Micantis Privacy Statement

Effective Date: August 1, 2025
Last Updated: July 28, 2025

1. Introduction

Micantis, Inc. ("Micantis," "we," "us," or "our") is committed to protecting the privacy and security of our customers' data. This Privacy Statement explains how we collect, use, protect, and handle information when you use the Micantis WorkBook platform and related services ("Service").

This Privacy Statement applies to all users of our Service, including visitors, registered users, and administrators. By using our Service, you acknowledge that you have read and understood this Privacy Statement.

2. Our Data Philosophy

We operate under a fundamental principle: Your data is yours. We do not claim ownership of any data you upload, process, or store on our platform. We act solely as a data processor and service provider, handling your data only as necessary to provide our services.

3. Information We Collect

3.1 Account Information

• User login names (email addresses)
• Authentication credentials (securely hashed using industry-standard algorithms)
• Organization/company association
• User roles and permissions
• SSO identifiers (when applicable)

3.2 Usage Information

• User activity logs for security, compliance, and enterprise licensing purposes
• Feature usage patterns and metrics
• System performance metrics
• Session information (duration, IP address, user agent)
• API usage statistics

3.3 Technical Data

• Battery test data and results
• Test configurations and parameters
• Analysis results and reports
• File uploads and attachments
• System-generated metadata

3.4 Audit Logs

We maintain comprehensive audit logs that capture:

• Authentication events (login/logout, password changes)
• Data access events (views, exports, API calls)
• Data modification events (create, update, delete)
• Administrative actions (user management, configuration changes)
• Security events (access denials, suspicious activities)
• (fully implementing audit logs is in progress)

3.5 Cookies and Tracking Technologies

• Session cookies for authentication
• Preference cookies for user settings
• Analytics cookies (anonymized) for service improvement
• No third-party advertising cookies

4. How We Use Information

4.1 Primary Uses

• Service Delivery: To provide the WorkBook platform functionality
• Authentication and Security: To verify user identity, manage access, and ensure platform security
• Quality Control: To monitor system performance and improve our services
• Support: To assist with technical issues and customer inquiries
• Licensing Compliance: To track usage for enterprise licensing agreements
• Legal Compliance: To comply with applicable laws and regulations

4.2 Limited Data Access

We may access customer data ONLY:

• When explicitly authorized by the customer for bug fixing or support
• When required by law or legal process with appropriate safeguards
• To enforce our terms of service or protect rights and safety
• For security monitoring to detect and prevent threats
• During scheduled maintenance with appropriate notifications

4.3 What We DON'T Do

• We do NOT sell, rent, or share your data with third parties for their marketing purposes
• We do NOT train AI models on your data without explicit opt-in consent
• We do NOT use your data for any purpose other than providing our services
• We do NOT commingle customer data across different customer instances
• We do NOT access your data for competitive purposes

5. Data Architecture and Isolation

5.1 Data Isolation

• Customer data is logically separated and isolated
• No cross-contamination between customer environments
• Dedicated storage containers per customer

5.2 Data Residency Options

Customers may choose from the following deployment options:

• Micantis-Hosted: In specified Azure regions (US, EU, UK, Canada, Australia, Asia-Pacific)
• Customer-Hosted: Within customer's own Azure tenant
• On-Premises: Deployed within customer's data center
• Hybrid: Combination of cloud and on-premises components

6. AI Assistant Feature

6.1 Optional Service

The AI Assistant is an optional feature that enterprise customers may enable for their organization. When enabled:

• The enterprise customer (data controller) consents to data processing for AI assistance on behalf of all authorized users
• Individual users do not need to provide separate consent
• Users can view which AI features are enabled for their organization
• Only the specific data included in queries is processed
• All AI processing follows the same data ownership principles

6.2 Third-Party Processing

• We deploy Anthropic's AI system for natural language processing
• Anthropic acts as the AI developer and we act as the AI deployer under applicable AI regulations
• Anthropic acts as our sub-processor under strict data protection terms
• Anthropic does not train their models on customer API data
• All data transmission is encrypted using TLS 1.3 or higher
• Customers may, at their expense, engage with Anthropic for private Enterprise API deployment from Anthropic

