Exposure Watch Security and Subprocessors Notice
Effective date: June 15, 2026
Company: Exposure Watch, Inc.
Security contact: security@exposurewatch.co
This notice summarizes Exposure Watch's security and vendor posture.
1. Security posture
Exposure Watch publishes only controls that are implemented:
- We use role-based access controls for customer accounts.
- We use encryption in transit for web traffic.
- We use commercially reasonable safeguards designed to protect customer data.
- We monitor the Service for security, reliability, and abuse.
- We restrict employee/contractor access based on business need.
- We review vendors that process customer personal data.
Exposure Watch does not claim SOC 2, ISO 27001, HIPAA compliance, penetration testing, or 24/7 security operations unless those controls or certifications are expressly stated in writing.
2. Customer security responsibilities
Customers are responsible for managing authorized users, removing departed personnel, maintaining accurate alert contacts, securing email accounts, protecting devices, and using strong authentication where available.
3. Subprocessor list
Exposure Watch uses the following service providers to operate the Service. Additional providers may be listed as the Service evolves.
| Provider | Purpose | Data processed | Location | Link to vendor privacy/security page |
|---|---|---|---|---|
| Amazon Web Services | Application hosting and infrastructure | Account, facility, alert, log, and application data | United States | https://aws.amazon.com/privacy/ |
| Stripe | Payments and subscriptions | Billing contact, subscription, and transaction data | United States and other regions where Stripe operates | https://stripe.com/privacy |
| Email service provider | Sign-in links, service notices, and alerts | Email addresses and message metadata | United States | Provider documentation or privacy notice |
| SMS service provider | Text alerts when enabled | Phone numbers and message metadata | United States | Provider documentation or privacy notice |
| Analytics or error-monitoring provider | Product analytics, debugging, and reliability | Usage data, device data, logs, and error details | United States or provider-defined regions | Provider documentation or privacy notice |
| Customer support tools | Customer support communications | Support communications and account context | United States or provider-defined regions | Provider documentation or privacy notice |
4. Incident notice
If Exposure Watch confirms unauthorized access to Customer Personal Data, Exposure Watch will notify affected customers without undue delay and provide information reasonably available about the nature of the incident, affected data, mitigation steps, and customer actions.
5. Vulnerability reporting
Report suspected vulnerabilities to security@exposurewatch.co. Do not access, modify, delete, export, or disclose data that is not yours. Do not disrupt the Service or run tests without written authorization.
6. PHI exclusion
Exposure Watch is not designed to process PHI. Customers must not submit PHI, patient records, resident names, medical information, or clinical data.