Privacy Policy
Effective date: May 13, 2026 · Custodia, LLC, Pittsburgh, Pennsylvania, USA
1. Who we are and what this policy covers
Custodia, LLC, a Pennsylvania limited liability company headquartered in Pittsburgh, Pennsylvania (“BidFedCMMC,” “we,” “us,” or “our”), operates a U.S.-built, U.S.-operated cybersecurity compliance platform at bidfedcmmc.com (the “Service”). The Service supports U.S. federal and defense contractors in meeting their obligations under the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and the Cybersecurity Maturity Model Certification (CMMC) program.
This Privacy Policy describes how we collect, use, disclose, retain, and safeguard information of customers, prospective customers, and visitors to the Service.
Regulatory frameworks our handling aligns to: NIST SP 800-171 Rev. 2, FAR 52.204-21, DFARS 252.204-7012, CMMC Level 1 under 32 CFR Part 170, the Privacy Act of 1974 (as applicable to a commercial service provider), the Pennsylvania Breach of Personal Information Notification Act (73 P.S. § 2301 et seq.), the federal CAN-SPAM Act, the Telephone Consumer Protection Act (TCPA), the Children's Online Privacy Protection Act (COPPA), and U.S. state comprehensive privacy laws including CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), MCDPA (Montana), ICDPA (Iowa), DPDPA (Delaware), NJDPA (New Jersey), TIPA (Tennessee), MCDPA (Minnesota), MODPA (Maryland), INCDPA (Indiana), and the comparable laws of Nebraska, New Hampshire, Rhode Island, and Kentucky, in each case to the extent applicable.
2. United States only
The Service is offered only to legal entities organized under the laws of, and operating from within, the United States. We do not market to or knowingly collect information from individuals or entities located in the European Economic Area, the United Kingdom, Switzerland, Canada, China, or any jurisdiction subject to a comprehensive U.S. sanctions program. If you are located outside the United States, do not use the Service.
3. Information we collect
We collect only the information needed to deliver the Service.
- Account data: name, business email, business phone (optional), company name, NAICS codes, UEI/CAGE if provided.
- Compliance content: control responses, evidence files, attestations, SPRS scoring data, and assessment artifacts that you upload or that the Service generates on your behalf.
- Integration metadata (Microsoft 365 / Google Workspace): if you authorize an integration, we read user directory listings, audit-log metadata, and policy settings via least-privilege, read-only OAuth scopes. We do not read email content, calendar bodies, file contents, or personal communications.
- Telemetry: non-personally-identifying usage metrics, error logs, IP address, browser/device user-agent, and security event data needed for product reliability, abuse prevention, and audit-log integrity.
- Communications: messages sent to support, officer tickets, and any feedback you provide.
- Billing data: processed by our PCI-DSS-compliant payment processor (Stripe, Inc.). We do not store full payment-card numbers.
What we do NOT collect or knowingly accept: Social Security numbers; Protected Health Information (PHI) regulated by HIPAA; biometric identifiers; precise geolocation; data of minors; financial-account numbers beyond what the payment processor handles; classified information; export-controlled technical data subject to ITAR (22 CFR Parts 120-130) or EAR (15 CFR Parts 730-774); or Controlled Unclassified Information (CUI). Customers must not upload any of the foregoing to the Service. The Service is scoped to CMMC Level 1 / FCI and is not authorized for CUI.
4. How we use information
- Provide, operate, secure, and improve the Service.
- Generate compliance assessments, SPRS-style scores, evidence packages, policies, and audit artifacts on your behalf.
- Send transactional and compliance-relevant communications (account notices, evidence-freshness alerts, the weekly Compliance Pulse, security incident notifications).
- Send commercial marketing communications only with a clear opt-out in every message, in compliance with CAN-SPAM. We do not send SMS or autodialed calls without express prior written consent under the TCPA.
- Provide customer support and respond to inquiries.
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms of Service and Acceptable Use Policy.
- Comply with U.S. federal, state, and local legal obligations.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use customer compliance data to train any third-party generative AI model.
5. Artificial intelligence disclosure
The Service uses third-party large-language-model providers (currently Anthropic, PBC and OpenAI, L.L.C., both U.S. companies) to power AI features including the “Charlie” virtual compliance officer. Customer prompts and uploaded evidence are transmitted to these providers only as required to fulfill the request you initiated, are subject to written zero-retention agreements, and are not used to train any model. AI-generated content is software output, not legal or regulatory advice. You remain responsible for reviewing AI-generated content before acting on it.
6. Microsoft 365 and Google Workspace integrations
When you connect Microsoft 365 or Google Workspace, we use OAuth 2.0 to obtain a least-privilege, read-only token to your organization's tenant. Tokens are encrypted at rest using AES-256-GCM with keys protected under AWS KMS.
