✦ Virtual CISO for Small to Mid-Sized Business

Your virtual CISO
for $49/month

Most small businesses have no security plan. One breach can end everything. Narro gives you the guidance you need — in minutes, not months.

78% of small businesses fear a breach
would close them down

$232K saved by having a
tested response plan

< 5 min TO YOUR PERSONALIZED
SECURITY REPORT

No credit card needed · Your score & top 3 priorities are free

Enterprise security guidance and cyber threat intelligence — made affordable.

Follow three simple steps to understand your security posture — and exactly what to do about it.

Step 1

📋

Complete the assessment in under 5 minutes

Answer questions about your business, size, industry, and current security practices. No technical expertise required.

Step 2

🛡️

Get your security score

Receive a letter grade (A through F) with a plain-English breakdown of what's working and what needs attention.

Step 3

🔐

Get your full security plan

Unlock your incident response plan, curated AI analysis, weekly industry threat digest, and ready-to-use security policy templates.

Simple, transparent pricing

Start free. Upgrade when you're ready.

Free

$0

no credit card needed

Included

Security score & letter grade
Top 3 security priorities
Security posture overview

Narro Pro

$49

per month

Everything in Free, plus:

Full priority list
Incident Response Plan
Curated Analysis
Weekly Industry Digest
Every Monday morning, get an email with the latest cyber threats targeting your industry — curated with real sources. You control the frequency: weekly, biweekly, monthly, or never.
Security Policy Templates

Use code LAUNCH20 at checkout for 20% off your first month — first 50 customers, expires July 15, 2026.

Frequently asked questions

Can I cancel anytime?

Yes. Cancel from your account menu and your subscription ends immediately. No questions asked.

What industries do you cover?

Healthcare, financial services, retail/ecommerce, and professional services (law firms, accounting, consulting).

Is my data secure?

Your assessment answers are encrypted and stored securely. We never sell your data or share it with third parties.

What if I have questions?

Email us at support@narrosec.com and we'll respond within one business day.

By subscribing you agree to our Terms of Service and Privacy Policy.

The Krusty Krab — Security Report

Narro Pro

D+ Security Score

High Risk

Multiple critical gaps that attackers actively exploit — prioritize MFA, backups, and an incident response plan.

✅ What's Working (5)

✓ Regular security training ✓ Dedicated IT support ✓ Cloud storage in use ✓ Company-wide password manager ✓ Cyber insurance coverage

⚠️ Needs Attention (6)

MFA only partially enabled No incident response plan No backup process Vendor access unmanaged Personal devices with no security controls No formal offboarding process

Immediate action required

1

The Krabby Patty Secret Formula Is Exposed — Lock Down Your Accounts

MFA is not fully enabled on all employee accounts. If even one login gets stolen, attackers get full access to your POS system, customer data, and financial records. Enable multi-factor authentication on all accounts this week.

🕐 1 hour · Free

2

Squidward Left the Back Door Open — You Have No Incident Response Plan

When ransomware hits The Krusty Krab, who do you call? What do you shut down first? Without a written plan, every minute of chaos costs you money and customers. Your Response Plan tab has a custom playbook ready to print.

🕐 2 hours · Free

3

Mr. Krabs' Gold Is Sitting in One Basket — No Offsite Backups

If your POS or computer gets hit with ransomware today, your sales records, customer data, and business files could be gone forever. Automated cloud backups mean you can recover without paying the ransom.

🕐 2 hours · ~$7/mo

🔒

Unlock 4 more priorities including network segmentation, vendor access controls, and your full Narro Pro security plan

Get every priority, your custom Incident Response Plan, a personalized AI analysis, and the weekly industry digest with Narro Pro — $49/mo.

🔓 Unlock with Narro Pro →

The Krusty Krab — Incident Response Plan

For when Plankton (or a real attacker) finally gets in

Phase 1 — Identify the Threat (First 30 Minutes)

1

Sound the alarm — but stay calm. Check your POS system, business email, and payment dashboards for signs of unauthorized access, unusual transactions, or ransomware messages. If screens show unexpected warnings or locked files, photograph them immediately — do not click anything or attempt to dismiss them.

2

Pull the affected device off the network. Disconnect any compromised computer or terminal from Wi-Fi and unplug its ethernet cable. If the POS register is affected, switch to manual payment processing (cash or card imprint) and notify your team calmly — customers don't need details.

