Privacy Policy
Introduction
717 DEV LLC ("717 DEV", "we", "us") provides AI security, application security, and software engineering services. This Privacy Policy describes the limited information we collect through our website and how we handle it.
We aim to be straightforward: we don't run advertising, we don't sell or share data with third parties for their use, and we don't track visitors with analytics. The information we collect comes from the contact form on this site, and it's used to respond to your inquiry.
Scope
This policy covers personal information we collect through our website at 717dev.com. It does not govern data we receive in the course of a security engagement — that's covered separately by the engagement-specific agreements (NDA, MSA, or SOW) you sign with us. See Engagement & Client Data below for an overview of how that data is handled.
Information We Collect
When you submit our contact form, we collect what you choose to provide:
- Your name
- Your email address
- Your phone number (optional)
- The engagement type you select (optional)
- The message you write
We do not set advertising trackers or analytics cookies on this site, and we do not maintain user accounts. The site sets no cookies in normal operation. Web fonts are self-hosted on the same origin as the rest of the site — no third-party font service is used.
This site and our services are intended for businesses and adults. We do not knowingly collect personal information from children under 13. If we become aware that we have, we will delete it promptly.
How We Use Your Information
We use the information you submit through the contact form solely to:
- Respond to your inquiry
- Continue the conversation by email or phone, if you've initiated one
- Maintain reasonable records of business communications
We do not use your information for marketing, advertising, automated decision-making, or any purpose unrelated to the conversation you started with us.
Engagement & Client Data
When you engage 717 DEV for security work, you may share systems access, source code, architecture documents, vulnerability data, or other sensitive information with us. That data is governed by the engagement agreement (NDA, MSA, SOW) you sign with us, which typically provides:
- Mutual non-disclosure with no expiration on confidentiality of sensitive material
- Encrypted transport for all sensitive material
- Storage on infrastructure with access limited to the engagement team
- A documented chain of custody for findings, reports, and supporting artifacts
- Return or secure destruction of engagement data on closure, except where retention is required by law or your written authorization
If your engagement involves regulated data (HIPAA, PCI DSS, SOC 2 evidence, ITAR/EAR-controlled material, or similar), additional contractual terms apply and are negotiated before access is granted.
Third-Party Services
The website relies on a small number of third-party services. We chose each for its limited data collection and clear privacy posture:
- FormSubmit — processes contact-form submissions and delivers them to us via email. Form data passes through FormSubmit's infrastructure to reach us; their handling is governed by their own privacy policy.
- Microsoft Azure Static Web Apps — hosts the website and serves all assets, including self-hosted web fonts. Standard server access logs (timestamp, request path, status code, IP, user agent) are generated for security and abuse-prevention purposes.
We do not use analytics, advertising, or marketing-automation services on this site.
Data Hosting & International Transfers
Our website is hosted on Microsoft Azure infrastructure in the United States. FormSubmit (which processes contact-form submissions) operates from the United States. If you are located outside the United States, your information may be transferred to and processed in the United States or other jurisdictions where our service providers operate.
Where required by law (such as GDPR's Chapter V), we rely on Standard Contractual Clauses or equivalent safeguards for international transfers of personal information.
Data Retention
- Contact form submissions — retained for the life of the inquiry plus a reasonable period for business records (typically up to 24 months), then deleted.
- Engagement data — retained per the engagement agreement; returned or destroyed at closure unless otherwise specified.
- Server access logs — retained for up to 90 days for security and abuse-prevention purposes, then deleted or anonymized.
If you'd like us to delete your information sooner than these defaults, see Your Rights below.
Data Security
Security is what we do, and we apply the same rigor to our own data handling that we expect from our clients:
- In transit — All connections to this site are encrypted via HTTPS using TLS 1.2 or higher. We enforce HSTS to prevent downgrade attacks.
- At rest — Inquiries delivered to our email infrastructure are stored on services that provide encryption at rest by default. We do not maintain a separate visitor database.
- Access control — Information is accessible only to 717 DEV personnel with a legitimate business need. Multi-factor authentication is required for all administrative accounts.
- Operational practices — We apply current patching, principle-of-least-privilege, change review, and monitoring to our own infrastructure, the same practices we recommend to clients.
- Content Security Policy — This site enforces a strict CSP, framing protections, and a Permissions-Policy that disables sensors and APIs we don't use.
No system is impenetrable, and we don't pretend otherwise. We design assuming threats are real, apply current best practices, and continuously evaluate our posture against emerging risks.
Security Incidents
In the event of a confirmed security incident affecting personal information we hold:
- We will investigate, contain, and remediate as a priority.
- We will notify affected individuals and applicable regulators within the timeframes required by law — including, where applicable, the 72-hour notification requirement under GDPR Article 33 and applicable state breach-notification laws in the United States.
- Notifications will describe what happened, what data was involved, what we have done in response, and what (if anything) you should do.
- We will cooperate fully with law enforcement and regulatory authorities as required.
For incidents involving client engagement data, the notification process and timelines defined in the relevant engagement agreement take precedence.
Your Rights
Depending on your jurisdiction, you have the right to:
- Access — confirm whether we hold information about you and obtain a copy
- Rectification — correct inaccurate or incomplete information
- Erasure — request that we delete your information, subject to legal retention obligations
- Restriction — limit how we process your information
- Data portability — receive your information in a structured, machine-readable format
- Objection — object to processing based on our legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email info@717dev.com with "Privacy Request" in the subject line. We will respond within 30 days. We will not discriminate against you for exercising your rights.
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the rights described above, including the right to know what categories of personal information we collect, the right to deletion, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under CCPA/CPRA.
If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR grant additional rights, including the right to lodge a complaint with a supervisory authority. Our legal basis for processing is generally contract performance (responding to your inquiry) or our legitimate interest in operating the site securely and responding to business inquiries.
Updates to This Policy
We may update this policy from time to time. The "Last updated" date at the top of the page will reflect the current version. Where the changes are material, we will communicate them through other means — for example, a prominent notice on this page or, for active engagements, direct notice to our client contact.
Contact
For questions about this policy or to exercise any of the rights described above:
- 717 DEV LLC
- Email: info@717dev.com (use "Privacy Request" in the subject)
- Phone: 717.856.7486