Welcome to Cybersecurity Coalition for Education (CC4E) Cybersecurity Rubric (CR) AI-Enabled Sidekick ("we," "our," or the "Service"). This Privacy Policy explains how we collect, use, and protect your information when you use our AI chatbot assistant for CC4E Cybersecurity Rubric 2.0 self-assessments.

This Service is designed with privacy in mind, using browser-based storage and collecting only the data necessary for service functionality. We are committed to protecting your privacy and being transparent about our data practices. Review our Terms of Service for using the CR Sidekick.

Information We Collect

Information You Provide

  • Chat Messages: Your conversations with the AI assistant, including questions and responses
  • Uploaded Files: Documents you upload for analysis (PDFs, images, text files)
  • Assessment Data: Your cybersecurity maturity self-assessments and rubric scores

Automatically Collected Information

  • Session Identifiers: Unique IDs generated to manage your conversation history
  • Usage Analytics: Assessment analytics for Google Sheets integration (function, domain, scores)
  • Technical Information: Browser type, device information (only for service functionality)

How We Use Your Information

The information we gather is used for these purposes:

  • Provide AI Assistance: Processing your messages and uploaded files to generate relevant responses
  • Document Analysis: Extracting and analyzing content from uploaded documents to answer your questions
  • Assessment Support: Helping you evaluate cybersecurity maturity levels across rubric domains
  • Google Sheets Integration: Updating rubric checkboxes based on assessment results
  • Generate Reports: Creating PDF reports summarizing your cybersecurity self-assessment results

Data Storage and Retention

Data Retention Summary

We maintain clear retention limits for all data types, as summarized below:

  • Chat history: Stored locally until cleared by the user
  • Uploaded files: Temporary, deleted after processing
  • Report metadata: Retained for up to 30 days for service improvement
  • Google Sheets mappings: Retained until revoked

Browser-Based Storage

Conversation History: Your chat conversations are stored locally in your browser using local storage. This means your conversation data never leaves your device and is not stored on our servers. You can clear this data at any time by using the clear conversation feature or clearing your browser's local storage.

Temporary Server Storage

  • Uploaded Files: Temporarily stored on our server for document analysis, then deleted after processing
  • Assessment Reports: Generated PDF reports are temporarily stored for download, then automatically removed
  • Session Data: Minimal session metadata kept temporarily to maintain conversation context

Database Storage

We store the following in our database for service functionality:

  • File metadata (filename, upload date, session ID) - not file contents
  • Assessment report metadata (function, category, generation date)
  • System configuration (bot settings, suggested prompts)
  • Google Sheets mappings for checkbox automation

The CR Sidekick provides AI-generated insights for educational and cybersecurity maturity evaluation. While designed for accuracy, responses should be reviewed by qualified personnel before use in compliance or audit documentation.

Third-Party Services

OpenAI API

We use OpenAI's API to provide AI-powered responses. When you interact with the chatbot:

  • Your messages and uploaded file contents are sent to OpenAI for processing
  • OpenAI processes this data to generate responses but does not use it to train their models
  • OpenAI's data processing is governed by their API Terms and Data Usage Policies
  • We do not share personal identifying information with OpenAI

The AI assistant does not make autonomous decisions, perform surveillance, or access user data outside of the current session.

Google Sheets API

CR Sidekick does not use cookies or third-party tracking scripts. All interactions occur within your browser session. When integrated with Google Sheets, the Service:

  • Read Access: Reads sheet structure to identify correct cells for updates and to access chat history backups on the same sheet
  • Write Access: Updates checkboxes and cell values based on your assessments and stores backup chat history on the same sheet
  • Limited Scope: Only accesses spreadsheets you explicitly authorize
  • No Personal Data: Does not access or store personal information from your Google account

All data access and deletion actions are logged and reviewed periodically to maintain accountability and transparency.

Google API Services User Data Policy Compliance: CR Sidekick's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data Security

We implement security measures to protect your information:

  • Encryption: All data transmitted between your browser and our servers uses HTTPS encryption
  • Access Controls: Server-side data is protected with authentication and authorization controls
  • Browser Storage: Conversation data in local storage is isolated to your browser session
  • Temporary Storage: Uploaded files are deleted after processing to minimize data retention

Your Rights and Choices

You have the following rights regarding your data:

  • Access: Your conversation history is accessible directly in the chatbot interface
  • Delete Conversations: Clear your conversation history using the "Clear Conversation" feature
  • Delete Browser Data: Clear local storage in your browser settings to remove all local data
  • File Deletion: Uploaded files are automatically deleted after processing or can be removed from the admin panel
  • Revoke Google Sheets Access: Disconnect the integration at any time through Google account settings

In the unlikely event of a data breach affecting user files or assessment metadata, CC4E will notify impacted users and relevant authorities within 72 hours of discovery, following NIST SP 800-61 incident handling guidance.

No Account Required

Our Service is designed for privacy and ease of use. You do not need to create an account, provide an email address, or share personal identifying information to use CR Sidekick. Each browser session generates a unique, anonymous session ID that is not linked to your identity.

Children's Privacy

Our Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us to have it removed.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify users of significant changes by updating the "Last Updated" date at the top of this policy. Your continued use of the Service after changes indicates acceptance of the updated policy.

International Users

Our Service is hosted in the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using the Service, you consent to this transfer.

Contact Us

Previous versions of this Privacy Policy are archived and available upon request to ensure transparency of revisions. If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at support@cybersecurityrubric.org or use our contact form. We will respond to your inquiry within 5 business days.

Summary

CR Sidekick is designed with your privacy in mind. We use browser-based storage for conversations, temporarily process uploaded files for analysis, and integrate with Google Sheets only with your explicit authorization. We do not collect personal identifying information, sell your data, or use it for purposes beyond providing our cybersecurity assessment assistance service.