> For the complete documentation index, see [llms.txt](https://dualguard.gitbook.io/dualguard/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dualguard.gitbook.io/dualguard/privacy-policies/privacy-policy-for-protocols.md).

# Privacy Policy for Protocols

DualGuard handles protocol team information only as needed to evaluate, run, and support security review programs.

This page explains the kinds of information DualGuard may receive from protocol teams, how that information is used, when it may be shared, and how it is handled.

For privacy and data-handling matters, DualGuard operates through Shawarmasec, a French EURL.

### Information DualGuard may collect from protocol teams

DualGuard may receive information such as:

* names, work email addresses, and job titles
* company or protocol details
* project documentation, repositories, and scoped code
* deployment details, architecture notes, and operational context
* communications related to scoping, findings, fixes, timelines, and program operations
* billing, contracting, or other transaction-related information

The exact data depends on the service being provided.

### How that information is used

DualGuard may use protocol team information to:

* evaluate whether a review is a fit
* define scope and prepare the review environment
* coordinate reviews, contests, mitigation work, or pre-launch programs
* communicate about findings, fixes, judging, timelines, and deliverables
* improve internal operations, documentation, and program administration
* comply with legal, contractual, or security obligations

DualGuard does not need protocol team personal data beyond what is reasonably required to operate the engagement.

### Confidentiality and scoped access

Private review materials are handled as confidential within the limits of the applicable agreements and program rules.

Access should be limited to people who need the information to operate, review, judge, or support the relevant program.

If a program is public by design, such as a competitive review or pre-launch bounty, information shared into that program may be visible to the participants or other parties defined by the rules of that program.

### Sharing of protocol team information

DualGuard may share protocol team information only when reasonably necessary, including with:

* reviewers, judges, contest managers, or operators involved in the program
* service providers that support communication, storage, administration, or operations
* counterparties where disclosure is required by the agreed program structure
* legal or regulatory authorities where disclosure is required by law or valid process

DualGuard does not sell protocol team personal information.

### Data retention

DualGuard may retain protocol team information for as long as needed to:

* provide the requested services
* maintain security and operational records
* resolve disputes or investigate incidents
* comply with legal, tax, accounting, or contractual obligations

Retention periods depend on the type of information and the nature of the engagement.

### Security measures

DualGuard aims to use reasonable administrative and technical safeguards appropriate to the sensitivity of the information it handles.

No system is perfectly secure. Protocol teams should avoid sharing unnecessary personal data and should provide access only to the materials needed for the engagement.

### Protocol team responsibilities

Protocol team should share only information they are authorized to disclose.

Protocol team should remove unnecessary personal data from repositories, tickets, attachments, and test environments before sharing them where possible.

Protocol team remain responsible for their own systems, access controls, and deployment decisions.

### Rights and requests

Applicable privacy laws may grant rights to access, correct, delete, or restrict certain personal information.

Requests should be made through DualGuard's official contact channels. DualGuard may need to verify the request before acting on it.

### Changes to this policy

DualGuard may update this policy as its services and operating practices evolve.

Material updates should be reflected on this page.
