MAS Pilot LLC operates maspilot.io. This Privacy Policy explains how we collect, use, and protect information from users of our GSA MAS compliance platform.
When you create an account, we collect your name, work email address, organization name, and billing information. Billing information is processed by our payment provider and is not stored on MAS Pilot servers.
MAS Pilot is pre-launch; the description below is the platform's target design. When you upload TDR data for validation, the platform is designed to process that data in memory for validation purposes only and not persist it to a database. Validation results are temporarily stored to display your report and deleted after 30 days. Independent attestation of these controls (SOC 2 Type II) is planned prior to general availability; enterprise evaluators may request current status under NDA.
We collect information about how you use the Service to improve it. This data is not sold to third parties.
We do not sell your personal information. We do not use your TDR data to train models.
Account information is retained for the duration of your subscription plus 90 days after cancellation. Validation results are retained for 30 days. Transactional pricing data is not retained beyond the validation session. Application audit logs are retained for 7 years, aligned to federal contractor records-management practice under FAR Part 4 (including FAR 4.703 as applicable to contract-related records). FAR 4.703 governs contractor retention of contract-related records; MAS Pilot's audit-log retention is set to that baseline and is not itself a statement that FAR 4.703 prescribes a SaaS audit-log retention period.
We implement encryption in transit and at rest, role-based access controls, multi-factor authentication for administrative access, and comprehensive audit logging. See our Security page for the breakdown of what is implemented today versus planned prior to general availability.
If MAS Pilot becomes aware of a security incident that has resulted in, or is reasonably believed to have resulted in, unauthorized acquisition of unencrypted personal information, we will notify affected contractors within 72 hours of confirming the incident, unless a longer delay is required by law-enforcement request. Notifications will describe the categories of information involved, the steps MAS Pilot has taken in response, and the steps we recommend the contractor take. This commitment is consistent with the Maryland Personal Information Protection Act (MD Code Com. Law §14-3504), state-equivalent breach-notification statutes, and the GDPR 72-hour controller-notification standard where applicable. Where MAS Pilot acts as a processor, we will notify the responsible Controller without undue delay upon becoming aware of a breach so the Controller can meet its own notification obligations.
You may request access to, correction of, or deletion of your personal information at any time by contacting [email protected]. We will respond within 30 days.
We use essential cookies for authentication and session management only. See our Cookie Policy for full details. We do not use advertising or third-party tracking cookies.
Material changes will be communicated via email at least 15 days before taking effect.
Privacy inquiries: [email protected] · Legal notices: [email protected] · MAS Pilot LLC · Washington, DC