation capabilities for certain workspace security settings (e.g., enabling Security Defaults in Microsoft 365, blocking legacy authentication, disabling anonymous sharing links).
Auto-remediation actions:
- Are never performed without your explicit confirmation via an in-app dialog
- Use the OAuth credentials you have already granted to the integration; changing a setting requires that those credentials include write access to it
- Are logged for audit trail purposes, including what was changed and when
- Are limited to a defined set of supported actions as documented in the platform
You are solely responsible for reviewing and approving any auto-remediation action before it is executed. Vigil is not liable for any disruption or unintended consequences resulting from auto-remediation actions you authorize.
5. How We Share Information
We do not sell your personal information or scan data. We may share information in the following limited circumstances:
- Service Providers: We use third-party services to operate the platform, including Stripe (billing), Azure (hosting and storage), and OAuth identity providers (authentication). These providers access only the data necessary to perform their services.
- MSP Client Relationships: If your organization is managed by an MSP using Vigil, the MSP organization may access your scan results, security scores, and reports through the managed clients and client reporting features.
- White-Label Reports: MSP organizations may generate reports under their own branding that include your security data, as part of the managed security services they provide to you.
- Legal Compliance: We may disclose information if required to do so by law, regulation, legal process, or enforceable governmental request.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
- With Your Consent: We may share information with your explicit consent for purposes not described in this policy.
6. Data Security
We implement reasonable technical and organizational measures to protect your information:
- OAuth tokens for workspace and cloud integrations are encrypted at rest using AES-256-GCM
- All data is scoped by organization in a multi-tenant architecture; users can access only data belonging to their own organization, except where an MSP relationship described in Section 5 grants the MSP access to its managed clients' data
- API endpoints enforce authentication and authorization checks on every request
- Platform administrators can suspend accounts and enable maintenance mode to respond to security incidents
- Health monitoring supports service availability and recovery from failures
While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your information as follows:
- Account and organization data is retained for the duration of your active subscription and for a reasonable period thereafter for legal and operational purposes.
- Scan results and security findings are retained as long as your account is active to support trend analysis, continuous monitoring, and compliance tracking.
- Evidence locker files are retained until you delete them or your account is terminated.
- Workspace and cloud integration tokens are revoked and deleted when you disconnect an integration or close your account.
- Expired invite tokens and orphaned records are automatically cleaned up by scheduled maintenance processes.
Upon subscription cancellation, your organization is downgraded to the free tier. Data associated with paid-tier features may be retained in a read-only state for a limited transition period before deletion.
8. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Portability: Request your data in a structured, commonly used format.
- Objection: Object to certain processing activities.
- Withdraw Consent: Withdraw consent for processing where consent is the legal basis.
To exercise any of these rights, contact us at the address provided in Section 12. We will respond to requests within the timeframe required by applicable law.
9. Domain Verification and Scanning Restrictions
To prevent unauthorized scanning, we require domain verification before full scan data is accessible. Verification is accomplished either through email-based validation (signing up with a business email address at the domain being verified) or by publishing a DNS TXT record that we provide for the domain. Free-tier scans are limited to one scan of a verified domain, with technical details hidden. These restrictions exist to prevent misuse of the scanning engine and to protect the privacy of domain owners.
10. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 16, we will take steps to delete that information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on our website and updating the effective date. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
