1. Introduction
VettedBlue ("we," "us," or "our") provides a background investigation management platform for law enforcement agencies. This Privacy Policy describes how we collect, use, store, and protect personal information processed through our platform.
2. Information We Collect
We process the following categories of information on behalf of law enforcement agencies:
- Applicant Information: Name, date of birth, Social Security Number (last 4 or full, encrypted), contact information, address history, employment history, education, references, and other data submitted through application forms.
- Investigation Data: Background check results, interview notes, document uploads, OSINT scan results, cross-reference analyses, and investigator notes.
- Officer Information: Name, date of birth (encrypted), PTC ID, badge number, rank, certification status, and relicensing records.
- Communication Records: Call recordings, transcripts, and email correspondence related to investigations.
- User Accounts: Detective/administrator names, email addresses, and hashed passwords.
- Audit Logs: System access records, actions performed, timestamps, and IP addresses.
3. How We Use Information
Information is processed solely to:
- Facilitate law enforcement background investigations and hiring processes
- Support officer relicensing and PTC compliance
- Generate investigation reports and compliance documentation
- Maintain audit trails as required by CJIS and state regulations
- Communicate with applicants, references, and investigation subjects
- Improve platform functionality and security
4. Data Storage & Security
- Hosting: All data is stored on Microsoft Azure infrastructure located in the United States.
- Encryption at Rest: Sensitive PII fields (Social Security Numbers, dates of birth) are encrypted using AES-256-GCM before storage in the database.
- Encryption in Transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Access Controls: Role-based access control (RBAC) ensures users only access data within their department and permission level.
- Multi-Tenant Isolation: Each agency's data is logically separated by department/agency scoping on all database queries.
- Authentication: Multi-factor authentication (TOTP and email OTP) is available for all user accounts.
5. Data Retention
We retain data in accordance with law enforcement record-keeping requirements and agency policies:
- Investigation Records: Retained indefinitely unless deleted by the agency. Agencies may delete records at their discretion in compliance with their own retention policies and applicable state regulations.
- Officer & Relicensing Data: Retained indefinitely to support ongoing PTC compliance and certification tracking.
- Communication Records: Call recordings, transcripts, and correspondence are retained indefinitely unless deleted by the agency.
- Audit Logs: Retained for a minimum of 3 years as required by CJIS Security Policy, and indefinitely thereafter unless purged by an administrator.
- Portal Submissions: Retained indefinitely as part of the investigation record.
Agencies retain full control over their data and may request deletion of any records at any time.
6. CJIS Compliance
VettedBlue is designed to comply with the FBI Criminal Justice Information Services (CJIS) Security Policy. Criminal justice information (CJI) is never transmitted to third-party AI services or external APIs. All AI-assisted features operate on non-CJI data only, using an allow-list approach to ensure compliance.
7. Data Sharing
We do not sell personal information. Data may be shared only in the following circumstances:
- With the Contracting Agency: Data is owned by and accessible to the law enforcement agency that created it.
- Infrastructure Providers: Microsoft Azure (hosting), as necessary to operate the platform. These providers are bound by their own security and privacy commitments.
- Legal Requirements: When required by law, subpoena, court order, or to comply with applicable regulations.
8. Individual Rights
Individuals whose data is processed through VettedBlue may contact the relevant law enforcement agency to exercise their rights under applicable state and federal privacy laws. Agencies using VettedBlue are responsible for responding to such requests in accordance with their obligations as data controllers.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to agency administrators via the platform. Continued use of VettedBlue after changes constitutes acceptance of the updated policy.