ISAI Cybersecurity AI Privacy Policy

Effective Date: January 2, 2026

This Privacy Policy outlines the practices of ISAI Cybersecurity AI ("ISAI," "we," "us," or "our") regarding the collection, use, processing, and disclosure of information, including Personal Information, in connection with our AI-powered cybersecurity services. We are committed to upholding the highest standards of privacy, data protection, and ethical AI deployment, in strict compliance with applicable laws and regulations, including the EU AI Act, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) (2026 Amendments), and guided by the NIST AI Risk Management Framework (AI RMF).

1. AI Governance & Transparency (Mandatory 2026)

ISAI employs Automated Decision-Making Technology (ADMT) to enhance cybersecurity posture, detect threats, and provide proactive security insights. Our commitment to transparency ensures users understand the nature and impact of our AI systems.

• Plain-Language ADMT Notice: Prior to the utilization of any Automated Decision-Making Technology (ADMT) that may significantly impact user experience or security posture, ISAI provides a clear, plain-language notice. This notice explains the underlying logic of the AI system, its intended purpose (e.g., real-time threat detection, vulnerability assessment, access control recommendations), and the potential outcomes or implications for the user. This ensures informed consent and understanding of AI-driven functionalities.
• Human-in-the-Loop Disclosure: ISAI integrates human oversight at critical junctures within its operational framework. We explicitly disclose instances where human intervention is employed to validate AI-generated security alerts, confirm threat assessments, or review high-stakes automated decisions. This "human-in-the-loop" approach mitigates risks associated with fully autonomous systems and ensures accountability.
• Synthetic Content Labeling: In adherence to Article 50 of the EU AI Act, any reports, code, analyses, or other content generated by ISAI's artificial intelligence systems are explicitly labeled as AI-generated. This ensures clarity regarding the origin of information and distinguishes AI-produced content from human-authored material.

2. Specialized Data Collection for Cybersecurity

The efficacy of ISAI's cybersecurity services necessitates the collection of specific technical and operational data. This data is collected solely for the purpose of providing, maintaining, and improving our security offerings, and for compliance with legal obligations.

• Cyber-Specific Data Categories: ISAI collects the following categories of technical data:
• System Logs: Records pertaining to system activities, network traffic, access attempts, and security events.
• Outbound Prompt Data: Inputs, queries, or commands provided by users to the ISAI AI system.
• Generated Security Outputs: AI-generated responses, security alerts, threat intelligence reports, vulnerability assessments, and recommended remediation actions.
• Configuration Data: Information related to the security configurations of monitored systems and networks. This data is processed to identify, analyze, and mitigate cybersecurity threats, enhance system resilience, and optimize the performance of our AI models.
• Sensitive Personal Information (SPI): As per the 2026 amendments to the CCPA/CPRA, Sensitive Personal Information (SPI) includes, but is not limited to, personal data from all users under the age of 16. ISAI provides a "Right to Limit" notice for any SPI collected that is used for purposes beyond the basic functionality and security of our services. Users are afforded the right to limit the use and disclosure of their SPI.
• Neural & Biometric Data: Should ISAI implement behavioral biometrics for authentication or other security-related functionalities, we acknowledge and adhere to the evolving legal requirements for "neural data" protections active in various states. Robust safeguards, including encryption, access controls, and strict data minimization principles, are applied to such data. Specific disclosures regarding the collection, processing, and retention of neural or biometric data will be provided at the point of collection, along with explicit consent mechanisms where required.

3. Enhanced 2026 User Rights

ISAI is committed to empowering users with comprehensive control over their Personal Information, aligning with the advanced privacy rights stipulated by the 2026 CCPA/CPRA amendments and other relevant regulations.

• "Your Privacy Choices" Hub: Users are provided with a centralized "Your Privacy Choices" hub, accessible via a single, prominent link within the ISAI application settings. This hub enables users to simultaneously exercise their rights to opt out of data sharing for cross-context behavioral advertising and to limit the use and disclosure of their Sensitive Personal Information (SPI).
• ADMT Opt-Out & Appeal: For high-stakes decisions rendered by our Automated Decision-Making Technology (ADMT) that may have significant legal or similar effects on the user (e.g., blocking user access, imposing severe security restrictions), ISAI offers a clear mechanism for users to opt out of such automated decision-making. Furthermore, users possess an explicit right to appeal the AI's output or decision to a qualified human reviewer, who will reassess the determination and provide a final decision.
• Universal Opt-Out Signals: ISAI's systems are configured to automatically recognize and honor universal opt-out signals, including the Global Privacy Control (GPC) and other browser-based privacy signals. This demonstrates our proactive commitment to respecting user privacy preferences without requiring individual action within our platform.
• Extended "Right to Know": Users are entitled to request access to specific pieces of Personal Information that ISAI has collected about them, extending back to January 1, 2022. This right applies regardless of previous 12-month limitations, providing a more comprehensive view of collected data. Requests can be submitted via [Insert Contact Method for Privacy Requests].

4. Security & Compliance Certifications

ISAI maintains a robust security posture and adheres to stringent compliance requirements to protect user data and ensure the integrity of our services.

• Cybersecurity Audits: ISAI undergoes mandatory annual cybersecurity audits, as required for high-revenue or high-risk businesses operating in California. These audits assess our security controls, identify vulnerabilities, and ensure ongoing compliance with industry�s best practices and regulatory mandates. The results of these audits inform continuous improvements to our security framework.
• Breach Notification: In the event of data breach affecting Personal Information, ISAI commits to notifying affected users within 30 days of discovery. This notification will provide clear information regarding the nature of the breach, the types of data involved, and steps users can take to protect themselves, in accordance with 2026 breach notification standards.
• NIST Framework Alignment: ISAI's development, deployment, and operational practices are explicitly aligned with the National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF). This alignment demonstrates our commitment to "Privacy by Design" and "Security by Design," ensuring that privacy and security considerations are integrated into every stage of the AI lifecycle. The NIST AI RMF guides our approach to identifying, assessing, and mitigating risks associated with AI systems, fostering trustworthy and responsible AI.

Contact Information

For any questions regarding this Privacy Policy, to exercise your privacy rights, or for further information on our data protection practices, please contact our Privacy Officer at:

Email: admin@isaicore.com Postal Address:15 Iron Horse Dr Unit E112 Bedford NH, 03110

Policy Updates

ISAI reserves the right to update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or technological advancements. We will notify users of any material changes by posting the updated policy on our website and, where appropriate, through direct communication. We encourage you to review this policy regularly.