WHAT WE DO (AND DO NOT) COLLECT

Your data, handled with care.

We’re a security company, so we hold ourselves to the standards we give you. Here’s exactly what SSM collects from your endpoints — and what it never touches.

Transparency

What we collect — and what we never touch

The line is drawn here, and it’s non-negotiable.

We DO collect

  • Endpoint hardware + software inventory
  • Foreground app name, window title, idle state
  • Browser URLs + search terms (Chrome/Edge/Brave)
  • Screenshots during business hours (stored on your tenant)
  • Login usernames & MAC addresses
  • Windows event-log entries relating to security
  • Antivirus / BitLocker / update status
  • Email tenant metadata (mailboxes, MFA state, sign-ins)
  • Compromised-credential flags from HIBP

We NEVER collect

  • Passwords — never, under any circumstances
  • The contents of documents, emails or chats
  • Keystrokes (no keyloggers — ever)
  • Form submissions (phishing-sim records boolean only)
  • Webcam or microphone content
  • Banking or health PII beyond what’s on the desktop
  • Clipboard contents
  • Personal files on user OneDrive/Dropbox
  • Data from non-work browser profiles

Compliance & standards

We hold ourselves to the standards we sell

Cyber Essentials

Our own infrastructure is certified Cyber Essentials. We eat our own dog food.

GDPR + UK DPA 2018

Lawful-basis documented per data category. Full DPA available on request.

UK-hosted

All customer data stays in the United Kingdom. No third-country transfers without explicit consent.

Code-signed

DigiCert EV Extended Validation on a hardware USB token. SHA-384 + timestamp counter-signature.

72-hour breach SLA

Any confirmed breach disclosed within 72 hours, regardless of whether customer data is affected.

Data retention

12-month default retention. Customer-configurable down to 30 days or up to 7 years.

Supply chain

Third-party subprocessors

We publish every third-party service that touches your data, what role it plays, and where it lives.

Subprocessor       Role                                              Region
Microsoft          Graph API for email security                      UK South
Cloudflare         DNS, TLS certificate challenges, DDoS protection  Global edge
DigiCert           Code-signing certificate issuance                 USA (signing done locally)
Have I Been Pwned  Credential-breach lookups (k-anonymity)           UK/EU
SimpleHelp Ltd     Remote-support session relay                      Self-hosted UK

Documentation

Download the details

Security whitepaper

Detailed architecture, threat model, encryption choices.

Data Processing Agreement

GDPR-compliant DPA ready for your procurement team.

Penetration test report

Our most recent third-party pentest report, redacted.

Any privacy questions we haven’t answered?

We’re happy to jump on a call with your InfoSec team, procurement or auditor. Nothing’s too technical or too simple to ask.