CrestNode Compliance — legal
Privacy Statement
How CrestNode Compliance collects, uses, retains, and protects personal data. Written for the institutions and individuals whose data passes through the platform.
1. Retention
Personal data is retained only for as long as it is necessary to deliver the platform and meet our regulatory and contractual obligations. Account-holder data is retained for the duration of the active subscription plus 24 months for audit traceability, then deleted on a fixed quarterly schedule. Endpoint telemetry that contains personally identifiable elements is retained for the audit window applicable to your jurisdiction — typically 5 years for KR financial institutions — unless you request a shorter retention. Evidence records are stored under WORM controls so retention cannot be silently shortened. Backup copies follow the same schedule with a 30-day rolling window; deletions in production propagate to backup within that window. Where local law mandates a longer or shorter retention, the statutory period prevails.
2. Data collected
We collect three categories of data. First, account data — names, business email addresses, and roles of the individuals you nominate as platform users — which is provided directly by your institution. Second, configuration data describing your endpoint fleet, identity directory connections, and policy intent, which the platform requires to operate. Third, telemetry data captured by our endpoint agent: device identifiers, policy state, control attestations, software inventory, and remediation events. Telemetry can include personal data where it relates to a named user (a logged-in user account, a session timestamp). Free-form fields such as ticket notes are scoped to the minimum necessary and may be redacted by configuration. We do not collect content of user files, browsing history, or keyboard input — the platform has no need for those signals.
3. Scope
This statement applies to personal data processed by CrestNode Compliance in the operation of the platform and the delivery of related professional services. It applies to personal data of your nominated platform users, of individuals whose endpoint activity is captured in the course of normal use, and of individuals who contact us through the website or the contact email. It does not cover personal data your institution processes in its own systems outside the platform; for that processing, your institution remains the controller and your own privacy notices apply. Where your institution is the controller and CrestNode is the processor, the master subscription agreement and Data Processing Addendum take precedence over this statement.
4. Contact
Questions about this Privacy Statement, requests under the rights listed below, and concerns about how your data is handled should be sent to contact@platform-node.one. We acknowledge requests within 5 business days and substantively respond within 30 days, extended by up to 60 days for complex requests with notice. Our designated data protection contact under the Personal Information Protection Act of Korea can be reached at the same address. If you are not satisfied with our response, you may lodge a complaint with the Personal Information Protection Commission. Postal correspondence may be sent to the address listed on our Contact page.
5. Rights
Under the Personal Information Protection Act of Korea, individuals whose personal data we process have the right to access, correct, delete, and request the suspension of processing of their personal data, and the right to be informed of the processing in a way that is accessible. Where data is processed under our legitimate interests, you have the right to object on grounds relating to your situation. Where data is processed under your consent, you may withdraw that consent at any time without affecting prior processing. We will respond to verifiable requests free of charge once per twelve months; manifestly unfounded or excessive repeated requests may be refused or charged a reasonable administrative fee with the basis explained in writing. To exercise a right, contact us at the address in section 4.
6. Use of data
Personal data is used to operate the platform under the contract with your institution, to keep the platform secure (fraud detection, anomaly response), to meet our legal and regulatory obligations, and to communicate with named contacts about service operations. Telemetry data is used to deliver compliance attestations, drift detection, and reporting outputs to your institution; it is not used to train external machine-learning models, sold, or shared for marketing purposes. Aggregate, anonymized usage statistics may be used to improve the platform — for example, to understand which connectors are most commonly used. Anonymization is technical (aggregation, k-anonymity thresholds) and reviewed annually so anonymized outputs do not become identifiable as the dataset grows.
7. Third parties
We use a small number of vetted subprocessors: cloud infrastructure (AWS Seoul region for KR tenants), authentication (Auth0), email transit (Postmark), and observability (Datadog, with PII scrubbing at the agent). Our current subprocessor list is published in your tenant under Settings → Subprocessors and updated with 30 days notice for any addition. We never sell personal data, do not embed advertising trackers in the platform, and do not allow subprocessors to use your data for their own purposes. Where a subprocessor processes personal data, we have a data processing agreement in place with terms equivalent to those in our agreement with your institution. International transfers of personal data, where they occur, follow the legal mechanisms appropriate for the destination — for KR-region tenants the data does not leave Korean infrastructure in normal operation.
Questions about this document can be sent to contact@platform-node.one.