SanctiKey

Legal

Privacy Policy

SanctiKey, LLC · Last Updated: July 1, 2026

1. Introduction

SanctiKey, LLC ("SanctiKey," "we," "us," or "our") is a Massachusetts limited liability company operating at the registered address of Northwest Registered Agent Service Inc., 82 Wendell Ave., STE 100, Pittsfield, MA 01201. We provide managed cryptographic infrastructure, encryption, key management, and security tooling as a Software as a Service (SaaS) platform (the "Service").

This Privacy Policy explains how we collect, use, store, and protect information when you visit our marketing website (the "Site") or use our Service. It also explains your rights with respect to your information.

By accessing the Site or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, do not access the Site or use the Service.

2. Key Custody and Data We Never Retain

When customers submit data to our cryptographic API endpoints ("API Payloads"), SanctiKey performs the requested operations and returns the result without retaining the payload. Our custody model is:

  • Keys are non-extractable. Customer cryptographic keys are generated and held as non-extractable material in AWS KMS within the customer’s dedicated AWS account. No one, including SanctiKey, can export the raw key bytes.
  • SanctiKey operates the keys, only on your instruction. SanctiKey’s systems use your keys solely to perform the operations you request through the Service’s API, including decryption when you request it. SanctiKey controls the key policies until you exercise the Keyout right described in the Business Continuity and Keyout Policy.
  • No payload retention. SanctiKey does not store the plaintext or ciphertext content of API Payloads. Optional asynchronous operations for large payloads stage data briefly in encrypted object storage and delete it upon completion. Because no payload content is retained, SanctiKey cannot produce your data in response to a legal demand; if legal process seeks to compel a cryptographic operation on data presented to SanctiKey, we will notify you unless legally prohibited from doing so.

Encrypted payload content is structurally outside the scope of personal data SanctiKey collects or controls under this Privacy Policy.

3. Eligibility

The Site and Service are intended solely for use by individuals who are 18 years of age or older and who have the legal authority to enter into binding agreements on behalf of themselves or their organization. By accessing the Site or using the Service, you represent and warrant that you meet these eligibility requirements.

We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected such information, we will take prompt steps to delete it.

4. Information We Collect

4.1 Information You Provide Directly

When you register for an account, contact us, or use the Service, we may collect:

  • Identity information: Full legal name
  • Contact information: Email address
  • Billing address: Corporate or business billing address collected for invoicing and tax purposes
  • Account credentials: Username and authentication data (passwords are never stored in plaintext; see Section 8)
  • Communications: Any information you include when contacting our support team or communicating with us

4.2 Payment Information

We do not collect, store, or process payment card information directly. All payment processing is handled by a third-party payment processor (currently Stripe, Inc.). When you provide payment information, you are providing it directly to Stripe under their privacy policy and terms of service. SanctiKey receives only limited non-sensitive transaction data such as payment confirmation status and a tokenized reference identifier. We do not have access to your full card number, CVV, or bank account details at any time.

4.3 Information Collected Automatically

When you visit our Site or use our Service, we may automatically collect:

  • Usage telemetry: Aggregate and anonymized data about how features are used, including feature interaction counts, error rates, and performance metrics. This data is used solely for product improvement and is not linked to individual users beyond what is necessary for security purposes.
  • IP address: We may collect and temporarily retain your IP address at a country or region level for security purposes, including fraud detection, abuse prevention, rate limiting, and audit logging. IP addresses are not used for targeted advertising or sold to third parties.
  • Log data: Server logs including access timestamps, request types, and response codes, retained for security and operational purposes.
  • Device and browser information: Browser type, operating system, and related technical identifiers, collected for compatibility and security purposes.

4.4 Analytics on the Marketing Site

We use Google Analytics on our marketing website (the Site) to understand visitor behavior in aggregate. Google Analytics collects information such as pages visited, time on page, and referral source using cookies and similar tracking technologies. This analytics integration is limited to the marketing Site and is not present within the SanctiKey SaaS application or customer portal.

You may opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout.

4.5 Information We Do Not Collect

SanctiKey is designed with data minimization as a core principle. We do not collect:

  • Payment card numbers, CVVs, or bank account information
  • Social Security numbers or government-issued identification numbers
  • Sensitive personal categories such as health data, biometric data, or racial or ethnic origin
  • Customer cryptographic key material: by architectural design, SanctiKey cannot extract your private keys and does not retain the content of data processed through our Service (see Section 8)

5. How We Use Your Information

We use the information we collect for the following purposes:

PurposeLegal Basis (where applicable)
Providing and operating the ServicePerformance of contract
Account creation and authenticationPerformance of contract
Processing payments via StripePerformance of contract
Sending transactional communications (receipts, security alerts, service notices)Performance of contract / Legitimate interest
Responding to support requestsPerformance of contract / Legitimate interest
Security monitoring, fraud prevention, and abuse detectionLegitimate interest
Product improvement using aggregated telemetryLegitimate interest
Compliance with applicable lawLegal obligation
Enforcing our Terms of Service and Acceptable Use PolicyLegitimate interest

We do not use your information for targeted advertising. We do not sell your personal information to third parties. We do not use your information to make automated decisions that produce legal or similarly significant effects without human review.

6. Cookies and Tracking Technologies

6.1 Marketing Site

Our marketing Site uses cookies and similar technologies, including:

  • Analytics cookies: Google Analytics cookies to understand aggregate visitor behavior
  • Functional cookies: Cookies necessary for basic site functionality

You may configure your browser to refuse cookies or to alert you when cookies are being sent. Disabling cookies may affect the functionality of the Site.

