Skip to content

Common Defense Security Terms

Last updated: 2026-06-16

These Security Terms summarize the security measures taken by Common Defense AI Security, Inc. ("Common Defense", "we", "us", or "our") to protect the data of our users (“you” or “your” or “customers”) who register User Accounts and receive the Common Defense Service (the “Service”).

The Service is an autonomous AI tool with no (or limited) human oversight and intervention unless specifically requested, required by law, or in the event of a security threat. The Service is designed to detect scams, phishing, and impersonations in your Platform Account messages and will alert you when it detects a threat. Through the Service, you will be able to review verdicts, see analytics, and change settings from the Common Defense dashboard which will be populated with your own verdicts, history, and settings.

These Security Terms are in addition to our Terms of Service and our Privacy Policy. Please review our Terms of Service for further descriptions of the Service and how to register a User Account. Please review our Privacy Policy to understand the type of data we collect, how it is collected, how it is used, and other privacy terms. Capitalized terms in these Security Terms have the meanings ascribed to them in our Terms of Service.

YOU MUST HAVE A USER ACCOUNT IN ORDER TO BE A CUSTOMER AND RECEIVE THE SERVICE. WHEN YOU REGISTER YOUR USER ACCOUNT, YOU WILL BE REQUIRED TO AFFIRMATIVELY CONSENT TO THE TERMS OF SERVICE. WHEN YOU GIVE YOUR AFFIRMATIVE CONSENT, THE TERMS OF SERVICE WILL BECOME A BINDING CONTRACT BETWEEN YOU AND US.

Encryption

  • In transit. TLS 1.2 or higher for all communication between your browser and our servers, between Common Defense and connected messaging platforms (Gmail, Microsoft 365 / Outlook, Telegram, WhatsApp), and between Common Defense and our sub-processors.
  • At rest. OAuth tokens, Platform Account credentials, and message-derived Content are encrypted at rest. Encryption keys are managed in AWS Key Management Service (KMS).

Access control

No reading of your messages or scan results during normal operations. The narrow, audit-logged exceptions are listed in Section 10 of the Privacy Policy: your explicit request, security or abuse investigation, legal compliance, and aggregated or anonymized internal operations.

Per-user isolation

Each customer's messages, verdicts, and detection history are isolated from every other customer. One customer cannot access another customer's data through any user-facing interface or API.

Operations

  • Continuous monitoring for service health, abuse, and anomalous activity.
  • Encrypted backups on a rolling retention schedule. Backups follow the same deletion windows as primary data and do not extend retention beyond the windows described in Section 9 of the Privacy Policy.
  • Incident response. We will notify affected customers and the relevant authorities of any unauthorized access to the Service or to any customer data, to the extent and in the timeframes required by applicable law.

Compliance

  • The Service’s Gmail integration adheres to the Google API Services User Data Policy, including the Limited Use requirements. The detailed Limited Use commitments are in Section 13 of the Privacy Policy.
  • We are engaging an authorized assessor for the Google CASA (Cloud Application Security Assessment) Tier 2 review of our Gmail integration.

Reporting a vulnerability

If you believe you have discovered a security issue affecting our Service, please email security@commondefense.ai. We acknowledge reports promptly and investigate every submission. We will not pursue good-faith security research that respects user privacy and avoids service disruption.

Contact

Common Defense AI Security, Inc.
General: accounts@commondefense.ai
Security reports: security@commondefense.ai