← Pylon Command
Get notified

Privacy Policy

Last updated: May 20, 2026

Pre-launch notice. Command is currently in development and not yet available for use. This Privacy Policy describes how we will handle data when the platform launches and is published now so that customers evaluating Command can understand the data practices that will apply. Until Command is generally available, only marketing-site inquiries fall under this policy; those are covered by Section 2.5 below and by our corporate Privacy Policy.

1. Overview

Advosec, LLC d/b/a The Pylon Group ("we," "our," or "us") is building Command, a software-as-a-service platform for security program management. Command is designed to be the operating system for a security program, consolidating roadmap, controls, exceptions, audits, and board reporting in a single workspace for security leaders, vCISOs, and PE firms managing security across a portfolio. This Privacy Policy explains how we will collect, use, disclose, and safeguard information when you visit our website (thepylongroup.com/software/command) and when you use the Command platform once it is generally available.

By using our services or submitting information through our website, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

2. Information We Will Collect

2.1 Account Information

When you register for an account, we will collect your name, email address, organization name, job title, and authentication credentials. Account creation and authentication will be managed through our infrastructure provider (Supabase Auth).

2.2 Platform Data

In the course of using the Command platform, you may input or upload:

  • Security program data including roadmap items, milestones, owners, and due dates
  • Control library data including framework mappings, control descriptions, ownership, status, and evidence references
  • Exceptions and risk-acceptance records including business justification, compensating controls, expiration dates, and approver chain
  • Audit and assessment data including findings, remediation plans, due dates, and closure evidence
  • Policy documents, runbooks, standards, and procedures
  • Board reports, executive summaries, and metrics rollups generated through the platform
  • Vendor and third-party risk references, where Command is linked with Scout
  • Diligence and integration data, where Command is linked with Anvil
  • Personnel and team structure data necessary to assign ownership and access

2.3 AI Processing Data

Command will include AI features for tasks such as control mapping suggestions, exception drafting, audit response generation, and board report drafting. Document content and prompt context submitted for AI analysis will be sent to our AI service provider (Anthropic) for processing and will not be retained by the AI provider beyond the processing session. We will not use your data to train AI models.

2.4 Usage and Technical Data

We will automatically collect certain technical information including IP address, browser type, device information, pages visited, features used, session duration, and interaction patterns. This data is used for service improvement, security monitoring, and troubleshooting.

2.5 Pre-Launch Inquiries and Marketing Data

When you submit your email to be notified about Command, request a demo, or otherwise contact us about Command through our website, we collect the information you provide. This includes email address and any context you share (organization name, role, security program details, and intended use case). This information is governed by both this policy and the corporate Privacy Policy.

3. How We Will Use Your Information

We will use collected information to:

  • Provide, maintain, and improve the Command platform
  • Run security program management workflows including roadmap, controls, exceptions, audits, and reporting
  • Power AI-driven control mapping, drafting, and recommendations
  • Send service-related communications including platform updates, audit reminders, and security notices
  • Respond to pre-launch inquiries, demo requests, and customer feedback
  • Monitor and prevent security incidents, fraud, and abuse
  • Comply with legal obligations

We do not and will not sell your personal information or platform data to third parties. We do not use your data for advertising purposes. Program data uploaded by your organization is not shared with any other organization or used for any purpose outside of providing the service to you.

4. Data Sharing and Disclosure

4.1 Service Providers (Sub-Processors)

When Command launches, we expect to use the following third-party service providers to operate the platform. The final list at launch may differ and will be reflected in an updated version of this policy:

  • Supabase — Database hosting, authentication, edge functions, and file storage. Supabase maintains SOC 2 Type II compliance. Data is hosted in the United States.
  • Cloudflare — Content delivery, DDoS protection, and DNS for our marketing site.
  • Anthropic — AI processing for control mapping, drafting assistance, and report generation. Data sent to Anthropic is processed in real-time and not retained for model training.
  • Web3Forms — Processing of pre-launch and demo request form submissions on our marketing site.

4.2 Cross-Platform Integration

If your organization uses Command together with Scout (third-party risk) or Anvil (M&A diligence), data may flow between the platforms based on the integrations your organization configures. Data flow between Pylon Group platforms within the same organization is not considered third-party disclosure.

4.3 Legal Requirements

We may disclose your information if required to do so by law, in response to valid legal process, to protect our rights or safety, or to investigate potential violations of our Terms of Service.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5. Data Security

We will implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security (RLS) enforcing organization-level data isolation in our database
  • JWT-based authentication with secure session management
  • Rate limiting on API endpoints and Edge Functions
  • Regular security assessments of our platform and infrastructure
  • Role-based access controls within the platform

Our infrastructure provider (Supabase) maintains SOC 2 Type II compliance. We operate on SOC 2-compliant infrastructure and implement security controls consistent with SOC 2 Trust Services Criteria. Command's independent attestation status at launch will be documented in this policy when known.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We will retain your account data and platform data for as long as your account is active or as needed to provide services to your organization. When an organization's account is terminated, we retain data for a period of 30 days to allow for data export, after which it is permanently deleted from our systems. Backup copies may persist in encrypted backups for up to 90 days.

Pre-launch inquiries, demo requests, and marketing inquiries are retained for up to 24 months.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate personal information
  • Request deletion of your personal information
  • Object to or restrict processing of your personal information
  • Request portability of your data in a structured, machine-readable format
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at [email protected]. We will respond to requests within 30 days.

8. Cookies and Tracking

Our marketing site (thepylongroup.com/software/command) does not currently use third-party analytics cookies or tracking pixels. When the Command platform launches, essential cookies will be used for authentication and session management. We do not use cookies for advertising or cross-site tracking.

9. International Data Transfers

Our platform infrastructure is hosted in the United States via Supabase (AWS). If you are accessing our services from outside the United States, your data will be transferred to and processed in the United States. By using our services, you consent to this transfer.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time, including when Command launches and the data practices described as forward-looking become operational. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or platform notification.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Advosec, LLC d/b/a The Pylon Group
Email: [email protected]