Privacy Policy

Introduction

This Privacy Policy (“Policy”) explains how Tenchi Security (“Tenchi”, “we”), as Personal Data Controller, collects, uses, shares, handles and processes the information and personal data of individuals, including users, customers and commercial partners, for the purpose of our activities, either through Zanshin Portal, website or services offering.

Furthermore, this Policy presents information about your Rights in relation to your personal data, in accordance with LGPD (Brazilian General Data Protection Law), Law No. 13.709/18.

Privacy Policy Updates

Whenever necessary, Tenchi Security reserves the right to change this Policy to comply with current legislation or to reflect other changes in our data processing, policies, or privacy and risk management strategy.

Glossary

The terms below are used in this Policy:

Tenchi or Tenchi Security: company providing cloud security services.

LGPD: Brazilian General Data Protection Law, No. 13.709/2018 or “Lei Geral de Proteção de Dados”.

National Data Protection Authority (ANPD): The Brazilian public administration entity responsible for regulating, supervising and applying administrative penalties related to data protection.

Data Controller: Any natural or legal person, public or private, who processes personal data for any purposes provided in LGPD is considered a processing agent. In this case, LGPD lists the Data Controller and Data Processor as processing agents.

Data Processor: Any natural or legal person, public or private, who processes personal data on behalf of the Controller.

Data Protection Officer (DPO): An individual formally appointed as responsible for the privacy and protection of regulated personal data managed by Tenchi and also responsible for responding to requests from the Data Owner and for communicating and reporting to the privacy regulation authorities.

Personal data: information related to an identified or identifiable natural person.

Sensitive personal data: personal data about racial or ethnic origin, religious conviction, political opinion, union affiliation or religious, philosophical or political organization, data referring to health or sex life, genetic or biometric data when linked to a natural person.

Data Owner: natural person to whom the personal data resulting from processing refers.

Data Treatment/Processing: operations carried out involving personal data, which may include the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, assessment or control of the information, modification, communication, transfer, diffusion or extraction.

Website and Portal: Tenchi websites and Zanshin Portal that can be accessed by users and/or customers.

User: person who visits Tenchi Security websites.

Customer: person who contracts Tenchi Security services and/or uses the Zanshin Portal.

Security and Privacy of Personal Data

Tenchi is committed to safeguarding the information of our Data Owners using measures aimed at the protection, integrity, availability and confidentiality of personal data processed in our environment, since there is no privacy without security.

Tenchi also implements mechanisms to prevent, detect and minimize the probability and impact of incidents in our technological environment through a variety of security controls.

Data We Collect

Tenchi collects the following categories of personal data:

Contact data:

In order to establish proper communication with our users, customers and commercial partners and facilitate communication, we may collect data such as name and contact details (Email, Phone, etc.).

Marketing and event information:

To provide you with information about our products or services, newsletters, and event invitations, we may collect your name, email address, phone number and current employer using our own or a third-party platform.

Hiring:

From the application process to hiring and onboarding, some information is required, such as: full name, identity documents, email, phone number, date of birth, marital status, full address, LinkedIn, current or last annual remuneration, certifications, information about previous jobs, bank account information and authorization for background checks.

We may request additional personal information if necessary.

Services data (Zanshin):

Personal data may be provided to us by customers in order to contract our service, such as name and email to register and enable authentication. Once registered, our service can collect the IP address and link to customer photos used by email or authentication providers (Gmail, Outlook, etc.).

Navigation data on Tenchi websites:

Visitors to Tenchi websites may have certain data collected, such as their IP address, the sequence of pages they visit, and details related to how they interact with those pages. For more information about the data collected by our websites, read our Cookie Policy, which is also available on our website.

Treatment and Processing of Personal Data

Tenchi Security performs the treatment and processing of personal data manually and electronically, allowing employees access to the information only on a need-to-know basis. For further safety, Tenchi provides security and privacy training to the professionals involved and intended for this activity.

Tenchi may process personal data in accordance with several legal requirements and purposes provided for in the LGPD, with some examples highlighted below:

To perform contracted services:

  • To perform actions related to the contract, including previous and subsequent steps of contracting the service provided.
  • Activities such as public bids or evaluation of requests for proposal (RFP).
  • Interact with our customers, prospects and commercial partners.

When processing is necessary to improve products or services for existing customers:

  • Conduct customer surveys to improve our products and services.
  • Evaluate browsing behaviors and the profile of users and customers, including adding instrumentation to Zanshin Portal, that is, understanding if there is any failure in our websites according to the path that led the user to access a certain page.

To comply with regulatory duties:

  • Fulfill legal, regulatory and/or self-regulatory obligations, for example, internal audit and compliance activities.
  • Comply with judicial, administrative and arbitration orders and decisions, from privacy regulation authorities, for example.

For marketing purposes:

  • To perform marketing campaigns and use information technologies and online advertising solutions.
  • Measure and evaluate interactions with us, for example on our social media.
  • Promote and carry out in-person events or webinars, sponsorships and similar activities.

Based on your consent:

  • Tenchi processes your data for other purposes if you give us specific consent to do so, where these will be clearly specified and provided to you at the time you do so.

Use of Artificial Intelligence

Tenchi Security uses Artificial Intelligence (“AI”) features within the Zanshin platform to support activities related to security information analysis and third-party risk management.

Purpose of AI use:

AI features are used to support the analysis of third-party responses within security questionnaires. Once the user deliberately requests the AI-based summary, the system will automatically summarize uploaded evidence (such as SOC2 reports, ISO certifications, and internal policies) to verify they actually support the answers provided in the SAQ.

