Lavawall® Privacy Policy
Issued by
ThreeShield Information Security Corporation (“ThreeShield”, “we”, “us”, or “our”)
a Canadian Federal Corporation located in Calgary, Alberta
This Privacy Policy applies to the Lavawall® Software as a Service (SaaS) platform, the Lavawall® agent software installed on Windows, Linux, and macOS devices, and all public-facing web properties operated by ThreeShield (collectively, the “Service”). By using the Service you acknowledge that you have read and agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.
Effective date: April 8, 2025. Last reviewed: April 8, 2026. This policy is reviewed and updated at least annually or whenever material changes occur. We will notify registered users of material changes by email at least thirty (30) days before they take effect.
Contents
- Who We Are & How to Contact Us
- Regulatory Framework & Jurisdiction
- What Information We Collect
- How We Use Your Information
- Data Residency & International Transfers
- Third-Party Sub-Processors & Service Providers
- Data Sharing & Disclosure — We Do Not Sell Your Data
- Google User Data & Limited Use Policy
- Microsoft & AWS Integration Data
- Cookies, Analytics & Tracking Technologies
- Data Retention
- Security Safeguards
- Your Rights & Choices
- Rights for Alberta & Canadian Residents
- Rights for EU / EEA Residents (GDPR)
- Rights for US Residents
- Children’s Privacy
- Changes to This Policy
- Governing Law
1. Who We Are & How to Contact Us
The data controller for all personal information processed through the Lavawall® Service is:
ThreeShield Information Security Corporation
Calgary, Alberta, Canada
Privacy inquiries: lavawall.com/contact.php
(please include “Privacy” in the subject of your message)
For EU/EEA data subjects who require a formal representative under Article 27 GDPR, please direct correspondence via our contact form marked “GDPR Representative.” ThreeShield will respond to all verifiable privacy requests within the timeframes required by applicable law and no later than thirty (30) calendar days.
2. Regulatory Framework & Jurisdiction
ThreeShield operates primarily under Canadian federal and Alberta provincial privacy law and complies, to the extent applicable, with the privacy requirements of the jurisdictions from which users access the Service:
- Canada (Federal): Personal Information Protection and Electronic Documents Act (PIPEDA / Bill C-27 successor framework), and the Canada Anti-Spam Legislation (CASL).
- Alberta (Provincial): Personal Information Protection Act (PIPA, SA 2003, c P-6.5) and the Health Information Act (HIA) where applicable.
- European Union / EEA: General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable national implementations.
- United States: Applicable federal sector laws and, where triggered, state privacy laws including the California Consumer Privacy Act (CCPA / CPRA), the Virginia Consumer Data Protection Act (VCDPA), and similar statutes.
- Cloud provider requirements: Google API Services User Data Policy (including Limited Use requirements), Microsoft identity platform policies, and AWS data processing terms.
The governing law of this Privacy Policy is the law of the Province of Alberta, Canada. Where the mandatory privacy laws of another jurisdiction apply to a specific user, we will comply with those mandatory requirements to the extent they are legally applicable to ThreeShield.
3. What Information We Collect
3.1 Account & Identity Information
When you register for Lavawall®, we collect your name, email address, company name, phone number (for multi-factor authentication via SMS), and billing information. If you register or sign in via a third-party identity provider (Google Workspace, Microsoft Entra ID, or similar), we receive the profile information that provider makes available under your consent, typically your name, email address, and profile identifier. We do not receive or store your third-party account password.
3.2 Device & Endpoint Security Data
When you install the Lavawall® agent on a Windows, Linux, or macOS device, we collect security and configuration telemetry from that device, including: operating system version and patch status, installed software inventory and patch state, hardware identifiers (hostname, device ID), network configuration, open ports, running services and processes relevant to security assessment, battery health indicators, antivirus and firewall configuration status, and BIOS/firmware version information. We collect the minimum information necessary to perform the Vulnerability Assessment.
The following additional data categories are collected only when the corresponding optional feature is enabled by you or your administrator:
- File Change Monitoring: If enabled, we collect file metadata including filenames, file paths, timestamps, and file sizes to detect unauthorized changes. We do not collect or transmit the contents of files.
- User Account Mapping: We collect device user account information (such as usernames and account identifiers) to map local accounts to Entra ID, Google Workspace, or Microsoft directory accounts, and to identify unused, stale, or potentially compromised accounts.