3

Call your IT contact and notify the owner. Alert IT support immediately. If you don't have dedicated IT, contact your POS vendor's security line. Do not attempt to repair or restore the system yourself — you may destroy forensic evidence needed by investigators or insurers.

4

Document everything you observed. Write down exactly what happened, when you noticed it, and which systems appear affected. Time-stamped notes are critical for your insurer, law enforcement, and any required breach notifications later.

Phase 2 — Contain the Damage (First 2 Hours)

5

Change all critical passwords from a clean device. Use a personal phone not connected to the business Wi-Fi. Prioritize in this order: business banking, your point-of-sale admin, business email, and your router admin panel. Use your company password manager to generate new credentials.

🔒

See your complete incident response plan with Narro Pro

Get your complete incident response plan with Narro Pro — all remaining phases tailored specifically to your business, industry, and security gaps.

Cancel anytime · Instant access

The Krabby Situation (Executive Summary)

Look, Mr. Krabs — the good news is The Krusty Krab isn't completely defenseless. SpongeBob and the crew get regular security training, and you've already got a company-wide password manager. That's more than most of Bikini Bottom can say, and it shows up in your score.

But a C+ means real holes exist. Three of them, specifically: not everyone has multi-factor authentication turned on, there's no written plan for what to do when something goes wrong, and your data isn't backed up anywhere that ransomware can't reach. These aren't hypothetical problems — they're the exact things attackers go looking for in restaurants and retail shops.

The genuinely good news: all three are fixable this week, on your own, without spending much money.

What Plankton Is Actually After (Your Biggest Risks)

Not everyone has MFA turned on: Think of multi-factor authentication like a second lock on the Krusty Krab front door. Right now, some of your accounts only have one lock. If a hacker gets your password — from a data breach somewhere else, a phishing email, or just a lucky guess — they can walk straight into your POS system, your bank account, and your customer records. MFA stops that cold. It takes under an hour to set up everywhere it's missing.
No written incident response plan: If ransomware hit the Krusty Krab tonight and locked up the register, what would SpongeBob do first? Who would he call? What would he tell customers? If the answer is "not sure," that's a problem. The first 30 minutes of a breach either save you or cost you thousands. A one-page checklist posted in the manager's office is the difference between controlled response and total chaos.
No offsite backups: Your sales records, customer data, and order history all live on computers that ransomware can reach. If someone encrypts them tonight, you're looking at either paying the ransom — usually $10,000 to $50,000 for a business this size — or losing the data permanently. Automated cloud backups cost about $7 a month and take two hours to set up. That's the whole fix.

What's Actually Working in the Kitchen (Your Strengths)

You have cyber insurance: This is a bigger deal than most people realize. If something bad happens at The Krusty Krab, you have a 24/7 number to call, lawyers who handle breach notifications, and investigators who know exactly what to do. Most small businesses in Bikini Bottom find out too late what it costs to deal with a breach without any of that. You're ahead.
The crew gets security training: Most attacks on restaurants and retail shops start with someone clicking a bad link in an email or giving their password to someone who called pretending to be tech support. Regular training means SpongeBob, Squidward, and the team know what to look for. That's a real advantage — a trained employee is your best early warning system.
Everyone uses a password manager: This means nobody's using "krabbypatty1" for every account they own. A password manager gives every account a unique, strong password — which cuts off one of the most common ways attackers get in. You've already done this, which is great. The remaining gap is just adding MFA on top of it.

The 90-Day Krabby Patty Recipe (Your Action Plan)

This week — Turn on MFA everywhere it's missing: Go to your point-of-sale system, your business email, and your bank and enable multi-factor authentication on every account. Use an authenticator app like Google Authenticator or Authy — not SMS if you can avoid it. Takes under an hour total. Free. Closes the most common way attackers get into businesses like The Krusty Krab.
Week 2 — Set up automatic cloud backups: Backblaze B2 costs about $7 a month. Set it to automatically back up the POS computer and any other machine holding customer or financial data every night. After you set it up, do a test restore — actually pull a file back from the backup and confirm it works. A backup you've never tested isn't really a backup.
Week 3 — Print and post the incident response plan: The Response Plan tab has a step-by-step plan tailored to The Krusty Krab. Print it. Post it in the manager's office. Walk SpongeBob and Squidward through the first three steps so either of them can handle the first 30 minutes of an incident without waiting for you. It doesn't need to be perfect — it just needs to exist before something goes wrong.
Month 2 — Go through your vendor list: Make a list of every person or company with access to your network, your POS, or your business accounts — your POS provider, cleaning crew, delivery platforms, anyone. Cancel or revoke any access that isn't actively needed. The ones you keep should each have their own credentials, not a shared login that nobody audits.
Month 3 — Build an offboarding habit: Every time someone leaves The Krusty Krab — even a part-time fry cook — their POS login, email account, and delivery app access should be turned off that day. Not eventually. That day. Former employees with working credentials are a common source of unauthorized access that usually goes unnoticed for months.

