01Who this policy covers
CmdNOC MSP Control Center LLC ("CmdNOC," "we," "us") operates this website and provides managed IT, security-testing, and compliance-readiness services. This policy applies to two groups:
- Website visitors — anyone browsing cmdnoc.com.
- Clients — organizations who engage us, and the data we handle while delivering services to them.
CmdNOC's readiness and security-testing services assess the technical controls that protect regulated data; they do not require us to store, receive, or process the regulated data itself (see Section 2 and Section 12). Our work for each client is also governed by that client's written engagement agreement. Where this policy and a signed client agreement differ, the signed agreement controls.
02Information we collect
From website visitors
This site is intentionally lightweight. We do not use cookies, advertising pixels, analytics trackers, or web forms.
- Server and security logs — when you load a page, our infrastructure records standard technical details: IP address, browser/user-agent, the pages requested, and timestamps. These are used for security, abuse prevention, and reliability.
- Messages you send us — the site's contact links open your own email client. If you email us, we receive whatever you choose to include (typically your name, email address, and your message).
From clients (during an engagement)
To deliver monitoring, security testing, and compliance-readiness work, we collect and process:
- Technical control and telemetry data — device and configuration state, security and access logs, network and endpoint signals, and identity and cloud posture.
- Vulnerability assessment and penetration-test results — findings, severities, and supporting evidence from authorized scans.
- Compliance questionnaire responses and documents you provide for a readiness engagement.
- Contact and account details for authorized client personnel.
- Regulated data: CmdNOC does not store, receive, or process protected health information (ePHI) or payment cardholder data. Our readiness work assesses the technical controls that protect regulated data — it does not require access to the regulated data itself.
The specific data in scope for any engagement is defined and authorized in that engagement's written scope.
03How we use information
- To deliver the services a client has engaged us for — monitoring, security testing, and compliance-readiness evidence.
- To secure our systems and our clients' environments, and to detect and respond to threats.
- To respond to inquiries you send us.
- To meet legal, regulatory, and contractual obligations.
We do not sell personal information, and we do not use client data to train any third-party AI model (see Section 5).
04How information is stored and protected
- In transit: all traffic to this site and to our client systems is encrypted with TLS/HTTPS.
- At rest: stored data resides on company-managed infrastructure in a controlled hosting environment, with access restricted to authorized personnel and protected by the host, network, and access controls described here.
- Where it lives: client and operational data is held on company-controlled infrastructure, a managed database, and the secure client portal, separated by client.
- Access controls: access requires multi-factor authentication and is granted on a least-privilege, role-based basis. Activity against client systems is logged.
- Third-party processors: a limited set of service providers process data on our behalf, under their respective data-processing terms: Anthropic (AI processing — see Section 5), Resend (email delivery), and cloud infrastructure and content-delivery providers. Each is authorized to process data only as needed to provide its service to us.
We deliberately do not publish the internal makeup of our authentication and security stack.
05AI processing
CmdNOC uses AI assistants to help operate the platform. They run under explicit governance, are restricted from making production changes without human confirmation, and every action is logged.
To answer questions, our AI assistants process operational and technical data — which may include limited account identifiers, such as the usernames in a sign-in log — through our AI provider, Anthropic. This is governed by Anthropic's commercial API terms: the data is not used to train models, and it is handled under Anthropic's data-processing and retention terms. We do not send protected health information or payment cardholder data to the AI provider.
06Who has access
Access to client data is limited to authorized CmdNOC personnel who need it to deliver services, on a least-privilege basis.
- Internal access: limited to authorized CmdNOC personnel on a least-privilege, role-based basis.
- AI assistants: operate within scoped, least-privileged credentials and cannot change production state without human approval.
- Third parties: only the processors described in Section 4, and certified assessors during an engagement — see Section 7.
08Data retention
We keep information only as long as needed to provide services, meet legal and contractual obligations, and maintain a defensible compliance-evidence trail.
- Engagement data & evidence: retained for the duration of the engagement plus six years, to support audit defensibility.
- Server/security logs: retained for 12 months.
- Email inquiries: retained as long as needed to respond and for our records.
When data is no longer needed, it is deleted or de-identified.
09Your rights
Depending on your jurisdiction and your relationship with us, you may have the right to access the personal information we hold about you, request corrections, request deletion, or object to certain processing. To exercise any of these, contact us (Section 15). For data we process on behalf of a client (as a service provider or Business Associate), we will direct your request to that client, who controls the data.
10How to request deletion
To request deletion of your information:
- Email contact@cmdnoc.com with the subject "Data Deletion Request," and tell us who you are and what you'd like removed.
- We will verify the request and respond within 30 days.
- For data we hold under a client engagement or Business Associate Agreement, deletion follows the terms of that agreement and applicable law; we will coordinate with the client where required.
- Some data may be retained where the law or a binding contract requires it (for example, compliance-evidence records); we will tell you if that applies.
11Data breach notification
We maintain an incident-response process. In the event of a security incident affecting personal information, we will investigate, contain, and notify affected parties and the appropriate authorities as required by applicable law — including the HIPAA Breach Notification Rule where protected health information is involved, and applicable state breach-notification laws. Where notice is required, we will provide it without unreasonable delay and no later than 60 days after discovery.
12HIPAA and PCI-regulated data
For clients with obligations under HIPAA or PCI DSS:
- CmdNOC provides compliance readiness, monitoring, and evidence — not certification. Formal attestation (a PCI ASV scan, a QSA Report on Compliance, or a HIPAA assessment) is performed by a certified third party.
- CmdNOC's readiness work is designed to assess the technical controls that protect regulated data without creating, receiving, maintaining, or transmitting protected health information or cardholder data. We are not engaged to process that regulated data itself.
- Our current readiness services are scoped so that CmdNOC does not create, receive, maintain, or transmit protected health information, so they do not call for a Business Associate Agreement (BAA). CmdNOC does not enter into BAAs at this time; BAA-backed engagements are on our roadmap. Clients whose obligations require a BAA today should contact us to discuss scope.
13Personal Privacy
Personal information collected directly through this website is limited to the business contact details you send us and the standard server and security log data described in Section 2 (such as IP address and user-agent). The contact details are used to respond to your inquiries and provide services; the log data is used for security, abuse prevention, and reliability. We do not collect protected health information or cardholder data through this website. Where we deliver services involving client systems, any regulated data — including PHI or cardholder data — remains the property and responsibility of the client, who acts as the covered entity or merchant of record. To the extent any such data is ever within scope, our handling of it would be governed by a separate service agreement and any applicable Business Associate Agreement, together with the relevant HIPAA and PCI DSS safeguards, rather than by this policy.
14Changes to this policy
We may update this policy as our services and obligations evolve. We will revise the "Last updated" date above, and for material changes we will take reasonable steps to notify affected clients.
15Contact us
Questions about this policy or your data:
- Email: contact@cmdnoc.com
- Entity: CmdNOC MSP Control Center LLC
- Mailing address: 5725 S Valley View Blvd, Ste 5, PMB 274965, Las Vegas, Nevada 89118-3122
- Governing law: State of Nevada, USA