Privacy Policy
Last updated: April 2026
Who we are
RepliSec is operated by The Impact CTO Limited, an Irish company. We build open-source, self-hostable security questionnaire automation software for MSSPs, vCISOs, and security consultancies. Our registered address is in Ireland.
For any privacy-related questions, contact us at hello@replisec.com.
What this policy covers
This policy covers the replisec.com website — the marketing site you are currently reading and its alpha-access sign-up form. The RepliSec software itself is open-source and self-hosted; when you deploy it on your own infrastructure, you are the data controller for the data you process through it, and this policy does not apply.
What we collect
Website visitors
We do not set cookies, run analytics scripts, or use any tracking tools on this website. We do not collect IP addresses, geo-IP data, or visit-level information about you.
Alpha-access sign-ups
When you submit the alpha-access form, we collect:
- Your email address (required)
- Your job role (optional)
- Your company name (optional)
How we use your data
- Alpha-access data: To contact you about RepliSec alpha access, installation instructions, and directly related product updates. We will not email you about anything else.
We do not sell, rent, or share your personal information with third parties for their own marketing purposes.
Legal basis for processing
Under GDPR, we process your data on the following basis:
- Consent: Alpha-access sign-up — by submitting the form, you consent to receiving communications about RepliSec.
Where your data is processed
Alpha-access submissions are processed through Netlify Forms. Netlify's servers are located in the United States. Netlify acts as a data processor on our behalf and operates under Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers.
Cookies and tracking
This website does not use tracking cookies, analytics scripts, or third-party advertising tools. No cookies are set when you visit our site. If this changes in the future, we will update this policy and implement a cookie consent mechanism.
Data retention
Alpha-access data is retained until we launch the product and you either sign up for a production account or ask to be removed. If you do not sign up within 12 months of launch, we will delete your alpha-access data. You can request deletion at any time.
The RepliSec software
The following describes how the RepliSec software handles data. Since it is self-hosted, these properties are inherited by your own deployment — we do not process this data ourselves.
- Self-hosted: You deploy RepliSec on your own infrastructure. The source code is MIT-licensed and public at alpha. What runs in your environment is what you can read.
- No phone-home: The software does not send telemetry, usage data, or documents back to us. In air-gapped compliance mode it runs under --network none.
- Your choice of AI provider: You configure which LLM and embedding provider RepliSec uses — Anthropic, OpenAI, Azure OpenAI, Gemini, or local via Ollama / vLLM / LM Studio. Your data goes only to the provider you pick, under the terms you have with them.
- Tenant isolation: Each organisation's data is logically isolated within a single deployment. No tenant can access another tenant's documents, knowledge base, or questionnaire responses.
- Encryption: Provider credentials are encrypted at rest (AES-GCM). You are responsible for disk-level and transport encryption in your deployment environment.
Your rights
Under GDPR, with respect to data we hold about you via this website, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Withdraw consent at any time for alpha-access communications
- Lodge a complaint with the Irish Data Protection Commission (dataprotection.ie)
To exercise any of these rights, email hello@replisec.com. We will respond within 30 days.
Changes to this policy
We may update this policy from time to time. Material changes will be noted with a revised "Last updated" date at the top of this page.