6.3 Enterprise Control

• AI features are enabled at the enterprise level through contractual agreement
• Enterprises may enable:
  • Documentation Access: AI can access platform documentation and battery knowledge
    • A roadmap feature will optionally allow the AI to make the changes for the user
  • Data Access: AI can analyze the organization's battery test data
• Enterprises maintain control over which features are available to their users

6.4 AI Data Minimization and Responsible Deployment

When using the AI Assistant:

• Cell names and identifiers are anonymized before processing
• No customer names or company information is transmitted
• Only aggregated metrics necessary for the query are sent to Anthropic (the AI developer)
• Query results are not retained by Anthropic
• Queries and results may be retained by Micantis for up to 30 days for AI Assistant performance improvement and responsible AI deployment practices
• Queries are not used by Anthropic for model training or improvement
• Micantis acts as the AI deployer and implements appropriate safeguards for responsible AI use

7. Data Storage and Security

7.1 Storage Infrastructure

• Customer data is stored in dedicated Azure cloud resources
• Data is encrypted at rest using AES-256 encryption
• Data is encrypted in transit using TLS 1.2 or higher
• Encryption keys are managed using Azure Key Vault with HSM protection

7.2 Security Measures

• Access Controls: Role-based access control (RBAC) with principle of least privilege (RBAC feature is due in Q4 2025)
• Authentication: Multi-factor authentication (MFA) available for all accounts
• Network Security: Firewalls, intrusion detection, and DDoS protection
• Vulnerability Management: Regular security scans and penetration testing
• Software Composition Analysis: Continuous scanning of open source components for vulnerabilities
• Incident Response: Security monitoring and incident response procedures
• Employee Security: Background checks, security training, and signed confidentiality agreements

7.3 Compliance and Certifications

We maintain compliance with applicable data protection laws including:

• GDPR (General Data Protection Regulation)
• CCPA (California Consumer Privacy Act)
• PIPEDA (Personal Information Protection and Electronic Documents Act)
• Colorado Privacy Act
• Other applicable privacy laws based on our customers' locations

Additional security certifications including SOC 2 Type II and ISO 27001 in progress, status upon request.

7.4 Backup and Disaster Recovery

• Deployment Dependent: Backup and DR are responsibility of customer if deployed on their resources (e.g. Tenant)
• Opt In: Geographic Redundancy and High Availability are opt-in features available at additional cost
• Backup Frequency: Point in time recovery set up in SQL Server
• Retention Period: 30 days of backup retention
• Recovery Objectives: We aim to restore services within 4 hours with minimal data loss
• Geographic Redundancy: Backups stored in geographically separate regions

7.5 Data Retention

• Active Customer Data: Retained for the duration of your subscription
• Post-Termination: 30-day grace period for data export
• Backup Data: Retained according to backup schedule
• Audit Logs: Retained for 2 years
• Usage Analytics: Retained for 13 months
• Deleted Data: Permanently removed within 30 days of deletion request

8. Legal Basis for Processing

8.1 GDPR Legal Basis

For customers in the European Economic Area, we process data based on:

• Contract Performance: To deliver the services you've subscribed to
• Legitimate Interests: For security, fraud prevention, and service improvement
• Consent: For optional features like the AI Assistant and marketing communications
• Legal Obligations: When required by law or court order
• Vital Interests: In rare cases to protect someone's life

8.2 International Compliance

We comply with applicable data protection laws based on where we operate and where our customers are located.

9. Your Rights

9.1 Universal Rights

Regardless of location, you have the right to:

• Access your personal data
• Correct inaccurate data
• Export your data in standard formats (JSON, CSV)
• Object to certain processing activities
• Request information about our data practices

9.2 Jurisdiction-Specific Rights

GDPR Rights (EU/UK):

• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to automated decision-making

CCPA Rights (California):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (we do not sell personal information)
• Right to non-discrimination

9.3 Exercising Your Rights

To exercise any of these rights:

• Contact your organization's administrator for data within the platform
• Email privacy@micantis.io for account-related requests
• We will respond within 30 days (or as required by applicable law)

10. International Data Transfers

When customer data crosses borders, we ensure appropriate safeguards including encryption and contractual protections in compliance with applicable privacy laws.