- SaaS Discovery: If enabled, Lavawall® automatically reviews email metadata only (such as sender addresses, recipient addresses, and subject lines) to identify indicators of SaaS provider usage within your organization. Email message body content is never accessed or stored.
- Phishing Reporting: If the phishing reporting tool is used, reported emails submitted by users (including email headers, metadata, and body content) are stored for investigation and security analysis purposes.
- Ticketing System: If you use the Lavawall® integrated ticketing system, emails forwarded into or through the system are stored as part of the ticket record, including headers, metadata, and body content.
- DMARC Monitoring: If DMARC monitoring is enabled, we store data contained in DMARC RUA (Reporting URI for Aggregate) reports sent to Lavawall® by mail receivers, which may include IP addresses, email volumes, and authentication results associated with your domain.
- Remote Support File Transfers: If the Lavawall® remote support function is used, files sent to or received from a managed device are transmitted through Lavawall® servers in transit. These files are not permanently stored on our servers and are relayed solely for the purpose of the active support session. You or your administrator control when a remote support session is initiated.
- Email Security Metadata: We store email contact information, subject lines, and other metadata associated with your monitored email environment to identify potential breach indicators, such as unusual email download volumes or apparent targeting of sensitive content.
All data collected by optional features is stored in our Canadian-resident infrastructure and is subject to the same protections and retention limits as all other data under this Privacy Policy.
3.3 Network, Domain & Email Security Data
When you add IP addresses, domains, or email domains to Lavawall®, we perform external scans of those network-facing assets, including: open port analysis, TLS/SSL certificate validity, DNS record configuration (DMARC, SPF, DKIM), web application headers, and public vulnerability indicators. These scans are performed from our scanning infrastructure in Calgary, Alberta, Canada and AWS infrastructure in Montréal, Québec, Canada. Scanning is limited to assets you explicitly register and authorize within the Lavawall® console.
3.4 Usage & Log Data
We collect server-side logs of console activity for security, audit, and troubleshooting purposes. Log data includes: IP addresses of console sessions, timestamps, actions performed within the console, and error information. Console session logs are not shared with third-party analytics providers. On our public-facing marketing pages only, we use third-party analytics tools described in Section 10.
3.5 Contact Form & Support Data
When you submit a contact form on our public website, we collect your name, email address, company, and message content. This information is processed through our contact form. Historically, contact form submissions were also processed by HubSpot (CRM) and Zendesk (support ticketing); we have since transitioned these functions to the Lavawall® platform hosted on Canadian servers. HubSpot and Zendesk have never had access to data within the Lavawall® console.
3.6 Payment Information
Payment card processing is performed by a PCI-DSS compliant payment processor. ThreeShield does not store full payment card numbers on its own systems. We retain transaction identifiers, amounts, and billing address information for accounting and fraud prevention purposes.
4. How We Use Your Information
We collect and use personal information only for the following purposes, which correspond to lawful bases under applicable privacy law:
- Provision of the Service: To provide, operate, maintain, and improve the Lavawall® Vulnerability Assessment and related features you have subscribed to.
- Authentication & Security: To verify your identity, protect accounts, detect and prevent fraud, and enforce multi-factor authentication.
- Billing & Account Administration: To process payments, manage subscriptions, issue invoices, and handle account changes.
- Communications: To send transactional and service-related emails (security alerts, scan results, account notifications, policy updates) and, where you have provided consent, marketing communications. You may opt out of marketing communications at any time.
- Customer Support: To respond to your inquiries and support requests.
- Legal Compliance & Audit: To comply with applicable laws, regulations, court orders, and our contractual obligations, and to maintain audit logs for security and accountability purposes.
- Aggregate Analytics: To produce anonymized, aggregated statistics about the security landscape (e.g., prevalence of unpatched software across industries) for research and public reporting. These statistics cannot be used to identify individual users or organizations.
We do not use your information for automated decision-making that produces legal or similarly significant effects without human review, nor do we use it to build advertising profiles.
5. Data Residency & International Transfers
5.1 Primary Data Locations
Lavawall® is designed and operated as a Canadian-resident platform. Your data is stored and processed in the following primary locations:
- Scanning infrastructure: Dedicated servers in Calgary, Alberta, Canada and AWS instances in Montréal, Québec, Canada.