🔍 Plankton Launches Phishing Campaign Targeting Bikini Bottom Restaurants High Risk

Plankton Enterprises has been sending fake "Krabby Patty Ingredient Supplier" emails to restaurants across Bikini Bottom, impersonating a company called "Premium BB Seafood Co." with a domain that looks almost identical to the real thing. Restaurant owners who clicked the invoice link were taken to a fake payment portal that harvested their banking credentials and POS admin passwords. Several Bikini Bottom businesses reported unauthorized wire transfers within 48 hours of clicking the link. Sandy Cheeks, who analyzed the campaign from her treedome lab, confirmed the emails are indistinguishable from real supplier invoices without careful inspection. What to do: Never pay an invoice or change payment details based on an email alone. Always call the vendor back using a phone number you already have on file — not one in the email.

🔍 The Flying Dutchman's Ghost Network Stealing POS Credentials at Goo Lagoon Shops High Risk

The Flying Dutchman — or someone using his spectral networking equipment — has been setting up a rogue Wi-Fi access point near Goo Lagoon retail businesses under the name "GooLagoon_FREE_WiFi." Staff devices that automatically connected to the fake network had their POS admin credentials intercepted via a man-in-the-middle attack. Three Goo Lagoon shops reported unauthorized access to their point-of-sale systems within days of the fake network appearing. Patrick Star reportedly connected to it twice and "thought it was really fast." What to do right now: Give your business Wi-Fi a unique name, add a password to your guest network, and turn off auto-connect on all staff devices. Verify your POS terminal is on a separate network from customer Wi-Fi — this is a single checkbox in most router settings.

🔍 Fake "Krabby Patty Recipe Manager" App Delivering Ransomware to Restaurant Registers Critical Risk

A malicious app called "Krabby Patty Recipe Manager v2.1" has been circulating in Bikini Bottom business forums, marketed as free inventory and recipe management software. The app installs normally and appears to work for several days before downloading a ransomware payload overnight, encrypting all files on the host machine — including POS records, customer data, and financial documents. A ransom note then appears demanding payment in "Doubloons" for the decryption key. Mrs. Puff's driving school was reportedly among the first victims; she declined to comment but sources say she was "very upset." What to do: Never install software on a business computer or POS terminal without checking with your IT contact first. If you're not sure whether an app is legitimate, don't install it.

⚡ SpongeBob's Security Homework: One Thing To Do Before Your Next Shift

Turn on login alerts on your two most important accounts. Go to your payment system settings and your business email account and enable login notifications. You'll get a message every time someone signs in from a new device or location — which means if a hacker gets your password, you'll know about it in minutes instead of finding out weeks later when money is already gone. Takes about 10 minutes. Costs nothing. Do it before you flip the "Open" sign tomorrow morning.

Acceptable Use Policy

Governs employee use of company devices, networks, and software.

Acceptable Use Policy — The Krusty Krab

Effective Date: June 2026 · Bikini Bottom, Pacific Ocean

1. Purpose

This Acceptable Use Policy ("Policy") establishes guidelines for the acceptable use of information technology resources owned or operated by The Krusty Krab, located at 3541 Anchor Way, Bikini Bottom. This Policy exists to protect the business, its employees (including fry cooks, cashiers, and management), its customers, and its reputation from security incidents arising from misuse of company technology.

2. Scope

This Policy applies to all Krusty Krab employees, contractors, delivery partners, and vendors who access company systems, devices, or networks in any capacity — whether on-site at the Bikini Bottom location or remotely.

3. Acceptable Use

All Krusty Krab devices — including the kitchen POS terminal, the manager's office computer, and any company-issued tablets — must be used primarily for business purposes.
Internet access provided on company equipment is for work-related activities. Brief personal use during breaks is permitted provided it does not involve prohibited activities listed in Section 4.
All software installed on company devices must receive prior written approval from the owner or designated manager before installation.
Employees must not download, install, or run software from unknown or unverified sources — particularly on POS terminals that process customer payment data.
Company accounts (email, payment system, delivery platforms) must be accessed using credentials stored in The Krusty Krab's company-wide password manager.

