Overview
Plain language summary: GRC Lab collects only what is necessary to run your account and provide the audit platform. We do not sell your data, share it with advertisers, or use it for any purpose other than operating and improving the service.
GRC Lab ("we", "our", "the platform") is operated by GRCLab.net, based in Azerbaijan. This Privacy Policy explains how we handle personal data when you register, log in, and use the GRC Lab audit platform at grclab.net.
By creating an account and using the platform you agree to this policy. If you do not agree, please do not register.
Data We Collect
Account data (provided by you)
| Data | Why we collect it |
|---|---|
| Full name | Displayed in your profile and included in exported audit reports |
| Email address | Account login, password reset, and platform notifications |
| Password (hashed) | Authentication — stored as a one-way hash, never in plain text |
| Organisation / role | Optional — used to personalise your audit context |
Audit data (created by you)
- Compliance status, risk levels and notes you enter for CBAR / ISO / NIST controls
- Evidence files you upload (stored per requirement)
- Target completion dates and remediation notes
- Risk assessment records linked to requirements
This data belongs to you. It is tied to your user account and not visible to other users.
Technical data (collected automatically)
- IP address and browser type (server logs, retained for 30 days)
- Session cookies required for login to function
- Page load timestamps for error diagnosis
How We Use Your Data
We use your data exclusively to:
- Provide and operate your account and the audit platform
- Authenticate your login and maintain your session securely
- Populate your name in exported PDF, Excel and CSV reports
- Send you account-related emails (password reset, access approval)
- Diagnose technical errors and maintain platform stability
- Improve the platform based on aggregated, anonymised usage patterns
We do not use your data for advertising, profiling, or marketing to third parties.
Data Storage
Your account and CBAR audit data are stored in a MySQL database hosted on servers located in Azerbaijan. ISO 27001:2022 and NIST CSF 2.0 assessment data is stored in your browser's local storage — it does not leave your device unless you export a report.
Local storage note: ISO and NIST audit data is scoped to your user account and browser. Clearing browser data or switching devices will reset this data. For permanent multi-device access, consider exporting your data to Excel or CSV regularly.
Data Sharing
We do not sell, rent or trade your personal data. We may share data only in the following limited circumstances:
- Service providers: Hosting and infrastructure providers operating under data processing agreements
- Legal obligation: If required by Azerbaijani law or a valid court order
- Business transfer: In the event of a merger or acquisition, with advance notice to users
Your audit data (CBAR requirements, ISO controls, NIST controls, evidence files) is never shared with any third party under any circumstances.
Cookies
GRC Lab uses only essential cookies required to operate the platform. We do not use tracking, advertising or analytics cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| PHPSESSID | Maintains your login session | Session (deleted on browser close) |
| grclab_modules_u* | Saves your module preferences per user (localStorage) | Until manually cleared |
| grclab_audits_u* | Saves which audit templates are open (localStorage) | Until manually cleared |
You can clear browser cookies and local storage at any time through your browser settings. This will log you out and reset your ISO / NIST audit state.
Your Rights
You have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate or incomplete data
- Deletion — request deletion of your account and all associated data
- Export — download your audit data at any time using the built-in PDF / Excel / CSV export tools
- Objection — object to any processing not strictly necessary for operating your account
To exercise any of these rights, contact us at info@grclab.net. We will respond within 30 days.
Security
We take the security of your data seriously. Measures in place include:
- All passwords are hashed using industry-standard algorithms — never stored in plain text
- HTTPS encryption for all data transmitted between your browser and our servers
- Session-based authentication with automatic expiry
- Role-based access controls — users can only access their own audit data
- Regular backups of the database with restricted access
If you believe your account has been compromised, contact us immediately at info@grclab.net.
Data Retention
We retain your data for as long as your account is active. If you request account deletion:
- Your account, profile and CBAR audit data will be permanently deleted within 14 days
- Server logs containing your IP address are deleted after 30 days
- Backup copies are purged within 60 days
- ISO and NIST data stored in your browser's local storage must be cleared manually by you
Policy Changes
We may update this policy from time to time to reflect changes in the platform or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and notify registered users by email at least 14 days before the change takes effect.
Continued use of the platform after the effective date constitutes acceptance of the updated policy.