Company Information
NISTA Technologies is the trading name of NISTA LLC, a limited liability company registered in the State of Maryland, United States. NISTA engineers AI-powered software products, enterprise platforms, and secure cloud-native systems for commercial, nonprofit, education, healthcare, and government customers. References to "NISTA," "we," "our," and "us" in this Policy mean NISTA LLC and its affiliates acting as the data controller or processor described in the applicable engagement.
Registered contact: NISTA LLC · Maryland, USA · privacy@nistatech.com.
Information We Collect
We collect only the information necessary to operate our website, deliver our products, meet contractual obligations, secure our systems, and comply with law. The categories below describe what we may collect, how, and why.
Personal Information
- Identifiers — name, work email, phone, job title, employer, and country.
- Account data — authentication identifiers, hashed credentials, MFA state, and session metadata.
- Communications — messages you send us via forms, email, support tickets, or scheduled calls.
- Recruiting data — résumé, work history, and interview notes when you apply to NISTA.
Business Information
- Organization name, size, industry, and procurement contacts.
- Billing and tax information required to invoice enterprise customers.
- Contract terms, statements of work, and negotiated commercial data.
- Vendor and partner intake information for teaming and subcontracting.
Government Contract Information
When engaging with federal, state, local, tribal, and territorial agencies, NISTA may process registration identifiers (UEI, CAGE), NAICS codes, capability statements, past performance references, and information required by acquisition regulations (FAR / DFARS). Handling of Controlled Unclassified Information (CUI) follows NIST SP 800-171 and contract-specific safeguards.
Technical Data
- Device, browser, operating system, and language.
- IP address, approximate geolocation (country / region), and access timestamps.
- Referrer URL, pages viewed, and product-usage telemetry.
- Diagnostic data required to investigate errors and security events.
Log Files
Our systems generate server, application, and security logs. Logs may include IP addresses, request paths, response codes, user agents, and correlation identifiers. Logs are retained only as long as needed for security, reliability, and compliance investigations.
Analytics
We use privacy-respecting product and web analytics to measure aggregate performance, adoption, and reliability. Where analytics involve third-party processors, we configure IP truncation, restrict data sharing, and disable advertising features unless a customer explicitly opts in.
AI Usage
NISTA products may use AI models to summarize, classify, transcribe, translate, generate, or reason over content you provide. Customer inputs to AI features are treated as customer data:
- Customer content is not used to train foundation models operated by third parties, unless a customer explicitly opts in.
- Access to AI features is isolated per tenant and per environment.
- Prompt, response, and evaluation logs are retained under the same controls as other customer data.
- Model selection, providers, and regions are documented per product and configurable for regulated workloads.
See our Responsible AI policy for governance details.
Data Engineering Operations
NISTA operates data engineering services on behalf of customers, including ingestion, transformation, governance, and analytics enablement. In these engagements NISTA typically acts as a data processorunder a written agreement, processing customer data solely under documented instructions.
Data Pipelines
Pipelines are designed with least-privilege service identities, tenant isolation, encrypted transport, schema validation, deterministic transformations, lineage tracking, and audit logging. PII and sensitive fields are tokenized or masked where the downstream consumer does not require them.
Cloud Services
NISTA operates primarily on major hyperscale cloud providers (AWS, Microsoft Azure, Google Cloud, and edge platforms). Regions and residency are selected per engagement. Production workloads are separated from corporate systems and from non-production environments.
Third-party Services
NISTA uses a limited, reviewed set of subprocessors. Representative examples:
- Microsoft — corporate productivity, identity, and Azure infrastructure.
- Google — Google Cloud services, workspace tooling, and analytics (configured for privacy).
- Stripe — payment processing for commercial subscriptions.
- Azure — compute, storage, networking, AI, and identity services.
- AWS — compute, storage, networking, and managed data services.
- OpenAI — foundation-model inference for AI features, configured with data-processing terms and no training use of customer data.
- Anthropic — foundation-model inference for AI features, configured with data-processing terms and no training use of customer data.
- Hosting providers — CDN, DNS, edge, and observability providers used to deliver the website and services.
A current subprocessor list is available on request from privacy@nistatech.com.
Security
NISTA maintains administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. See our Security page for a full description of controls.
Encryption
Data in transit is encrypted using TLS 1.2+ (TLS 1.3 preferred). Data at rest is encrypted using AES-256 or equivalent, with keys managed in dedicated KMS/HSM services. Customer data in regulated workloads may use customer-managed keys where supported.
Retention
We retain information only for as long as required to deliver services, meet legal and contractual obligations, and support legitimate business needs. Retention periods are documented per data category in our internal records-management program and, for customer data, in the applicable contract.
Government Requests
NISTA reviews government requests for legal validity and scope. Where permitted, we notify affected customers before disclosure, challenge overbroad requests, and produce only the minimum information required. Emergency disclosures follow a documented internal review process.
International Transfers
Where NISTA transfers personal data across borders, we rely on lawful transfer mechanisms including Standard Contractual Clauses, adequacy decisions, or the applicable data-transfer framework. Regional data residency is available for qualifying engagements.
California (CCPA / CPRA)
California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. NISTA does not sell or share personal information as defined by the CCPA. To exercise your rights, contact privacy@nistatech.com.
GDPR / UK GDPR
Where NISTA acts as a controller of EU/UK personal data, we process it on the lawful bases of contract, legitimate interests, consent, or legal obligation. Data subjects may exercise their rights of access, rectification, erasure, restriction, portability, and objection. Where NISTA acts as a processor, we do so under a written Data Processing Addendum.
Other U.S. State Privacy Laws
NISTA honors comparable rights under Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other state privacy laws as they take effect. Requests are handled through the same channel as CCPA and GDPR requests.
Your Rights
- Right to access the information we hold about you.
- Right to request correction or deletion.
- Right to object to or restrict certain processing.
- Right to portability of information you provided.
- Right to withdraw consent where processing is based on consent.
- Right to appeal a decision on a rights request.
Submit requests to privacy@nistatech.com. We respond within statutory timeframes.
Children's Privacy
NISTA products are designed for enterprise, government, and organizational use. We do not knowingly collect personal information from children under 13 (or under the applicable age of digital consent in your jurisdiction) without verifiable parental or organizational consent.
Contact Information
Questions about this Policy, or to exercise your rights, contact:
NISTA LLC · Attn: Privacy · Maryland, USA
privacy@nistatech.com