4. Prohibited Activities

The following activities are strictly prohibited on Krusty Krab systems and networks:

Accessing, downloading, transmitting, or storing illegal, offensive, or inappropriate content on any company device.
Installing unauthorized software, browser extensions, or applications on any company device without management approval.
Sharing login credentials with any other employee, contractor, or individual — even temporarily or as a convenience. This includes POS PIN codes, email passwords, and payment system logins.
Connecting personal USB drives, external hard drives, or other removable storage media to POS terminals or the manager's office computer without explicit authorization.
Attempting to access systems, accounts, or data beyond the scope of one's assigned role — including accessing Mr. Krabs' financial records or ownership-level accounts without authorization.
Using company resources to conduct personal business, operate competing ventures, or perform activities that create a conflict of interest.

5. Incident Reporting

All Krusty Krab employees are required to report suspected security incidents — including phishing emails, unexpected software behavior, unauthorized account access, or lost/stolen devices — to the owner or manager immediately upon discovery. Delay in reporting may increase harm to the business and its customers.

6. Enforcement

Violations of this Policy may result in disciplinary action up to and including immediate termination of employment or contract. Violations that result in financial harm, data breach, or regulatory penalties may be subject to legal action. This Policy is reviewed annually and updated as needed to reflect changes in technology and business operations.

Name _______________________________ Signature _______________________________ Date _______________

Password Policy

Sets minimum standards for creating and managing passwords across the business.

Vendor Access Policy

Controls how third parties access your systems and customer data.

Employee Offboarding Policy

Ensures system access is revoked and equipment is returned when employees leave.

Welcome

You don't have a security report yet. Take a quick assessment and we'll generate your personalized report — score, top risks, response plan, and more. Under 5 minutes.

Security Assessment 1 / 18

Analyzing your security posture

Our AI is reviewing your answers and generating a personalized security plan.

Calculating risk score

Identifying critical vulnerabilities

Building incident response plan

Generating weekly threat brief

Finalizing recommendations

Security Report

Free plan

↺ New assessment

-- Security Score

Analyzing...

Immediate action required

Terms of Service

Narro Security LLC · Effective June 11, 2026 · Last updated June 11, 2026

1. Acceptance of Terms

By accessing or using the Narro Security service (the "Service"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, do not use the Service. These Terms constitute a legally binding agreement between you and Narro Security LLC ("Narro Security," "we," "us," or "our"), a limited liability company.

We may update these Terms from time to time. We will notify you of material changes by posting a notice on the Service or by email. Your continued use of the Service after changes become effective constitutes your acceptance of the revised Terms.

2. Description of Service

Narro Security provides an AI-powered cybersecurity assessment and advisory platform designed for small and mid-sized businesses. The Service includes a self-assessment questionnaire, a security score and letter grade, a personalized incident response plan, an AI-generated security analysis, a weekly industry threat digest, and security policy templates (collectively, the "Service").

The Service is intended to provide general security guidance and education. It is not a substitute for professional legal, compliance, or cybersecurity consulting services.

3. Account Registration and Security

To access certain features of the Service, you may be required to provide your email address. You agree to provide accurate, current, and complete information. You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account.

We use magic-link authentication via email. You agree not to share your login links with others. If you believe your account has been compromised, contact us at support@narrosec.com immediately.

4. Subscription and Billing

4.1 Subscription Plans

The Service is offered on a free tier and a paid "Narro Pro" subscription plan. Subscription fees, billing periods, and included features are described on our Pricing page and may be updated from time to time with advance notice.

4.2 Payment

Payments are processed by Stripe, Inc. By subscribing to Narro Pro, you authorize us to charge your payment method on a recurring basis at the then-current subscription price. All fees are in U.S. dollars and are non-refundable except as expressly stated herein or required by applicable law.

4.3 Cancellation

You may cancel your Narro Pro subscription at any time from your account menu. Cancellation takes effect immediately and you will retain access to Pro features through the end of your current billing period. No partial refunds are issued for unused time.

4.4 Price Changes

We reserve the right to change subscription prices at any time. We will provide at least 30 days' notice before any price increase takes effect for existing subscribers. Your continued use of the Service after a price change constitutes acceptance of the new price.