Use limitation. We access only the directory, audit-log, and policy data necessary to produce evidence for the controls in your active assessment. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You may revoke our access at any time from your tenant admin console or from the in-product settings; revocation purges the stored tokens within twenty-four (24) hours.
7. Disclosure to third parties
We disclose information only as follows:
- Sub-processors that provide infrastructure, hosting, email, authentication, payment processing, and AI inference for the Service. Our current list and our change-notice commitment are published at /subprocessors.
- Legal compliance. Where required by valid legal process (subpoena, court order, statute) issued by a U.S. court or agency. We will attempt to notify the affected customer unless prohibited by law.
- Corporate transactions. In connection with a merger, acquisition, financing, or sale of substantially all assets, subject to equivalent confidentiality and security commitments.
- Customer direction. When you ask us to share your data with a designated party (e.g., your MSP, prime contractor, or counsel).
8. Data residency and security
Customer data is stored on infrastructure located in the contiguous United States. We maintain administrative, technical, and physical safeguards informed by NIST SP 800-171 Rev. 2, including:
- TLS 1.2+ in transit; AES-256-GCM at rest with AWS KMS-backed envelope encryption.
- HMAC-signed and hash-anchored audit artifacts to detect tampering.
- Role-based access control with the principle of least privilege.
- Multi-factor authentication required for all administrative access.
- Continuous logging, monitoring, and documented incident-response procedures.
- Annual review of security controls and sub-processor posture.
For details, see our public Security overview.
9. Cyber-incident notification
In the event of a confirmed unauthorized acquisition of, or access to, customer data, we will notify affected customers without unreasonable delay and, in any event, within seventy-two (72) hours of confirmation, consistent with the spirit of DFARS 252.204-7012(c) and the Pennsylvania Breach of Personal Information Notification Act. The notification will describe the nature of the incident, the data involved (to the extent known), and the remediation steps taken. Where the incident involves personal information regulated by a U.S. state, we will also comply with that state's breach-notification timing.
10. Data retention and deletion
Account and compliance content is retained for the term of your subscription plus ninety (90) days after cancellation, after which it is purged. Audit-trail records (security and access logs) are retained for one (1) year to support our own compliance obligations. You may request earlier deletion of your account data by writing to support@bidfedcmmc.com; we will complete the request within thirty (30) days unless retention is required by law.
11. Your privacy rights
Subject to verification of your identity, you have the right to:
- Know what personal information we hold about you.
- Access and obtain a portable copy of that information.
- Request correction of inaccurate information.
- Request deletion of your information.
- Opt out of marketing communications at any time.
- Where applicable under state law, opt out of profiling that produces legal or similarly significant effects (we do not engage in such profiling), and opt out of the sale or sharing of personal information (we do not sell or share).
- Designate an authorized agent to exercise these rights on your behalf, subject to identity verification.
- Be free from retaliation or service degradation for exercising these rights.
Appeals. If we deny a request, you may appeal by replying to our response. Where applicable state law (e.g., Virginia, Colorado, Connecticut, Texas) requires it, you may contact the relevant state attorney general if you are dissatisfied with the outcome.
Submit any rights request to privacy@bidfedcmmc.com. We will respond within forty-five (45) days, extendable by an additional forty-five (45) days where reasonably necessary.
12. Cookies and similar technologies
We use a small number of first-party cookies and similar technologies that are strictly necessary to provide the Service (session authentication, CSRF protection, load balancing, fraud prevention). We do not set third-party advertising or behavioral-tracking cookies. See our Cookie notice for the full list.
13. Children
The Service is for business use by adults aged 18 or older. We do not knowingly collect information from children under 13 (COPPA) or minors under the age of majority in the user's state of residence. If we learn that we have collected such information, we will delete it.
14. Do Not Track and Global Privacy Control
Because we do not engage in cross-context behavioral advertising or the sale of personal information, the Service treats Do Not Track and Global Privacy Control signals consistent with our default no-sale, no-share posture. No user action is required.
15. Data Processing Addendum
Customers acting as a data controller on behalf of their own end users (for example, MSPs and federally-regulated businesses) may request our Data Processing Addendum at /dpa.
16. Changes to this Policy
We will provide notice of material changes by email and in-product banner at least fourteen (14) days before the changes take effect. The Effective date above will be updated accordingly.
17. Contact
Custodia, LLC
6375 Penn Avenue, Suite B #1246
Pittsburgh, Pennsylvania 15206
United States
Privacy: privacy@bidfedcmmc.com
Support: support@bidfedcmmc.com
Security: security@bidfedcmmc.com