11. Third-Party Services and Sub-Processors

11.1 Infrastructure Providers

• Microsoft Azure: Cloud infrastructure and services (Global)
  Privacy Statement | Data Processing Agreement
  Data processed: All customer data, backups, system logs

11.2 Service Providers

• Anthropic: AI developer for AI Assistant feature (US)
  Privacy Policy | Data Processing Addendum
  Data processed: Anonymized battery test data and user queries (only when AI Assistant is enabled). Micantis acts as AI deployer.
• Microsoft Entra: Authentication services for SSO (US/EU)
  Privacy Statement | Data Processing Agreement
  Data processed: User authentication tokens, login credentials, session data
• Google: Authentication services for SSO (US/EU)
  Privacy Policy | Data Processing Amendment
  Data processed: User authentication tokens, email addresses for SSO
• Okta: Authentication services for SSO (US/EU)
  Privacy Policy | Data Processing Addendum
  Data processed: User authentication tokens, login credentials, session data

11.3 Sub-Processor Management

• All sub-processors provide contractual data protection commitments through their standard service agreements and data processing addendums
• Current sub-processor list is maintained in Section 11 of this Privacy Statement
• 30-day notice for new sub-processors with right to object
• Annual security assessments of all sub-processors

12. Security Incident Response

12.1 Breach Notification

In the event of a data breach:

• Customer Notification: Within 72 hours of discovery
• Regulatory Notification: As required by applicable law
• Public Notification: If required by law or if individual notification is not feasible

12.2 Incident Information

Breach notifications will include:

• Nature and scope of the breach
• Types of data affected
• Measures taken to address the breach
• Recommended actions for affected users
• Contact information for questions

13. Children's Privacy

Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected information from a child, we will promptly delete it.

14. Cookies and Tracking Technologies

14.1 Types of Cookies We Use

• Essential Cookies: Required for platform functionality
• Performance Cookies: To improve service performance
• Preference Cookies: To remember user settings
• Analytics Cookies: To understand usage patterns (anonymized)

14.2 Managing Cookies

• Browser settings can be used to control cookies
• Essential cookies cannot be disabled while using the Service
• Cookie preferences can be managed in account settings

15. Marketing and Communications

15.1 Marketing Communications

• We send service-related communications to all users
• Marketing communications require opt-in consent
• Unsubscribe options in all marketing emails
• Preference management in account settings

15.2 Customer References

• We may request to use your company name as a reference
• Requires separate written consent
• Can be revoked at any time

16. Privacy Statement Updates

16.1 Notification of Changes

• Material changes notified via email 30 days in advance
• Non-material changes posted to our website
• Version history maintained at micantis.io/privacy-updates

16.2 Acceptance of Changes

• Continued use after notice period constitutes acceptance
• Right to terminate if you disagree with material changes

17. Data Protection Contacts

Privacy Inquiries

Micantis, Inc.
1245 Pearl Street, Suite 200
Boulder, Colorado 80302
United States
Email: privacy@micantis.io
Phone: +1-303-827-8931

Note: As a small business processing limited personal data, we are exempt from certain GDPR requirements including the appointment of EU/UK representatives and Data Protection Officers.

18. Software Transparency

18.1 Open Source Components

• We use open source software components in our platform
• A complete Software Bill of Materials (SBOM) is available upon request
• All components are regularly scanned for security vulnerabilities
• License compliance is validated for all third-party software

18.2 Third-Party Software Disclosure

• Full inventory of third-party components maintained
• Security vulnerability status tracked and updated
• No customer data is exposed to third-party component risks
• Regular updates applied to address discovered vulnerabilities

18.3 Supply Chain Security

• Software Composition Analysis (SCA) performed on all releases
• Continuous monitoring for newly disclosed vulnerabilities
• Automated alerting for critical security issues
• Transparent disclosure of component vulnerabilities when relevant to customers

19. Jurisdiction-Specific Provisions

19.1 California Residents

Under the California Consumer Privacy Act (CCPA), you have additional rights including the right to know, delete, and opt-out of sale of personal information. We do not sell personal information. Contact privacy@micantis.io to exercise your rights.

19.2 EU/UK Residents

You may lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.

19.3 Canadian Residents

Under PIPEDA, you have additional rights regarding your personal information. Contact privacy@micantis.io for questions about our privacy practices or to exercise your rights.

---

Your Privacy, Our Commitment: We are dedicated to protecting your privacy and maintaining the highest standards of data protection. This Privacy Statement reflects our commitment to transparency and your rights.