Privacy & Intel Protocols
Our operating procedures are designed to protect the integrity of your data. We operate on a need-to-know basis, ensuring every byte of information is fortified against unauthorized access.
DATA COLLECTION [INTEL GATHERING]
ACCOUNT DATA
Identifiers, clearance levels, and authentication hashes required for node entry.
LAB LOGS
Full telemetry of virtual environment interactions and vulnerability exploitations.
CALENDAR SYNC
Optional, for anyone who connects a Google Calendar: we read only your busy/free times (never event titles or contents) to adjust bookable availability, and — using a dedicated calendar our app creates — we add or remove events for sessions you book. We store an encrypted refresh token; disconnecting erases the data and revokes our access.
YOUTUBE PUBLISHING
Administrators only: when an admin connects our official YouTube channel, we upload lesson videos to it as unlisted, update their titles and descriptions, and delete them when a lesson is removed. We access only videos our app creates on our own channel and store an encrypted refresh token; disconnecting revokes our access.
SESSION RECORDINGS
When you take part in a live one-to-one or group session, it is recorded and transcribed as standard — audio, video, shared screens, and chat — and you are notified while recording is active. Through AI session insights (on by default; off in your profile) we generate transcripts, notes, and personalised feedback, on our own systems and via Anthropic's Claude. Recordings and transcripts are kept for up to 12 months. We never sell them or share them with a third party to train its models.
STRICT_MODE: ACTIVE LOG_LEVEL: PERFORMANCE_ONLY PII_FILTER: ENFORCEDDATA USAGE
Collected telemetry is used exclusively for operational analysis. We analyze your progression to calibrate training difficulty and ensure curriculum efficacy.
- check_circle Optimize curriculum delivery speed
- check_circle Detect anomalous system behavior
- check_circle Benchmark against industry standards
DEFENSIVE MEASURES
Zero-Trust Architecture
Verification is required for every access request, regardless of origin.
At-Rest Encryption
All intellectual assets are scrambled using FIPS 140-2 compliant algorithms.
ENCRYPTION & EXFILTRATION
DEFENSE_GRID does NOT sell operator intel to external entities. Data is only shared with authorized processors (e.g., Stripe for encrypted payments).
Who controls your data
The data controller for DEFENSE_GRID is ORIGIN TEN LTD (trading as Korra Studio), a company registered in England & Wales under company number 13753392, with its registered office at Building 2, 1st Floor, C/O Elsg, Croxley Green Business Park, Watford, England, WD18 8YA. For any privacy question or to exercise your rights, contact build@korra.studio.
Processors we use
We share the minimum data necessary with vetted processors who act only on our instructions under a data-processing agreement:
- ›Keycloak (self-hosted identity provider) — stores your login credentials and authentication data.
- ›Amazon Web Services — hosting, database, and file storage (profile images, course media).
- ›Stripe — payment processing and subscription billing. We never see or store your full card details.
- ›Email delivery — transactional messages (account, billing, and support notifications).
- ›Google APIs — Google Calendar (read-only busy/free access, plus a dedicated app-created calendar for your booked-session events) and, for administrators, the YouTube Data API (uploading and managing lesson videos on our own channel). Governed by Google's API Services User Data Policy, including its Limited Use requirements.
- ›Anthropic (Claude API) — where a session is recorded and you have AI insights switched on, Claude helps transcribe, summarise, and analyse it so we can generate notes and feedback. Anthropic processes this under its commercial terms and does not use your content to train its models. Some AI analysis also runs on our own self-hosted models on our own infrastructure.
Why we can process it
We process account and training data to perform our contract with you (providing the service), billing data to comply with legal obligations (tax/accounting), and security logs under our legitimate interest in keeping the platform safe. Recording and transcription are a standard, disclosed condition of live sessions, processed to deliver, review, and safeguard them on the basis of our contract with you and our legitimate interest in running the service safely. AI session insights are on by default; you can withdraw them at any time in your profile, which also stops any use of your recordings to improve our own models.
How long we keep it
We keep your data while your account is active. If you delete your account, personal and training data is erased immediately; billing records are retained only as long as tax and accounting law requires. Session recordings and transcripts are kept for up to 12 months and then deleted; you can ask us to delete a recording sooner.
Where it's processed
Your data is hosted in the United Kingdom (AWS London, eu-west-2). Where a processor (such as Stripe) transfers data outside the UK/EEA, that transfer relies on an adequacy decision or Standard Contractual Clauses.
Right to complain
If you believe we've mishandled your data you can lodge a complaint with your supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk).
Google API Services
Korra Studio's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, we never sell it, and we do not allow humans to read it except with your consent, for security, or where required by law.
GOOGLE USER DATA WE ACCESS
If you connect Google Calendar, we access: your Google account email address (to identify the connection), your list of calendars, and free/busy time ranges from the calendars you enable — never event titles, descriptions, locations, attendees, or any other event content. We also create, update, and delete events on a dedicated "Korra Studio Sessions" calendar that our application creates in your account; we cannot see events on any of your other calendars. If an administrator connects our YouTube channel, we access the connecting account's email address and the videos our application uploads to our own channel. For each connection we store an encrypted OAuth refresh token.
HOW WE USE GOOGLE USER DATA
Google user data is used only to provide the feature you connected it for: free/busy times are used solely to hide time slots where you are unavailable from the session-booking calendar; events are added to (or removed from) the app-created calendar only when a session you participate in is booked or cancelled; YouTube access is used only to upload lesson videos to our own channel as unlisted and to update or delete them when the lesson changes. We do not use Google user data for advertising or marketing, we do not build profiles from it, and we do not use it to develop, improve, or train generalised AI or machine-learning models.
SHARING OF GOOGLE USER DATA
We do not sell Google user data, and we do not share, transfer, or disclose it to any third party. It is stored only on our own infrastructure hosted with Amazon Web Services (our hosting processor, acting under our instructions) and is disclosed only where required by law. No other processor listed above receives Google user data.
HOW WE PROTECT GOOGLE USER DATA
OAuth refresh tokens are encrypted at rest with AES-256-GCM before being stored and are only ever decrypted on our servers — they are never sent to your browser or any third party. All Google user data is transmitted over TLS (HTTPS), stored in an access-controlled database, and handled exclusively by server-side code.
RETENTION & DELETION OF GOOGLE USER DATA
We retain Google user data only while your connection is active. Cached free/busy intervals are continuously replaced, and the moment you disconnect a calendar or account (from your availability or profile page) or delete your account, the stored tokens and cached data are deleted and our access is revoked with Google. You can also revoke our access at any time from your Google Account security settings (myaccount.google.com/permissions), or email build@korra.studio to request deletion of any Google user data we hold.
This application uses YouTube API Services to upload and manage lesson videos on our own channel. Your use of that feature is also governed by the YouTube Terms of Service and Google's Privacy Policy:
Secured Learning Environment
Your focus should be on the code, not the risks. We handle the fortification so you can handle the innovation.