5. Free Tier and Pro Plan

The free tier provides a security score, letter grade, and top three security priorities at no cost. The Narro Pro plan provides access to the full priority list, incident response plan, AI-generated security analysis, weekly industry threat digest, and security policy templates. We reserve the right to modify the features included in each tier at any time.

6. Acceptable Use

You agree not to use the Service to:

Violate any applicable law or regulation, including data protection and privacy laws;
Submit false, misleading, or fraudulent information in the assessment;
Attempt to gain unauthorized access to any portion of the Service or its related systems;
Reverse engineer, decompile, or disassemble any part of the Service;
Scrape, harvest, or otherwise collect data from the Service without our express written permission;
Use the Service for any competitive intelligence or benchmarking purpose;
Resell, sublicense, or otherwise commercialize access to the Service without prior written consent.

We reserve the right to suspend or terminate your access to the Service immediately if we determine, in our sole discretion, that you have violated these Terms.

7. Intellectual Property

All content, features, and functionality of the Service — including but not limited to text, graphics, logos, software, AI-generated output, and design — are owned by Narro Security LLC or our licensors and are protected by copyright, trademark, and other intellectual property laws.

We grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service for your internal business purposes. This license does not permit you to distribute, modify, create derivative works from, or publicly display any part of the Service without our prior written consent.

Security reports, analysis, and policy templates generated through the Service are licensed to you for use within your own business. You may not resell or distribute this content to third parties.

8. Assessment Data and Privacy

Your assessment answers and generated reports are stored securely and used to provide and improve the Service. We do not sell your assessment data to third parties. Our data practices are described in detail in our Privacy Policy, which is incorporated into these Terms by reference.

9. AI-Generated Content

The Service uses artificial intelligence to generate security recommendations, incident response plans, policy templates, and threat analyses. While we work to ensure the quality of AI-generated content, this content is provided for informational purposes only and may contain errors or omissions.

AI-generated content does not constitute professional legal, compliance, or cybersecurity advice. You should independently verify recommendations before implementing them and consult qualified professionals for matters with significant legal, financial, or operational consequences.

10. Disclaimers

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMITTED BY LAW, NARRO SECURITY DISCLAIMS ALL WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM VIRUSES OR OTHER HARMFUL COMPONENTS. WE DO NOT WARRANT THAT THE SECURITY ASSESSMENT, SCORE, OR RECOMMENDATIONS ARE COMPLETE, ACCURATE, OR APPROPRIATE FOR YOUR SPECIFIC CIRCUMSTANCES.

11. Limitation of Liability

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, NARRO SECURITY LLC AND ITS OFFICERS, EMPLOYEES, AGENTS, AND LICENSORS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES — INCLUDING LOSS OF PROFITS, DATA, OR GOODWILL — ARISING FROM OR IN CONNECTION WITH YOUR USE OF THE SERVICE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

OUR TOTAL CUMULATIVE LIABILITY TO YOU FOR ANY CLAIMS ARISING FROM OR RELATED TO THESE TERMS OR THE SERVICE SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNT YOU PAID TO US IN THE TWELVE MONTHS PRECEDING THE CLAIM OR (B) ONE HUNDRED U.S. DOLLARS ($100).

12. Indemnification

You agree to indemnify, defend, and hold harmless Narro Security LLC and its officers, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) your use of the Service; (b) your violation of these Terms; or (c) your violation of any third-party rights.

13. Termination

We may suspend or terminate your access to the Service at any time, with or without cause, with or without notice. Upon termination, your right to use the Service ceases immediately. Provisions of these Terms that by their nature should survive termination shall survive, including Sections 7, 9, 10, 11, 12, and 14.

14. Governing Law and Dispute Resolution

These Terms are governed by the laws of the United States and the state in which Narro Security LLC is incorporated, without regard to conflict of law principles. Any dispute arising from these Terms or the Service shall first be subject to informal resolution by contacting us at support@narrosec.com. If the dispute cannot be resolved informally within 30 days, it shall be resolved by binding arbitration in accordance with the rules of the American Arbitration Association.

You waive any right to participate in a class action lawsuit or class-wide arbitration against Narro Security.

15. General Provisions

These Terms, together with our Privacy Policy, constitute the entire agreement between you and Narro Security LLC regarding your use of the Service and supersede all prior agreements. If any provision of these Terms is found to be unenforceable, the remaining provisions will remain in full force and effect. Our failure to enforce any right or provision does not constitute a waiver of that right or provision.