AI does not perform automated decision-making that produces legal or similarly significant effects for data subjects and is used solely as a support tool for human analysts.

Usage and Human oversight:

AI functionalities are activated manually by authorized users and operate on an on-demand basis.

All AI-generated outputs are subject to review and validation by a human analyst, who remains fully responsible for the final analysis and decision-making.

AI Processing Overview:

To provide AI functionalities, Tenchi Security utilizes third-party sub-processors. The data processed by these features is strictly limited to the information contained within security assessments, risk analyses, and associated evidence provided by the customer or publicly available. Tenchi Security ensures that all business-confidential information and personal data are processed within secure, enterprise-grade environments that ensure logical isolation from other customers and from the provider’s own general-purpose models.

Data Processing:

The adoption and use of AI features are strictly on-demand. Processing is never automated or performed in bulk, occurring only when an authenticated and authorized user manually triggers a request for a specific response.

To ensure data integrity and privacy, this process is entirely stateless and isolated. Each request is handled via an independent AWS Lambda function, and no data from the prompt or the resulting output is stored by the provider or used to train the underlying models.

Third-Party Sharing:

To facilitate advanced analysis, specific data provided within Third-Party Questionnaire responses may be processed using Anthropic base models hosted via AWS Bedrock. This integration is limited to the specific text and documents submitted for the assessment in question.

The AI models do not have access to any broader customer data environments or external public data.

Under our agreement with the service provider, all inferences are executed in a secure, private environment where data is not retained post-inference.

Furthermore, these third-party models are strictly prohibited from utilizing any customer-submitted data (including inputs and outputs) for model training or improvement. This ensures that sensitive security information remains confidential and is used only for the immediate purpose of generating the requested analysis.

Model training and data retention:

Tenchi does not use customer, user, or third-party data processed through AI functionalities to train or improve AI models.

Data shared with AI providers is processed in a transient manner and is not retained or reused for other purposes, according to the configurations and guarantees of the services used.

Security and Automated Decisions:

Tenchi adopts appropriate technical and organizational measures to protect data processed through AI, including access control mechanisms, encryption in transit, and logical segregation of processing environments.

Tenchi does not carry out automated decisions based solely on AI processing that produce legal or relevant effects for data subjects.

Your Rights as a Data Subject

Depending on the jurisdiction, data protection laws (such as the LGPD in Brazil, the LFPDPPP in Mexico, or the GDPR in Europe) guarantee certain rights to you as a Data Subject, including:

Right of Access: You have the right to confirm if your data is being processed and to access the personal data that Tenchi stores about you.

Rectification/Correction: You have the right to request updating and correction of your data if it is incomplete, inaccurate, or out of date.

Erasure: You have the right to request the total or partial deletion of your personal data, without the need to explain the motivation, except in the event that maintaining the data is necessary for regulatory purposes and current legislation and to prevent unwanted future processing.

Data Portability: You have the right to request the transfer of the data you provided to Tenchi where processing is based on consent granted or services performed under contract. Tenchi must allow you to obtain and reuse your personal data for your own purposes in a safe and secure way without this affecting the usability of your data.

Opposition to Processing: Where processing is based on Legitimate Interests, you have the right to object to Tenchi processing your data. Pending a review of your request, Tenchi will stop processing your data, unless we can demonstrate compelling legitimate reasons for continuing to do so.

Revoke Consent: You have the right to revoke consent you provide at any time by requesting revocation through our DPO standard communication channel.

To exercise your Rights over your personal data, contact our Data Protection Officer.

Storage of Personal Data

Tenchi will keep your personal data only while doing so is necessary to provide products and services under contract. In addition, it may be necessary to keep some of your data for compliance with current legislation and legal purposes.

Disclosure or Sharing of Information

Tenchi only shares your personal data with your Consent or in accordance with this policy. Tenchi does not otherwise share, sell or distribute any of the information you provide to us.

Cookies

Cookies enable us to gather navigation-related data depending on the type of device used, the authorizations granted by you through your device settings and the functionality used in each application. We may use our own and/or third-party cookies on our website.

For more information regarding Cookies, consult the Cookies Policy available on our website.

Data Protection Impact Assessment

Whenever a personal data processing operation seems likely to generate risks to the Data Owner, Tenchi may produce a Data Protection Impact Assessment (DPIA), a report designed to analyze, identify and minimize the data protection risks of a project or plan. This document is for Tenchi internal use, but may be requested and made available to privacy regulation authorities at any time.

Cross-border Data Transfer

Tenchi may manage, access or process your personal data in Brazilian and foreign territories, provided they have legislation similar or equivalent to Brazilian law.

Data Protection Officer

For more information about this Policy, about how we manage and process your personal data, or to exercise your Rights, you can contact us at dpo@tenchisecurity.com.

General Matters

If you choose not to provide certain personal information to Tenchi, it may not be possible to provide some of our services or perform them fully or optimally.

We are not responsible for the privacy practices of any websites, mobile applications or other digital services not operated by Tenchi, including those that may be linked to Tenchi, and we encourage you to review their privacy policy.

Third-party Services

Tenchi uses the following commercial partners to provide its services:

Note: If you use the Zanshin application available on Google Marketplace, we collect personal data from your authenticated user, such as full name, primary and secondary email, phone number and authentication method, and we keep them as long as you are our user.

To perform the scans in Google Workspace, we connect to Google APIs through read-only OAuth2 credentials and collect only metadata to further notify our user about alerts issued by Zanshin. The metadata is stored encrypted and remains there until the user requests that the Google Workspace scanning and historical results are removed.

Zanshin’s use and transfer of information received from Google APIs to any other app comply with Google API Services User Data Policy, including the Limited Use requirements.