- Databases & front-end systems: AWS in Montréal, Québec, Canada.
- Agent compilation: Calgary, Alberta, Canada.
5.2 Limited Cross-Border Processing
A limited number of operational activities involve processing outside of Canada:
- Email delivery: Transactional, notification, and ticketing-related emails are sent through our AWS infrastructure in Montréal, Québec, Canada and dedicated servers in Calgary, Alberta, Canada. Certain legacy email flows may also be routed through AWS infrastructure in Ireland (EU). In transit, email may traverse multiple countries in accordance with internet routing.
- SMS / MFA: Text messages for multi-factor authentication are delivered by Twilio, Inc., which processes the destination phone number and message content in the United States.
- Content Delivery & WAF: Agent executables, static assets, and web traffic are distributed through Cloudflare’s global edge network. Cloudflare may cache and process request metadata at edge nodes worldwide. Cloudflare is also used for risk management, Turnstile CAPTCHA, and Web Application Firewall (WAF) services. Cloudflare does not receive your console data.
- Third-party integrations (user-initiated): If you enable integrations with AWS, Microsoft, Google, Huntress, Sophos, Screen Connect, Axcient, Datto, or other supported platforms, data relevant to those integrations may be processed in the location of those providers’ infrastructure. These transfers occur only when you explicitly initiate the integration through the Lavawall® console. See Section 9.
5.3 Data Residency Requests
If you are located outside of Canada and wish to have your data stored and processed in a different country or region, please contact us via our contact form (include “Data Residency” in the subject). Where a sufficient number of users and endpoints exist in a given region, ThreeShield will work with you to establish regional infrastructure to meet your data residency requirements.
5.4 Adequacy & Transfer Safeguards
Canada has been recognized by the European Commission as providing an adequate level of data protection for the purposes of GDPR Article 45. Where personal data of EU/EEA residents is transferred to other non-adequate countries (such as the United States) for the limited purposes described above, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the data processing agreements of our sub-processors who are certified or compliant with applicable cross-border transfer frameworks.
6. Third-Party Sub-Processors & Service Providers
We engage the following categories of third-party processors to operate the Service. All sub-processors are bound by data processing agreements that restrict their use of your data to the purposes for which they were engaged:
- Amazon Web Services (AWS): Cloud hosting, databases, and email delivery infrastructure. Located in Montréal, Québec, Canada and (for email relay) Ireland, EU.
- Cloudflare: Content delivery network, web application firewall, risk management, and CAPTCHA (Turnstile). Global edge network.
- Twilio: SMS delivery for multi-factor authentication. United States.
- HubSpot (legacy): Previously used as CRM for managing contacts submitted through public contact forms and marketing communications. We have transitioned our CRM to the Lavawall® platform hosted on Canadian servers. HubSpot may retain historical contact records. HubSpot has never had access to your Lavawall® console data.
- Zendesk (legacy): Previously used for customer support ticketing. We have transitioned our support ticketing to the Lavawall® integrated platform hosted on Canadian servers. Zendesk may retain historical ticket records.
- Google Analytics / Google Tag Manager: Website analytics on public-facing pages only. Not used within the Lavawall® console.
- Facebook / Meta Pixel: Marketing analytics on public-facing pages only. Not used within the Lavawall® console.
- Payment processor: PCI-DSS compliant payment card processing. Does not receive security telemetry data.
If ThreeShield subcontracts any part of the Vulnerability Assessment, all subcontractors are bound by confidentiality and privacy obligations equivalent to those in this Privacy Policy and in our Terms of Service.
7. Data Sharing & Disclosure — We Do Not Sell Your Data
ThreeShield does not sell, trade, rent, or exchange any personal information or security data for commercial purposes. Email addresses, usernames, company names, device data, and security statistics are used solely to operate the Lavawall® Service and are not shared with any party outside of ThreeShield except:
- Sub-processors: As described in Section 6, and strictly to the extent necessary to provide the Service.
- Legal obligation: Where required by applicable law, a court order, regulatory authority, or law enforcement request with proper legal authority. We will notify you of such requests to the extent permitted by law.
- Business transaction: In the event of a merger, acquisition, or sale of substantially all assets, personal information may be transferred to the successor entity, which will be bound by this Privacy Policy or required to provide equivalent protections.
