The short version
- We collect only what we need to run your scoping workspace and process your payment.
- Payments go through Stripe. We never see or store your card number.
- Your workspace data is stored with Netlify, keyed to your access token.
- We don't sell your data, run advertising trackers, or share it except with the processors below.
- You can export or delete your data at any time by emailing ngr.admin@proton.me.
- Do not enter actual CUI, FCI, or classified information into the workspace — it is a scoping and planning tool, not a CUI repository.
1 Who we are
CUIstandard.com ("CUIstandard," the "Site," "we," "us," or "our") is operated by NextGenRails™. We provide an interactive CUI scoping and CMMC Level 2 readiness workspace. This Privacy Policy explains what personal information we collect, how we use and protect it, who we share it with, and the choices and rights you have.
This policy applies to the CUIstandard.com website and the workspace, wizard, and checkout features delivered through it. It does not apply to third-party websites we link to, which have their own privacy policies.
If you do not agree with this policy, please do not use the Site.
2 Information we collect
2.1 Information you provide to the scoping workspace
When you use the CUI Scoping Wizard and workspace, you enter descriptive information about your organization's environment. This may include your organization name, descriptions of your system boundary, lists of users and roles, asset and inventory descriptions, CUI category selections, incident-response contact names and details, milestone progress, and free-text notes. We refer to this collectively as your "Workspace Data."
2.2 Payment information
When you purchase a subscription or one-time product, payment is processed by Stripe, Inc. We receive confirmation of payment and limited details such as your Stripe customer and subscription identifiers and subscription status. We do not collect, see, or store your full payment card number, CVC, or bank details — those are handled directly by Stripe under its own privacy policy.
2.3 Communications
If you contact us at ngr.admin@proton.me, we receive your email address and the contents of your message, which we use to respond to and resolve your request.
2.4 Information collected automatically
Like most websites, our hosting infrastructure automatically logs certain technical data when you visit, including your IP address, browser type and version, device and operating system information, referring pages, and timestamps. This data is generated through our hosting provider (Netlify) for security, reliability, and abuse prevention.
The Site loads web fonts from Google Fonts. When your browser requests these fonts, Google may receive your IP address and request metadata. The Site does not run third-party advertising or behavioral-analytics trackers.
Your wizard answers are temporarily held in your browser's session storage so your progress isn't lost while you move through the questions; this is cleared when you close the tab. Your access token is held only in your browser's memory for the duration of your session and is not stored persistently by us in your browser.
3 What you should not submit
CUIstandard is a tool to help you scope and identify where Controlled Unclassified Information (CUI) lives in your environment. It is not an authorized system for storing, processing, or transmitting CUI, Federal Contract Information (FCI), ITAR-controlled data, classified information, or live system credentials. Do not enter actual CUI or any controlled or classified content into the workspace. Enter only the descriptive, planning-level information needed to scope your program. You are responsible for ensuring the information you submit complies with your own obligations.
4 How we use your information
We use the information we collect to:
- Create, deliver, save, and export your personalized scoping workspace;
- Generate and deliver your access token and verify your subscription status;
- Process payments, manage subscriptions, and handle cancellations through Stripe;
- Provide customer support and respond to your inquiries;
- Maintain the security, integrity, and reliability of the Site and prevent abuse;
- Comply with our legal obligations and enforce our Terms of Service.
We do not use your Workspace Data for advertising, and we do not sell it.
5 Legal bases for processing (EEA/UK users)
If you are in the European Economic Area or the United Kingdom, we process your personal data on the following bases:
- Performance of a contract — to deliver the workspace and products you purchase;
- Legitimate interests — to secure, operate, and improve the Site, where not overridden by your rights;
- Legal obligation — to meet record-keeping, tax, and compliance requirements;
- Consent — where we ask for it, which you may withdraw at any time.
6 How we share information
We do not sell your personal information. We share it only with the service providers ("sub-processors") that make the Site work, and only as needed for them to perform their function:
| Provider | Purpose | Data involved |
|---|---|---|
| Stripe, Inc. | Payment processing & subscription billing | Payment details, customer/subscription IDs, email |
| Netlify, Inc. | Website hosting, serverless functions & workspace data storage (Netlify Blobs) | Workspace Data, access tokens, server logs, IP address |
| Google LLC (Google Fonts) | Serving web fonts | IP address, request metadata |
We may also disclose information if required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of NextGenRails™, our users, or others. If NextGenRails™ is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this policy.
7 Data storage, retention & security
Your Workspace Data is stored in Netlify Blobs and is associated with your unique access token. Data is transmitted over encrypted connections (HTTPS/TLS).
Your account is secured by an access token rather than a username and password. Anyone who has your token can access your workspace, so keep it private and treat it like a password. We cannot recover a lost token, but we can revoke it and issue a new one if you contact support and verify your purchase.
Retention. We retain your Workspace Data for as long as your subscription is active. If your subscription is cancelled or a payment fails, your workspace is deactivated. We may retain limited transaction and communication records as needed for legal, tax, and accounting purposes. You may request deletion of your Workspace Data at any time (see Section 8).
No method of transmission or storage is perfectly secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.
8 Your rights & choices
Depending on where you live, you may have some or all of the following rights regarding your personal information:
- Access — request a copy of the personal data we hold about you;
- Portability / export — your workspace includes a built-in export feature, and you may also request your data in a portable format;
- Correction — ask us to correct inaccurate data;
- Deletion — ask us to delete your Workspace Data and associated records;
- Restriction or objection — ask us to limit or stop certain processing;
- Withdraw consent — where processing is based on consent.
To exercise any of these rights, email ngr.admin@proton.me. We will respond within the timeframe required by applicable law. You may also lodge a complaint with your local data protection authority.
California residents
We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA), and we do not use it for cross-context behavioral advertising. California residents may exercise their rights to know, delete, and correct by contacting us at the email above, and we will not discriminate against you for doing so.
9 Cookies & similar technologies
The Site does not use cookies for advertising or third-party analytics. We use only what is necessary to operate the Site: temporary browser session storage to preserve your wizard progress, and in-memory handling of your access token during your session. Stripe may set its own cookies during the secure checkout process, governed by Stripe's privacy policy.
10 International data transfers
NextGenRails™ operates from the United States, and our providers (including Stripe and Netlify) process and store data in the United States and other countries. If you access the Site from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have data protection laws that differ from those in your country.
11 Children's privacy
The Site is intended for business and professional use and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us information, contact us and we will delete it.
12 Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date above and post the new version at this URL. Material changes may be communicated through the Site. Your continued use of the Site after an update constitutes acceptance of the revised policy.
13 Contact us
If you have questions, requests, or concerns about this Privacy Policy or your personal information, contact:
NextGenRails™
Email: ngr.admin@proton.me
This Privacy Policy is provided for transparency and does not constitute legal advice. CUIstandard is a planning and scoping tool and does not guarantee certification, audit passage, or regulatory compliance.