Security & Privacy Policy – RMF (Risk Management Framework) Tool

📅 Effective Date: June 17, 2025

InfoBeyond Technology LLC (“we,” “us,” or “our”) is committed to protecting the privacy and security of our users’ data. This Security & Privacy Policy describes how RMF Tool (“Service”) collects, uses, stores, and protects information processed through our platform, located at https://rmf-tool.com.

By using RMF Tool, you agree to the practices described in this policy.

1. Overview

RMF Tool applies the NIST Risk Management Framework (SP 800-37) to guide control documentation, system categorization, and compliance workflows. Security and privacy are integral to our design. All customer data is handled in accordance with applicable laws and industry-standard cybersecurity practices.

2. Information We Collect

We collect only the minimum data necessary to deliver and support the Service. This includes:

  • Account Information: Name, email address, organization, and user role

  • System Data: Inputs entered into security plans, control assessments, categorization worksheets, and other templates

  • Usage Data: Logs related to user activity, feature use, and support requests

  • Support Communications: Information voluntarily shared through emails or helpdesk tickets

We do not collect payment or billing data directly; any transactions are handled by third-party processors compliant with PCI-DSS.

3. How We Use Your Information

Users are granted a limited, non-exclusive, non-transferable license to use RMF Tool content for internal business purposes related to risk management and cybersecurity compliance.

We use collected information to:

  • Operate and maintain RMF Tool

  • Provide user support and service updates

  • Improve system performance and user experience

  • Generate compliance documentation

  • Monitor system health and ensure security

We do not sell or rent your information to third parties.

4. Data Security Measures

RMF Tool is hosted in secure, U.S.-based cloud infrastructure using Microsoft Azure Commercial. While not FedRAMP-authorized, Azure Commercial supports a range of industry-recognized compliance standards. RMF Tool applies technical safeguards aligned with industry best practices for risk-managed environments, including:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest using industry-standard encryption methods

  • Authentication and Access Control: Access to customer data is restricted by role-based permissions and secure authentication mechanisms

  • Monitoring and Logging: All platform activity is logged and monitored for suspicious behavior

  • System Hardening: Infrastructure is regularly updated and follows secure configuration baselines

  • Vulnerability Management: We conduct regular scans, assessments, and remediation based on established security benchmarks

5. Data Retention and Deletion

  • Customer data is retained only for the duration of your active account or as required to comply with legal obligations

  • Upon account closure or request, we will permanently delete all identifiable user and system data within 30 days

  • Backups are retained for disaster recovery and are securely deleted on a rolling schedule

6. Third-Party Services

We may use third-party tools (e.g., for analytics or support) that adhere to security and privacy best practices. Any third-party vendors are reviewed for compliance and data protection alignment.

No third party has access to your RMF Tool project content unless explicitly authorized by you.

7. User Rights and Choices

You may request access to, correction of, or deletion of your personal data at any time by contacting us. You also have the right to:

  • Export your compliance documentation at will

  • Opt out of optional communications

  • Request a security report or breach notification, if applicable

8. Cookies and Tracking

RMF Tool uses only essential cookies required for login sessions and platform performance. We do not use cookies for advertising or third-party behavioral tracking.

9. Compliance Framework Alignment

Our platform is grounded in trusted federal guidance, including:

  • NIST SP 800-37 – Risk Management Framework

  • FIPS 199 and FIPS 200 – Security categorization and minimum security requirements

  • CNSSI 1253 and NIST SP 800-60 Vol. 1/2 – Information type identification and mapping

To learn more, visit our reference library at:

10. Changes to This Policy

We may update this Security & Privacy Policy from time to time to reflect platform changes or evolving regulations. Updates will be posted at https://rmf-tool.com/privacy, and we will notify users if material changes are made.

11. Contact Us

If you have questions, concerns, or requests related to this policy or your data, please contact:

InfoBeyond Technology LLC
1900 Plantside Drive, Louisville, KY 40223
Email: support@infobeyondtech.com
Website: https://infobeyondtech.com