- Protection of rights: Where necessary to protect the rights, property, or safety of ThreeShield, our users, or the public.
- With your explicit consent: For any other purpose, only with your prior written consent.
8. Google User Data & Limited Use Policy
8.1 What Google Data We Access
Lavawall® may access Google user data in the following circumstances:
- Google Sign-In / OAuth: When you sign in to Lavawall® using your Google account, we receive your Google account name, email address, and profile picture from Google’s identity service. This data is used solely to authenticate you and associate your account.
- Google Workspace Integration (user-initiated): If you choose to enable the Google Workspace integration in the Lavawall® console, we may access Google Workspace security signals, directory information, or other data within the specific scopes you authorize. The specific scopes requested are displayed at the time of authorization.
8.2 How We Use Google Data
Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Google user data is used only to provide or improve the specific Lavawall® security assessment features you have enabled. It is not used for any other purpose.
- Google user data is never transferred to third parties except as necessary to provide the Service to you, as required by law, or with your explicit consent.
- Google user data is never used for serving advertisements or building advertising profiles.
- Google user data is never sold, traded, or exchanged.
- Google user data is never used for determining creditworthiness or for lending purposes.
- Humans at ThreeShield do not read your Google user data unless you explicitly provide consent, it is necessary for security or legal compliance reasons, or it is aggregated and anonymized.
8.3 Revoking Google Access
You may revoke Lavawall®’s access to your Google account at any time by visiting your Google Account Permissions page and removing Lavawall®. Within the Lavawall® console, you may also:
- Unlink the Google Workspace detailed integration at console.lavawall.com/dashboard_gw.php.
- Unlink Google or Microsoft 365 Single Sign-On at console.lavawall.com/profile.php.
Revoking access will not delete data already collected; to request deletion, see Section 13.
8.4 Public Analytics (Google Analytics on Public Pages)
We use Google Analytics and Google Tag Manager on our public-facing marketing website (lavawall.com) to understand traffic patterns and improve our public content. Google Analytics is not loaded within the Lavawall® console and does not have access to your account data or security telemetry. You may opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on or by adjusting your cookie preferences on our site.
9. Microsoft & AWS Integration Data
9.1 Microsoft Integration
If you enable Microsoft Entra ID (Azure AD) sign-in or Microsoft 365 / Azure security integrations, Lavawall® will request only the OAuth scopes necessary to provide the specific security assessment features you have activated. Microsoft user data received via these integrations is subject to the same use restrictions as described in Section 8.2 above. Data is processed in accordance with the Microsoft Trust Center policies for data accessed through the Microsoft identity platform. You may unlink Microsoft 365 Single Sign-On at any time at console.lavawall.com/profile.php.
9.2 AWS Integration
If you enable the AWS integration (e.g., to scan your AWS environment), Lavawall® uses IAM credentials you provide with the minimum necessary permissions. Lavawall® does not store AWS root credentials and recommends the use of a dedicated, read-only IAM role. Security findings retrieved from your AWS environment are stored in our Canadian-resident databases and are subject to this Privacy Policy.
9.3 Other Third-Party Integrations
Lavawall® supports integrations with Huntress, Sophos, Screen Connect, Axcient, Datto, and other platforms. These integrations are disabled by default. You must explicitly enable each integration in your Lavawall® console. Data exchanged with these platforms is limited to what is necessary for the integration’s security function and is processed in accordance with the respective provider’s privacy policies and any data processing agreements in place.
10. Cookies, Analytics & Tracking Technologies
We use the following tracking technologies on our public-facing website. The Lavawall® console uses only essential session cookies required for authentication and security; no third-party tracking is active within the console.
- Essential cookies: Required for the Service to function, including session management, CSRF protection, and Cloudflare Turnstile bot detection. These cannot be disabled without breaking the Service.
- Analytics cookies (public site only): Google Analytics, Google Tag Manager, HubSpot, and Facebook Pixel are active on our public-facing marketing pages. These technologies collect pseudonymous identifiers, page views, and interaction data to help us understand how visitors use our website. Under GDPR and applicable Canadian law, these are processed with your consent, which you may grant or withdraw via our cookie preference tool.
- Do Not Track: We honor browser-level “Do Not Track” (DNT) signals on our public website to the extent technically practicable.
