Tentacle Ops ("we," "us") operates this website and the Tentacle Ops product. This page describes what data we collect, how we use it, who we share it with, and how to contact us.

We try to keep this short and accurate. If something here is unclear, email hello@tentacleops.ai.

What we collect from website visitors

Analytics

We use Plausible Analytics, a privacy-focused, cookieless analytics tool. Plausible does not use cookies, does not collect personally identifiable information, and does not track visitors across sites. We use it to count page views, see which posts are read, and understand referral traffic in aggregate. We never receive your IP address in identifiable form.

Waitlist signups

If you submit your email to our waitlist form, we collect:

  • Your email address
  • The date and time you submitted

We use this to email you about Tentacle Ops product updates, pilot invitations, and related news. You can ask us to remove your email at any time by replying to any message we send, or by emailing hello@tentacleops.ai.

Direct contact

When you email us, we keep the message and any information you choose to include in it (your name, company, what you are working on). We use it to respond to you and to remember context for future conversations.

Server logs

Our web server keeps standard request logs (IP address, timestamp, requested page, user agent) for operational purposes such as debugging and abuse prevention. Logs are rotated after 30 days.

What we do not collect

  • We do not use Google Analytics or any third-party advertising trackers.
  • We do not sell, rent, or share your data with advertisers.
  • We do not run ads on this site.
  • We do not require you to create an account to read anything.

The CMMC Knowledge Base chat

The free chat at tentacleops.ai/chat is an educational tool that answers questions about CMMC, NIST 800-171, DFARS, GCC High, Azure Gov, and related defense-contractor topics. It is unclassified and public-facing. Do not enter CUI, ITAR, EAR, FOUO, classified information, or contract-specific sensitive data. The system is not authorized to receive controlled information.

What we collect from chat

  • Account info. When you create a free account: your name, work email, optionally company name and company size, and a bcrypt-hashed password. We do not store your password in plain text.
  • Your messages, only during your session. Conversation history lives in your browser tab (sessionStorage). When you close the tab, the history is gone. We do not save your questions or answers in our database.
  • Abuse-control records. If our prompt-injection guardrail is tripped, we log the offending message, the source IP, and your account email so we can ban abusive IPs. This is the only chat content we persist.

What happens when you send a question

  1. Your message travels over TLS to our private server (a DigitalOcean droplet under our control).
  2. The server runs a local search of public regulatory documents (NIST, DFARS, CMMC, FAR, etc.) using a small embedding model that runs on the same server. Your text is not sent anywhere for this step.
  3. Your message, the matched regulatory snippets, and the last few turns of your in-browser conversation history are sent to AWS Bedrock for inference. Bedrock returns the answer over TLS.
  4. The answer streams back to your browser. Neither the question nor the answer is written to our database.

The model and training

The model is Meta's open-weight Llama 3.3 70B Instruct, served on AWS Bedrock in us-east-2. Your questions are not used to train any AI model. Open-weight models do not learn from inputs at inference time. AWS does not use your prompts to train AWS models and does not share them with Meta. AWS may briefly retain Bedrock inputs for trust-and-safety review per its standard policy; we are pursuing an opt-out from this retention.

Account deletion

Email hello@tentacleops.ai from the address tied to the account. We will delete your account record and confirm by reply.

The Tentacle Ops product

The Tentacle Ops product is delivered as a per-customer isolated stack. Customer data, including any Controlled Unclassified Information (CUI), Federal Contract Information (FCI), or business records, is processed within the customer's own authorization boundary. We do not pull customer CUI or FCI into Tentacle Ops shared infrastructure. Per-customer terms are governed by the agreement signed at onboarding, which supersedes this site-level policy with respect to product data.

Connected services we use

Where we integrate with third-party services on your behalf, we follow the principle of least privilege and use only the data needed to perform the requested action.

  • AWS Bedrock. Used for chat inference. See "The CMMC Knowledge Base chat" above. AWS region us-east-2.
  • DigitalOcean. Hosts our web server and the chat backend. Standard cloud-provider responsibilities apply.
  • Let's Encrypt. Issues the TLS certificate that protects every request to and from this site.
  • Plausible Analytics. Aggregate site analytics, no PII, no cookies. See their privacy policy.
  • Google (Gmail API). Used to deliver internal lead-notification emails to our team when someone signs up or joins the waitlist. The API call sends our notification body, not your chat content.
  • LinkedIn API. If we connect to LinkedIn on behalf of a Tentacle Ops team member to post content or comment on posts, we use the OpenID Connect "Sign In with LinkedIn" and "Share on LinkedIn" scopes. We store only the OAuth tokens and the member URN required to make the API calls. We do not read other people's profiles, message inboxes, or connection lists. Tokens are stored encrypted at rest with restrictive filesystem permissions and refreshed automatically; they can be revoked at any time from your LinkedIn account settings under "Permitted services."
  • Email infrastructure. We send and receive email via Microsoft 365. Standard email metadata (sender, recipient, subject, timestamp) is processed by Microsoft per their terms.

How long we keep things

  • Chat conversations: only while your browser tab is open. Nothing about your chat is written to our database.
  • Chat accounts: until you ask us to delete them.
  • Waitlist emails: until you ask us to delete them or until we discontinue the waitlist.
  • Direct correspondence: as long as the conversation is active and for a reasonable period afterward for context, typically up to 3 years.
  • Server logs: 30 days.
  • Abuse-control records (banned IPs, blocked prompt-injection attempts): retained while the abusive pattern is active.
  • OAuth tokens for connected services: until the connection is revoked or the integration is removed.

Your rights

You can:

  • Ask us what we have on file about you.
  • Ask us to correct or delete it.
  • Ask us to stop emailing you.
  • Revoke any connected service permission directly with the provider (for example, LinkedIn settings).

Email hello@tentacleops.ai with your request. We will respond within a reasonable time, typically within 14 days.

Where data lives

Our website and operational infrastructure run in the United States. If you are visiting from outside the U.S., your information will be transferred to and processed in the U.S. By using the site, you consent to that transfer.

Children

This site is not directed to children under 16, and we do not knowingly collect information from them.

Changes to this policy

If we change this policy, we will update the "Last updated" date at the top and, for material changes, post a note on the site. Continued use of the site after a change means you accept the updated policy.

Contact

Tentacle Ops
Email: hello@tentacleops.ai