Legal
Privacy Policy
Effective: 14 June 2026 · Last updated: 14 June 2026 · Version: 1.0
This Privacy Policy (“Policy”) is issued by BitScore Cybertech LLP, a Limited Liability Partnership incorporated in India and registered under the Startup India initiative (“BitScore”, “we”, “us”, “our”). BitScore is the authorised India partner for the Bitsight Cyber Risk Intelligence Platform operated by Bitsight Technologies, Inc. (“Bitsight”). References to “you” or “your” mean the natural person or legal entity using https://www.bitscore.in/ and https://www.bitscore.ai.in/ (the “Website”) or engaging us for services.
1. Scope of this Policy
This Policy explains what personal data we collect, how we use it, who we share it with, the lawful bases on which we process it, and the rights you have. It applies to:
- visitors to the Website;
- prospective customers who request a Cyber Risk Rating Report, contact us by email, or are referred from our Website to Bitsight's intake form;
- customer points of contact, administrators, and authorised users of Security Posture Management (“SPM”) and Third-Party Risk Management (“TPRM”) engagements; and
- correspondents who reach us by email, phone, or professional networks.
This Policy does not govern data processed by Bitsight on its own platform when you interact directly with Bitsight (for example, via bitsight.com or the Bitsight portal under a separate Bitsight licence). For those interactions, Bitsight's own privacy notice and Security Ratings Access Terms apply. We will tell you when a transfer to Bitsight is involved.
When you request a report via our Website, you are redirected to Bitsight's intake form. Bitsight collects the data you submit there as an independent controller. We may also receive your contact details from Bitsight or from direct correspondence with us.
2. What personal data we collect
We have deliberately designed our service to minimise personal data collection. The Bitsight platform measures external, attacker-visible signals about an organisation — it does not require an agent on your systems, credentials, or access to your internal environment, and it does not rely on a self-reported questionnaire.
(a) Information you provide directly
- Identity and contact details: name, work email, phone number, designation/role, company name, company address.
- The content of your enquiry, including the Website domain you wish to be assessed.
- Information shared during pre-sales conversations, demos, or onboarding (for example, team roles, security tooling context, or vendor lists for TPRM scope).
- Billing and tax details for paying customers (GSTIN, PAN where required, billing address, purchase order references).
(b) Information collected automatically on the Website
- Network and device data: IP address, approximate location derived from IP, browser type and version, operating system, device type, referrer URL, language preference, and timestamps.
- Usage data: pages viewed, navigation paths, and similar interaction telemetry.
- Cookies and similar technologies, including strictly necessary cookies, first-party analytics (Vercel Analytics and Vercel Speed Insights), and — only if you accept cookies — Google Tag Manager (including Google Analytics 4), Zoho PageSense, and the LinkedIn Insight Tag.
On your first visit, we offer a cookie choice. Non-essential marketing and analytics tags load only after you select “Accept all.” You can change your choice at any time via Cookie settings in the Website footer or your browser controls.
(c) Information collected through service delivery
- For Cyber Risk Rating Report requests, we ask Bitsight to generate or release a rating for the organisation domain you nominate. Inputs are publicly observable signals associated with that domain's external attack surface (for example, DNS records, TLS configuration, exposed ports, or leaked credentials linked to the domain). These are predominantly organisational signals; any incidental personal data is subject to the safeguards in this Policy.
- For SPM and TPRM customers, we receive designated vendor and entity lists, internal stakeholder contact details, and configuration preferences inside the Bitsight portal.
(d) Information we do not collect
We do not deploy agents on your endpoints, do not request system or network credentials, and do not require access to internal logs or telemetry. We do not knowingly process Sensitive Personal Data or Information (“SPDI”) as defined under the SPDI Rules — financial information, biometrics, health data, sexual orientation, and similar categories — for the operation of the Website or the rating service. Please do not include SPDI in unsolicited correspondence.
3. How and why we use personal data
Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), we rely on consent as the primary basis for processing personal data, and on the legitimate uses specified in Section 7 of the DPDP Act where applicable (notably, processing where you have voluntarily provided your data for a specified purpose). Where the SPDI Rules apply, we rely on consent and the necessity of processing for the purpose for which the information was provided.
| Purpose | Typical data | Lawful basis |
|---|---|---|
| Respond to enquiries and report requests | Name, work email, phone, role, company, domain, message content | Consent / voluntary provision (DPDP §7) |
| Deliver Bitsight ratings, SPM, or TPRM | Domain(s), stakeholder contacts, service configuration, billing details | Contract performance / consent |
| Operate and secure the Website | IP address, browser/device data, server logs | Legitimate uses / legal obligation |
| Understand aggregate Website usage | Page views and interaction telemetry via Vercel Analytics & Speed Insights | Legitimate uses (first-party, privacy-oriented analytics) |
| Marketing measurement (with consent) | Usage signals via GTM/GA4, Zoho PageSense, LinkedIn Insight Tag | Consent |
| Legal, tax, and regulatory compliance | Records required by Indian law | Legal obligation |
We will not use your personal data for any purpose materially different from those listed above without giving you notice and, where required, obtaining fresh consent.
4. Sharing of personal data
We share personal data only as described below, with parties contractually bound to handle it consistently with this Policy:
- Bitsight Technologies, Inc. — domain(s) and stakeholder contacts you nominate, plus service configuration, to provision ratings and platform access. Bitsight processes that data as an independent controller under its own terms.