11. Data Retention
We retain personal information and security data for as long as your account is active and for a reasonable period thereafter to fulfill the purposes set out in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are:
- Account & subscription data: Retained for the duration of the subscription plus seven (7) years for financial and legal compliance.
- Security telemetry & scan results: Retained for the duration of the subscription and for up to ninety (90) days after account closure, after which they are securely deleted or irreversibly anonymized.
- Server & access logs: Retained for up to twelve (12) months for security and troubleshooting purposes.
- Support ticket data: Retained for seven (7) years from ticket closure, to align with applicable contract limitation periods and to support long-term security incident review and audit requirements.
- Public website analytics: Pseudonymized analytics data is retained in accordance with the respective analytics provider’s default retention settings, typically up to 26 months.
12. Security Safeguards
ThreeShield implements administrative, technical, and physical safeguards appropriate to the sensitivity of the information we hold, including:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive data at rest.
- Multi-factor authentication (MFA) enforcement for console access.
- Cloudflare Web Application Firewall and DDoS protection.
- Principle of least privilege for internal system access.
- Regular vulnerability assessments of our own infrastructure (yes, we eat our own dogfood).
- Security awareness training for staff with access to personal information.
In the event of a data breach that creates a real risk of significant harm to individuals, we will notify affected individuals and the applicable Privacy Commissioner as required by law (within 72 hours under GDPR; as soon as feasible under PIPEDA/PIPA).
13. Your Rights & Choices
Regardless of your jurisdiction, you have the following baseline rights with respect to your personal information:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may request that we correct inaccurate or incomplete personal information.
- Deletion: You may request deletion of your account and associated personal information, subject to legal retention obligations.
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Marketing opt-out: You may unsubscribe from marketing communications at any time using the unsubscribe link in any marketing email or by submitting a request via our contact form.
- Integration revocation: You may disable any third-party integration at any time in your Lavawall® console settings.
To exercise any of these rights, please contact us via our contact form (please include “Privacy Request” in the subject). We will verify your identity before fulfilling any request and will respond within the timeframe required by applicable law.
14. Rights for Alberta & Canadian Residents
Under Alberta’s Personal Information Protection Act (PIPA) and federal PIPEDA, you have the right to:
- Know what personal information we have collected, used, or disclosed about you.
- Challenge the accuracy and completeness of your information and have it amended as appropriate.
- Withdraw consent for collection, use, or disclosure where collection was based on consent (subject to legal or contractual restrictions and reasonable notice).
- Lodge a complaint with the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) at oipc.ab.ca or with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
To exercise your Alberta or Canadian privacy rights, please use our contact form and include “Privacy Request” in the subject field.
15. Rights for EU / EEA Residents (GDPR)
If you are located in the European Union or EEA, in addition to the rights in Section 13, you have the following rights under GDPR:
Our lawful basis for processing EU personal data is: contract performance (provision of the Service you subscribed to); legal obligation (compliance with applicable law); legitimate interests (security, fraud prevention, improving the Service); and consent (marketing communications and optional analytics).
16. Rights for US Residents
16.1 California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we have collected about you, the right to delete your personal information (subject to certain exceptions), the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. ThreeShield does not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA. To exercise your California rights, use our contact form and include “California Privacy Request” in the subject field. We will not discriminate against you for exercising your privacy rights.
16.2 Other US State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy legislation have analogous rights to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of targeted advertising and profiling. ThreeShield does not engage in targeted advertising or sell personal data, so those opt-out rights are not applicable. For all other requests, use our contact form.
17. Children’s Privacy
The Lavawall® Service is intended for use by businesses and IT professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly. If you believe we may have collected information from a minor, please contact us via our contact form.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will post the updated policy on this page with a revised effective date. For material changes — those that significantly affect how we process your personal information or your rights — we will provide at least thirty (30) days’ advance notice by email to registered account holders. Your continued use of the Service after the effective date of a material change constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you may close your account before the effective date.
19. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the Province of Alberta and the applicable federal laws of Canada. Where there is a conflict between this Privacy Policy and the mandatory privacy laws of another jurisdiction applicable to a particular user, we will apply the standard most protective of individual privacy rights.
If you have questions about this Privacy Policy or how we handle your personal information, please use our contact form and include “Privacy” in the subject field.
ThreeShield Information Security Corporation — Calgary, Alberta, Canada — Effective April 8, 2025 — Last Reviewed April 8, 2026