6.2 Service (SaaS Application)

Within the SanctiKey SaaS application, we use only cookies and session tokens that are strictly necessary for authentication and secure session management. We do not use third-party advertising or analytics cookies within the application.

7. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

7.1 Service Providers

We share information with trusted third-party service providers who process data on our behalf and under our instructions, including:

  • Stripe, Inc.: Payment processing
  • Amazon Web Services, Inc.: Cloud infrastructure hosting (AWS is our primary infrastructure provider; data is hosted in the United States)
  • Google LLC: Analytics on the marketing Site only

Each service provider is selected for adherence to data protection standards appropriate to their role.

7.2 Legal Requirements

We may disclose your information if required to do so by law, regulation, judicial process, or governmental authority, or if we believe in good faith that such disclosure is necessary to:

  • Comply with a legal obligation
  • Protect the rights, property, or safety of SanctiKey, our customers, or the public
  • Detect, prevent, or investigate fraud, security incidents, or violations of our Terms of Service

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of SanctiKey's assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

7.4 With Your Consent

We may share your information for any other purpose with your explicit prior consent.

8. Security and Cryptographic Architecture

SanctiKey is built as a security-first platform. We implement the following technical and organizational measures to protect your information:

  • Encryption in transit: All data transmitted between your browser or API client and SanctiKey’s infrastructure is encrypted using TLS 1.2 or higher. Unencrypted HTTP connections are not accepted.
  • Encryption at rest: Data stored in our databases and object storage is encrypted at rest using AES-256 or AWS Key Management Service (KMS).
  • Authentication: Multi-factor authentication (MFA) is enforced on the Service. Account credentials are never stored in plaintext.
  • Access controls: Access to customer data within SanctiKey’s systems follows the principle of least privilege. SanctiKey engineering and operations staff do not have routine access to customer account data except to monitor the health and deployment status of the infrastructure.
  • Non-extractable key architecture: SanctiKey cannot extract or export your cryptographic key material in plaintext. Your private keys are generated and held as non-extractable material in AWS KMS and are used only to perform the cryptographic operations you request; neither SanctiKey personnel nor infrastructure can read the raw key bytes. This is an architectural guarantee, not solely a policy commitment.
  • Audit logging: All administrative and sensitive operations are logged with tamper-evident audit trails retained for compliance purposes.

No security system is impenetrable. While we employ industry-standard measures, we cannot guarantee absolute security of information transmitted over the internet. You are responsible for maintaining the security of your account credentials, API tokens, and MFA devices.

9. Data Retention

We retain your personal information for as long as your account is active or as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

Upon account termination:

  • Account identity and contact information is retained for a period of 90 days to support account recovery and dispute resolution, after which it is deleted or anonymized
  • Transaction records are retained for a minimum of 7 years to satisfy tax and financial recordkeeping requirements
  • Security and audit logs are retained for periods required by applicable compliance frameworks, up to 7 years
  • Aggregated and anonymized telemetry data that cannot be linked to an individual may be retained indefinitely for product improvement purposes

You may request deletion of your personal information in accordance with Section 10 below.

10. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Portability: Request your personal information in a structured, machine-readable format
  • Objection: Object to certain processing activities based on legitimate interest
  • Restriction: Request that we restrict processing of your information in certain circumstances

To exercise any of these rights, contact us at privacy@sanctikey.com. We will respond to verified requests within 30 days. We may need to verify your identity before processing your request.

We will not discriminate against you for exercising your privacy rights.

11. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information, including:

  • The right to know what personal information we collect, use, disclose, and sell
  • The right to request deletion of your personal information
  • The right to opt out of the sale of your personal information

SanctiKey does not sell personal information. We do not sell your personal information to third parties for monetary or other valuable consideration.

To exercise your CCPA rights, contact us at privacy@sanctikey.com. You may designate an authorized agent to make a request on your behalf.

12. Geographic Restrictions

SanctiKey is operated and managed exclusively within the United States. The Service is intended solely for use by individuals and entities located within the United States.

SanctiKey does not permit access to or use of the Service by individuals or entities located outside the United States, including residents or entities within the European Union, the European Economic Area, or the United Kingdom. Any attempt to access the Service from outside the United States is unauthorized and a violation of these Terms.

SanctiKey does not knowingly collect information from individuals outside the United States. All data processed through the Service is stored and managed within the United States, subject exclusively to United States federal and state law.

13. Export Controls

SanctiKey's Service involves cryptographic technology subject to United States export control laws, including the Export Administration Regulations (EAR). By using the Service, you represent and warrant that you are not located in, under the control of, or a national or resident of any country to which the United States has embargoed goods or services, and that you are not listed on any United States government list of prohibited or restricted parties. SanctiKey reserves the right to refuse or terminate service in order to comply with applicable export control laws.

14. Third-Party Links

The Site may contain links to third-party websites or services that are not operated by SanctiKey. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to the address associated with your account and by updating the "Last Updated" date at the top of this document. We encourage you to review this Privacy Policy periodically.

Your continued use of the Site or Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

SanctiKey, LLC Privacy Inquiries
Email: privacy@sanctikey.com

For security-related disclosures, please contact: security@sanctikey.com

This Privacy Policy is effective as of the date listed above and supersedes all prior versions.