Privacy Policy

▌▌▌ SUMMARY ▐▐▐

• // MINIMAL We only collect what you submit through the intake form, plus security telemetry from our Sentry, Vault, and Interceptor systems.
• // NO TRACKING No third-party analytics. No advertising trackers. No tracking cookies.
• // NO SHARING We do not sell, rent, or share your information with third parties for marketing.
• // ENCRYPTED OPTION Click “Activate Encryption” on the intake form to send your message end-to-end encrypted via DXX Vault.
• // YOUR RIGHTS You can ask us to access, correct, or delete the information we hold about you at any time.

▌▌▌ DETAIL ▐▐▐

This Privacy Policy describes how DXX Systems (“DXX,” “we,” “us,” or “our”) collects, uses, and protects information in connection with your use of dxxsystems.com (the “Site”). It applies to visitors to the Site and people who contact us through it. It does not apply to engagement-specific data we process on behalf of a client under an executed Statement of Work — that processing is governed by the applicable SOW and, where appropriate, a Data Processing Addendum.

Information you provide. If you contact us through the intake form, you provide:

• // NAME Used to address you in our reply.
• // EMAIL ADDRESS Used solely to respond to your inquiry.
• // SUBJECT & MESSAGE Whatever you choose to send us.
• // OPTIONAL ATTACHMENT If you attach a file, it is security-scanned by DXX Interceptor before reaching us.

Information collected automatically. When you load a page or submit the intake form, our security stack records:

• // IP ADDRESS For abuse prevention and rate-limiting only. Retained no longer than necessary.
• // USER AGENT Browser type and version, used by DXX Sentry to detect automated abuse.
• // REQUEST METADATA Timestamp, page requested, HTTP status, and similar server-log fields.
• // SENTRY TELEMETRY Proof-of-work solve time and aggregated behavioral signals used to distinguish humans from bots.

We do not use third-party analytics, advertising networks, social-media trackers, fingerprinting libraries, session-recording tools, or tracking cookies.

• // RESPOND To reply to your inquiry and discuss a potential engagement.
• // SECURE To detect, prevent, and respond to abuse, fraud, and security threats against the Site.
• // OPERATE To maintain, debug, and improve the Site and its security systems.
• // COMPLY To meet legal obligations and enforce our Terms of Service.

We do not use submission data for marketing. We do not build advertising profiles. We do not enrich your data with information purchased from data brokers.

We do not sell, rent, or share your personal information with third parties for their own purposes. Limited disclosures may occur only in the following circumstances:

• // SMTP RELAY Intake emails travel through an authenticated SMTP relay to reach our inbox. The relay carries the message envelope and contents in transit and is not used for marketing.
• // HOSTING Site files and security state are stored on a hosting provider acting as a processor. The provider does not have rights to access submission contents for its own purposes.
• // LEGAL If required by law, court order, or a binding government request, we may disclose information as legally compelled. We will narrow the disclosure and notify you where lawful to do so.
• // PROTECTION To investigate, prevent, or address fraud, security incidents, or violations of our Terms.
• // SUCCESSORS In connection with a merger, acquisition, or sale of assets, information may transfer to a successor entity subject to equivalent privacy protections.

The intake form includes a “Click to Activate Encryption” option that engages DXX Vault. When engaged, your message is encrypted in your browser using X25519 key exchange and AES-256-GCM authenticated encryption. Only DXX can decrypt the resulting ciphertext. The SMTP relay, hosting provider, and any intermediate network see only opaque bytes. Your reply-to email address is kept in cleartext so we can respond to you without first decrypting the message.

DXX runs its own security stack to protect Site infrastructure and submission data:

• // SENTRY Proof-of-work plus behavioral biometrics block automated abuse before submissions ever reach our processing pipeline.
• // INTERCEPTOR Every uploaded attachment is structurally validated and scanned for embedded payloads.
• // VAULT End-to-end encryption available on request for any submission.
• // THREAT-ID A read-only operations dashboard aggregates events across the security stack with anomaly detection and ranked recommendations.
• // TRANSPORT HTTPS (TLS) is used for all communication with the Site.
• // ACCESS Administrative interfaces are protected by HTTP Basic Authentication backed by bcrypt-hashed credentials, plus IP-based rate limiting.

No system is unbreachable. We design defensively, log conservatively, and act quickly when something looks wrong.

• // INQUIRIES Intake messages are retained for the period necessary to discuss and, if appropriate, execute a Statement of Work, plus a reasonable archival period for legal and operational reference. Closed leads are pruned periodically.
• // SECURITY LOGS Sentry, Vault, and Interceptor event logs are retained for a rolling window sufficient to investigate abuse patterns — typically thirty (30) to ninety (90) days — then pruned.
• // HOSTING LOGS Standard web-server access logs are retained by the hosting provider per their policy.

Extended retention. The retention windows above describe our default practice. DXX reserves the right, at its sole discretion and for any reason, to retain any of the foregoing information beyond the stated period — including, without limitation, for ongoing security investigations, abuse-pattern analysis, dispute resolution, defense of legal claims, regulatory or audit needs, business continuity, or other legitimate operational purposes. Where information is retained beyond the default window, it remains subject to the same access controls, security safeguards, and use limitations described in this Policy.

You may ask us to delete personal information we hold about you at any time, subject to legal-retention obligations and to any extended retention DXX has elected to maintain as described above.

The Site itself does not set tracking cookies, advertising cookies, or analytics cookies. We may use strictly functional localStorage for purposes such as remembering a UI preference (e.g., theme selection) and short-lived browser storage for Sentry challenge state. These do not leave your browser, are not shared with any third party, and do not identify you.

Depending on where you live, you may have the right to access, correct, port, delete, or restrict our use of the personal information we hold about you, and to object to certain processing. To exercise any of these rights, contact us at contact@dxxsystems.com. We will respond within a reasonable time and will not discriminate against you for exercising any privacy right.

DXX is based in the United States. If you contact us from outside the United States, your information will be transferred to and processed in the United States. By using the Site, you consent to such transfer and processing.

The Site is not directed to children under sixteen (16) and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be posted to this page with an updated Effective Date. Your continued use of the Site after changes become effective constitutes acceptance of the updated Policy.

DXX continuously develops, deploys, and iterates on the software, security systems, and infrastructure that power this Site — including, without limitation, the Sentry, Vault, Interceptor, and Threat-ID systems, and the rest of the underlying stack. Releases and configuration changes ship on a rolling basis.

While we make a good-faith effort to keep this Policy current, there may be periods during which a newly deployed feature, telemetry signal, log field, security countermeasure, or operational behavior is not yet fully reflected in this Policy. Any such gap is inadvertent — an artifact of release cadence outpacing documentation — and not a deliberate omission.

To the maximum extent permitted by law, DXX disclaims responsibility and liability for any such documentation lag or oversight, and for any inference drawn from the temporary absence of a description in this Policy. When we become aware that a meaningful aspect of our processing is not adequately described here, we will update this Policy and revise the Effective Date. The presence or absence of a particular description at a given moment does not, by itself, constitute a representation, warranty, or commitment by DXX regarding the underlying behavior.

Nothing in this section limits any non-waivable rights you may have under applicable data-protection law, nor does it relieve DXX of obligations expressly imposed by such law. If you have a specific question about what data we process, how it is used, or how a particular system on the Site behaves, contact us using the information in Section 14 and we will respond to the best of our knowledge at that time.

For any privacy question, access request, deletion request, or complaint, contact us at contact@dxxsystems.com with the subject line PRIVACY REQUEST. We aim to respond within thirty (30) days.