Privacy Policy
Last Updated: May 1, 2026
BlackBox Auditor LLC ("we," "us," or "our") provides a SaaS platform that helps auditors, GRC professionals, and internal security teams gather evidence from AWS environments. This policy explains how we collect, use, protect, and retain information when you visit blackboxauditor.com and use our services.
Who This Policy Applies To
This policy applies to two categories of users:
Direct Users
Individuals employed by or acting on behalf of the organization that owns the AWS account being assessed.
Third-Party Users (e.g., Audit Firms)
Professionals who use BlackBox Auditor on behalf of clients, connecting to AWS accounts owned by a third party.
If you are an audit firm or external professional using this tool on a client's AWS environment, you are responsible for ensuring you have obtained appropriate written authorization from that client before initiating any connection or scan. AWS environment metadata processed through the platform in this context is handled on your behalf, and you remain the data controller for that engagement. We recommend maintaining your own data processing agreements with your clients as required by applicable law.
Information We Collect
Account Information
When you register, we collect your name, email address, and billing information. Billing transactions are processed by PayPal and/or Stripe — we do not store raw payment card details.
AWS Connection Credentials
To initiate a connection, you provide an IAM Role ARN and External ID. These are used transiently to establish the cross-account session and are not stored in our systems. We retain no record of your IAM Role ARN, External ID, or AWS Account ID after the connection is made.
AWS Environment Metadata
To generate audit reports, we ingest configuration metadata from your AWS environment — for example, IAM policies and resource configuration settings. We do not access, read, or store application data, database contents, secrets, or credential values.
Website Analytics
Blackboxauditor.com uses Google Analytics to collect standard website usage data such as pages visited, browser type, and approximate location. Google Analytics may set cookies in your browser. You can opt out using the Google Analytics Opt-out Browser Add-on.
Service Usage Analytics
We operate an internal analytics system hosted on AWS infrastructure to track report generation and usage activity within the platform. This data is used solely for service improvement, capacity planning, and security monitoring. It is not shared with third parties and is subject to the same 14-day retention period described below.
How We Access Your Data — Zero-Credential Architecture
BlackBox Auditor holds no persistent IAM Access Keys or Secret Keys. All access is initiated through a customer-controlled AWS Cross-Account IAM Role. The External ID you configure acts as a shared secret that protects against unauthorized role assumption (a "confused deputy" attack). Because we do not store your connection credentials, you maintain complete control: revoking access is as simple as deleting or modifying the trust policy on the IAM role within your own AWS account.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information (name, email) | Duration of your account, plus 90 days after termination |
| AWS connection credentials (Role ARN, External ID) | Not retained — used transiently only |
| AWS environment metadata / generated reports | 14 days from generation, then permanently deleted |
| Service usage analytics | 14 days, then permanently deleted |
We strongly recommend downloading your reports before the 14-day window expires. Deleted reports are not recoverable.
Third-Party Service Providers
We share limited data with the following providers who assist in operating the platform:
- PayPal and/or Stripe — billing and subscription management
- Zoho — account and transactional email communications
- Google — website analytics (blackboxauditor.com)
These providers are contractually bound to process data solely on our instructions and in accordance with applicable law.
We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes.
Your Rights
For Users in the European Economic Area (GDPR)
We process your personal data on the basis of contract performance (account information and service delivery) and legitimate interests (security and platform integrity). You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request erasure of your data ("right to be forgotten")
- Restrict or object to processing of your data
- Receive your data in a portable format
- Lodge a complaint with your national data protection supervisory authority
For California Residents (CCPA)
You have the right to know what personal information we collect and how it is used, to request deletion of your data, and to opt out of the sale of your personal information.
We do not sell personal information.
To exercise any of the above rights, contact us at info@blackboxauditor.com.
Data Security and Breach Notification
We implement industry-standard security measures to protect your information. In the event of a data breach affecting your personal information, we will notify affected users as required by applicable law.
Data Controller
BlackBox Auditor LLC
4057 Oxford Glen Dr.
Franklin, TN 37067
info@blackboxauditor.com
Changes to This Policy
We may update this policy periodically. Registered users will be notified of material changes by email. The "Last Updated" date at the top of this page reflects the most recent revision.