- Vercel Inc. — Website hosting and delivery.
- Google (Tag Manager / Analytics) — aggregate usage measurement, only after cookie consent.
- Zoho PageSense — Website behaviour analytics, only after cookie consent.
- LinkedIn Ireland Unlimited Company — campaign measurement via the Insight Tag, only after cookie consent.
- Communication and productivity tools — email, calendar, CRM, support, and document management providers used to run the business.
- Professional advisers — auditors, legal counsel, chartered accountants, and insurers, bound by confidentiality duties.
- Regulators and law-enforcement — where required under Indian law, including the IT Act, the DPDP Act, the Code of Criminal Procedure, CERT-In Directions, or a binding court order.
- Corporate transactions — if BitScore is involved in a merger, acquisition, financing, or asset sale, subject to confidentiality undertakings.
We do not sell personal data, and we do not share it with advertisers for purposes unrelated to the services described above.
5. International transfers
The Bitsight platform is operated from outside India, including the United States and the European Economic Area. By engaging us, you understand that we will transfer the personal data necessary to provision the service to Bitsight in such jurisdictions, which may have data protection regimes different from India's. Transfers are made in accordance with the DPDP Act and under contractual safeguards with Bitsight. Marketing and analytics providers listed in Section 4 may also process data outside India when you have given cookie consent.
6. Data retention
- Website analytics (Vercel): per Vercel's default retention for the plan in use.
- Marketing/analytics tags (with consent): rolling 14–26 months depending on the provider's default, or shorter where you withdraw consent.
- Marketing contacts: until you unsubscribe or 36 months of inactivity, whichever is earlier.
- Customer records: duration of the engagement plus eight years after termination, for statutory record-keeping and potential legal claims.
- Tax and accounting records: eight years from the end of the relevant financial year, as required by Indian tax legislation.
- Security and audit logs: at least 180 days where required by CERT-In Directions, extended where investigation or a legal hold requires.
Once retention is no longer justified, personal data is securely deleted or irreversibly anonymised.
7. How we protect personal data
As a cyber-risk intelligence business, we maintain information security practices mapped to ISO/IEC 27001 — the international standard for information security management. BitScore is not ISO 27001 certified; we align our policies and controls to that framework as a structured baseline, without claiming third-party certification.
Our programme includes reasonable practices consistent with Section 43A of the IT Act and applicable rules, including access controls, encryption of personal data in transit (TLS 1.2 or higher), segregation of environments where practicable, logging and monitoring, vendor review for key sub-processors, and a documented approach to incident response.
No security programme is infallible. If a personal data breach is likely to cause harm to you, we will notify the Data Protection Board of India and affected users in the form and within the timelines required by the DPDP Act and subordinate rules.
8. Your rights as a Data Principal
Subject to the DPDP Act and applicable conditions, you have the right to:
- access a summary of the personal data we process about you and the processing activities and recipients;
- correction, completion, updating, and erasure of inaccurate, incomplete, or no longer necessary personal data;
- withdraw consent at any time, with effect for the future (this may limit certain services);
- nominate another individual to exercise your rights in the event of your death or incapacity;
- grievance redressal through our Grievance Officer (Section 10) before approaching the Data Protection Board.
To exercise any right, write to nimitt@bitscore.ai.in. We will respond within the timelines prescribed by law (and, in any event, within 30 days for most requests). We may verify your identity before acting on a request.
9. Children
Our services are designed for enterprises and are not directed to children. We do not knowingly collect personal data of children under 18 without verifiable parental consent or in any manner detrimental to a child's well-being. If you believe we have inadvertently collected data about a child, please contact us and we will delete it.
10. Cookies and tracking technologies
The Website uses the following categories:
- Strictly necessary — required to serve the Website and remember your cookie preference (stored locally in your browser).
- First-party analytics — Vercel Analytics and Speed Insights to understand aggregate performance and usage without third-party marketing cookies.
- Marketing and measurement (consent required) — Google Tag Manager (including GA4), Zoho PageSense, and the LinkedIn Insight Tag for campaign and conversion measurement.
The LinkedIn Insight Tag may set cookies and transmit data to LinkedIn Ireland Unlimited Company only after you accept cookies. You can opt out via LinkedIn account settings or by selecting Essential only in our cookie banner. A detailed cookie inventory is available on request from the Grievance Officer.
11. Grievance Officer / Data Protection Officer
In accordance with the IT Act, the Intermediary Rules, and the DPDP Act:
- Name: Shri Nimitt Jhaveri, Designated Partner
- Entity: BitScore Cybertech LLP
- Email: nimitt@bitscore.ai.in
- Working hours: Monday to Friday, 10:00–18:00 IST (excluding public holidays)
We will acknowledge any complaint within 48 hours and seek to resolve it within 15 days, in line with the Intermediary Rules.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will revise the “Last updated” date above and, where appropriate, notify you by email or via a prominent notice on the Website before the change takes effect.
13. Contact
For any question about this Policy or our data practices, write to nimitt@bitscore.ai.in with the subject line “Privacy Policy — Query”.
Registered office: BitScore Cybertech LLP, Satyam Corporate Square, Block-B, Behind Rajpath Club, Ahmedabad 380059, Gujarat, India.
Bitsight is a registered trademark of Bitsight Technologies, Inc. BitScore is an authorised partner for Bitsight and is not affiliated with any other rating service that uses a similar name.