Sentralis Inc., a Texas corporation (“Sentralis,” “we,” “us,” or “our”), operates the ControlOS platform and related services under the MitigoSuite product family (collectively, the “Platform”). This Privacy Policy describes how we collect, use, store, and disclose information when you access or use the Platform as an authorized representative of a business entity (“Customer” or “you”).
ControlOS is a business-to-business (“B2B”) governance, risk, and compliance (“GRC”) platform. We do not market or sell our services to individual consumers. All references to “you” or “your” in this policy refer to the Customer organization and its authorized users.
When a Customer registers for the Platform, we collect business contact information including name, business email address, job title, and organization name. This information is necessary to create and administer your tenant account and provide access to authorized users within your organization.
The Platform enables Customers to input, upload, configure, and manage data related to their governance, risk, and compliance operations (“Customer Data”). This includes, but is not limited to: control definitions, framework mappings, risk indicators, audit evidence, remediation plans, workflow configurations, segregation-of-duties matrices, and compliance documentation. Customer Data is stored within the Customer’s isolated tenant environment and is owned exclusively by the Customer.
We automatically collect technical information when you interact with the Platform, including browser type, device information, IP address, pages visited, timestamps, and feature usage patterns. This data is used to maintain Platform performance, diagnose issues, and improve the service.
When Customers connect third-party systems to the Platform (such as NetSuite or other ERP and accounting systems), we process data transmitted through those integrations solely for the purpose of delivering the Platform’s functionality. Integration credentials are encrypted at rest and in transit.
ControlOS operates on a multi-tenant architecture. Each Customer is assigned a unique tenant identifier. All Customer Data is logically isolated by tenant at the database level, ensuring that one Customer’s data is never accessible to another Customer. Platform baseline configurations (such as standard framework definitions and control libraries) are maintained separately from tenant-specific data and are available to all Customers as part of the service.
We enforce tenant-level access controls through row-level security policies in our database layer. User authentication is validated on every request, and tenant membership is verified before any data is returned.
We use the information we collect for the following purposes:
We do not sell, rent, or trade Customer Data or personal information to third parties. We do not use Customer Data for advertising purposes.
We treat all Customer Data as confidential information. We maintain the secrecy and logical and physical security of all confidential information entrusted to us. Access to Customer Data within our organization is limited on a disciplined “as needed” basis to employees and agents who require access to facilitate the delivery of Platform services, and who are bound by confidentiality obligations. No rights or licenses, express or implied, are conveyed to Sentralis in Customer Data beyond what is necessary to provide the Platform.
If we believe in good faith that Customer Data must be disclosed in response to a valid order of a court of competent jurisdiction, we may so disclose to the extent required to comply, provided we give the Customer reasonable opportunity to contest such disclosure and obtain a protective order.
Customer Data is processed and stored in the United States using industry-standard cloud infrastructure providers. Our primary data storage is provided by Supabase (PostgreSQL), with application hosting on Vercel. All data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 encryption.
We maintain separate environments for development, staging, and production to ensure that Customer Data in the production environment is never exposed to development or testing processes.
We may share information only in the following limited circumstances:
We retain Customer Data for the duration of the Customer’s active subscription. Upon termination of the subscription, Customer Data is retained for a period of thirty (30) days to allow for data export, after which it is permanently deleted from our production systems. Backups containing Customer Data are purged within ninety (90) days of account termination.
Upon request, Sentralis shall return all Customer Data including all copies thereof and/or certify the destruction thereof.
Usage and technical data may be retained in aggregated, de-identified form for analytics and service improvement purposes.
We implement administrative, technical, and physical safeguards designed to protect Customer Data, including: encryption in transit and at rest, tenant-level data isolation through row-level security, role-based access controls, audit logging, and regular security assessments. While no system is completely secure, we are committed to maintaining commercially reasonable security practices appropriate for the nature of the data we process.
As a B2B platform, the Customer organization acts as the data controller for any personal data contained within Customer Data. Sentralis acts as a data processor, processing Customer Data solely on the Customer’s instructions as provided through the Platform’s functionality.
Customers are responsible for ensuring that their use of the Platform complies with applicable data protection laws, including providing any required notices to and obtaining any required consents from individuals whose personal data may be included in Customer Data.
Customers may request export or deletion of their data at any time by contacting us at the address below.
Any ideas, suggestions, or recommendations made by Customers regarding the Platform may be used and incorporated into Sentralis’s products, technologies, and services without royalties or other obligations, so long as Sentralis does not infringe the Customer’s patents, copyrights, or trademark rights. Customer Data itself remains the exclusive property of the Customer at all times.
The Platform uses session cookies and local storage strictly for authentication and user experience purposes (such as maintaining login state and user preferences). We do not use third-party advertising cookies or cross-site tracking technologies. We do not engage in behavioral advertising or sell tracking data.
The Platform is designed for use by business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a minor, we will take steps to delete such information promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. We will notify Customers of material changes by posting a notice within the Platform or by email. The “Last Updated” date at the top of this policy indicates when the most recent revisions were made.
This Privacy Policy shall be governed in all respects by the laws of the State of Texas. The state district courts of Harris County, Texas, shall be the exclusive forum for any litigation or dispute resolution arising from this policy.
If you have questions about this Privacy Policy or our data practices, please contact us at:
Sentralis Inc.
Email: Engel@mitigosuite.com
© 2026 Sentralis Inc. All rights reserved.