16. Contact

Questions about these Terms? Contact us at support@narrosec.com.

Privacy Policy

Narro Security LLC · Effective June 11, 2026 · Last updated June 11, 2026

Narro Security LLC ("Narro Security," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the choices you have about your information when you use our Service at narrosec.com (the "Service").

By using the Service, you agree to the collection and use of information as described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

Email address: Required to create an account, receive your security report, and access paid features. Also used to deliver your weekly industry digest.
Business name: Provided optionally to personalize your security report.
Assessment answers: Your responses to the security assessment questionnaire — including business size, industry, and security practices. This is the core input used to generate your security report.
Payment information: Billing details for Narro Pro subscriptions are collected and processed directly by Stripe, Inc. We do not store your full payment card details on our servers.
Feedback: Any feedback or messages you send to us via the in-app feedback form or email.

1.2 Information Collected Automatically

Usage data: Standard server logs including IP address, browser type, referring URL, and pages visited. This data is used for security, debugging, and service improvement.
Session data: Authentication session tokens stored in your browser's local storage to keep you logged in.
Theme preference: Your light/dark mode preference, stored in browser local storage.

1.3 Information from Third Parties

Stripe: When you subscribe to Narro Pro, Stripe provides us with subscription status, billing period, and payment events. We do not receive your full card number.
Supabase: Our database provider stores your account data and assessment results.

2. How We Use Your Information

We use the information we collect to:

Provide, personalize, and improve the Service — including generating your security score, priorities, incident response plan, AI analysis, and weekly digest;
Process payments and manage your subscription;
Send transactional emails, including magic-link login emails and your weekly industry digest (if you opt in);
Respond to your support requests and feedback;
Detect, prevent, and address fraud, abuse, and security incidents;
Comply with applicable legal obligations;
Analyze aggregate usage trends to improve the Service (using anonymized or aggregated data that cannot identify you).

We do not use your assessment answers or security report data to train third-party AI models without your explicit consent.

3. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We share your information only in the following limited circumstances:

3.1 Service Providers

We share information with trusted service providers who help us operate the Service:

Anthropic: Your assessment data is sent to Anthropic's API to generate AI-powered security analysis, incident response plans, and policy templates. Anthropic's privacy policy governs their handling of this data.
Stripe: Payment processing and subscription management.
Supabase: Secure database hosting for account and assessment data.
Railway / Vercel: Cloud infrastructure providers hosting the Service's backend and frontend.

All service providers are contractually obligated to use your data only as necessary to provide their services to us and in accordance with applicable law.

3.2 Legal Requirements

We may disclose your information if required to do so by law, subpoena, court order, or other governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Narro Security, our users, or the public.

3.3 Business Transfers

If Narro Security is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

4. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it, including:

Encryption of data in transit using TLS;
Database-level row security and access controls via Supabase;
Secrets (API keys, credentials) are stored only on the backend and never exposed to the browser;
Regular review of security practices and dependencies.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

5. Data Retention

We retain your account information and assessment data for as long as your account is active or as needed to provide the Service. If you close your account or request deletion of your data, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, compliance, or legitimate business purposes.

Stripe retains payment and billing records according to their own retention policies and legal obligations.

6. Cookies and Similar Technologies

The Service uses browser local storage (not traditional cookies) to store your authentication session and theme preference. We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies.

Standard server logs may record your IP address and browser information as described in Section 1.2. These logs are used solely for operational and security purposes and are not used for advertising.

7. Your Rights and Choices

7.1 Access and Correction

You may access and update your account information at any time by logging in to your account. For other access or correction requests, contact us at support@narrosec.com.

7.2 Data Deletion

You may request deletion of your account and associated data by emailing support@narrosec.com. We will process your request within 30 days.

7.3 Email Communications

You can manage your digest email frequency from the Notification settings in your account menu. You may also unsubscribe from any email by clicking the unsubscribe link in any email we send or by contacting us directly.

7.4 California and Other State Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of sale (we do not sell personal information). Residents of other U.S. states with applicable privacy laws may have similar rights. To exercise your rights, contact us at support@narrosec.com.

8. Children's Privacy

The Service is intended for use by businesses and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.

9. International Data Transfers

Narro Security is based in the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to this transfer.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or by sending an email to the address associated with your account. The date at the top of this policy indicates when it was last updated. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Narro Security LLC
Email: support@narrosec.com

Your virtual CISOfor $49/month