Privacy Policy

MAST Consulting Group (“MAST”, “we”, “us”) operates the MAST GRC Platform. This policy explains what personal data we process, why, how long we keep it, and the rights you have over it. We align our practices with ISO/IEC 27701, the GDPR, the UAE PDPL and the KSA PDPL.

Last updated · June 2, 2026

1. Scope of this policy

This Privacy Policy applies to information processed through (a) our public websites (including mastgt.com), (b) the MAST GRC Platform SaaS application, and (c) communications with our sales, support and security teams. When you access an instance of the platform on behalf of an organisation (your "Tenant"), that organisation is the data controller for content you enter; MAST acts as a data processor on its behalf.

2. What data we collect

  • Account data — full name, business email, organisation, role, locale, country.
  • Authentication data — hashed credentials, MFA factors, session tokens, IP address and user-agent of sign-in events.
  • GRC content — controls, risks, audits, findings, policies, evidence files and other artefacts you upload.
  • Telemetry — feature usage, error traces, latency and uptime metrics (no third-party advertising trackers).
  • Support communications — tickets, contact form submissions and email correspondence.
  • Billing data — company name, billing contact, VAT/TRN, invoices (payment card data is handled directly by our PCI-DSS Level 1 payment processor; we never store full card numbers).

3. How we use your data

  • Provide, secure and improve the platform and its modules.
  • Authenticate users, enforce role-based access and detect abuse.
  • Send transactional emails (account, approval, rollout and audit notifications).
  • Provide customer support and respond to enquiries.
  • Comply with legal obligations and protect our legal rights.
  • Generate aggregated, de-identified analytics to improve the product.

We do not sell personal data and we do not use customer GRC content to train third-party AI models.

4. Lawful bases for processing

Depending on the activity, we rely on: (i) contract — to deliver the platform you or your organisation signed up for; (ii) legitimate interests — to keep the service secure and improve it; (iii) legal obligation — to meet accounting, security and regulatory requirements; (iv) consent — for any optional marketing communications, which you can withdraw at any time.

5. Sharing & sub-processors

We share personal data only with vetted sub-processors that support the service — including our cloud hosting provider, transactional email provider, object storage and observability platform. A current list of sub-processors, certifications and data-processing terms is available on request. Each sub-processor is bound by a written data processing agreement consistent with GDPR Art. 28.

6. International data transfers

By default, tenant data is stored in the region selected by your organisation (e.g. EU, UAE, KSA, US, India). Where data is transferred outside its home region we rely on Standard Contractual Clauses, UK IDTA, or equivalent local mechanisms together with supplementary technical measures such as encryption in transit and at rest.

7. Retention

  • Active tenant content — for the duration of your subscription.
  • Backups — encrypted and retained for up to 35 days, then irreversibly deleted.
  • Audit logs and security events — up to 24 months.
  • Support tickets — up to 36 months after closure.
  • Contact form submissions — up to 24 months unless you ask us to delete sooner.

8. Your rights

Subject to local law, you have the right to access, correct, port, restrict or erase your personal data, and to object to certain processing. To exercise a right, write to privacy@mastgt.com. We respond within 30 days. If we act as a processor on behalf of your organisation, we will route the request to the tenant administrator.

9. Security measures

The platform operates under an ISO/IEC 27001 information security management system and a SOC 2 Type II control environment. Controls include AES-256 encryption at rest, TLS 1.2+ in transit, hardware-key-based MFA for production access, least-privilege role-based access control, continuous vulnerability scanning, quarterly penetration testing and 24×7 monitoring. See the Security page for details.

10. Children's data

The platform is intended for business use. We do not knowingly collect personal data from individuals under 16. If you believe a minor has provided data to us, contact us and we will delete it.

11. Changes to this policy

We will notify tenant administrators by email of any material change at least 30 days before it takes effect. Continued use of the platform after that date constitutes acceptance.

12. Contact our Data Protection Officer

MAST Consulting Group — Data Protection Office
Email: dpo@mastgt.com