Cygent Privacy Policy
Last updated: April 28, 2026
This Privacy Policy describes how Cyfrin Inc ("Company", "We", "Us", or "Our") collects, uses, discloses, and protects Personal Data when You access or use the Cygent platform (the "Service"). It applies to visitors of Our marketing site, Account holders, members of customer Organizations, and individuals whose Personal Data is incidentally Processed through the Service.
This Privacy Policy should be read together with the Cygent Terms of Service and, for enterprise Customers, the Cygent Data Processing Agreement. Capitalized terms not defined here have the meaning given in those documents.
1. Who We Are
The data controller responsible for Personal Data Processed under this Privacy Policy is:
Cyfrin Inc, 9066 Cascada Way, Naples, FL 34114, United States. Email: support@cyfrin.io
Where We Process Personal Data on behalf of an Organization (e.g., Smart Contract Code submitted for analysis, Findings, integration content), the Organization is the Controller (or Business) and We act as Processor (or Service Provider). Our processing in that capacity is governed by the Data Processing Agreement.
2. Scope
This Privacy Policy applies to Personal Data We Process as a Controller, including:
- Account registration and authentication data;
- Billing and contact data for Customer administrators;
- Service operational and usage metrics used for Our own administrative purposes;
- Marketing-site visitor data (cookies, analytics signals, contact-form submissions).
It does not govern Personal Data We Process on behalf of an Organization as a Processor — that processing is governed by the Agreement and DPA.
3. Personal Data We Collect
3.1 Data You Provide
- Account Data — email and password sign-up: email address, name (optional), and password. We store passwords as one-way hashes using a memory-hard algorithm (scrypt); We never store, log, or have access to Your password in plaintext. We also store an email-verification status and any verification tokens We issue.
- Account Data — OAuth sign-up: where You sign in with GitHub or Google, We receive Your name, email address, avatar, and provider user ID from the OAuth provider. We do not receive or store Your authentication credentials for those providers.
- Two-factor authentication data: TOTP secret (encrypted at rest), recovery codes (hashed). Two-factor authentication is mandatory for all Accounts; existing Accounts may be subject to a short grace period before enforcement.
- Organization Data: Organization name, role, membership, Instance configuration, billing contacts.
- Communications: messages You send Us through email, support requests, or contact forms.
3.2 Data Generated Through Your Use of the Service
- Smart Contract Code and Findings: Repository code You submit for analysis, audit Findings, code context, severity classifications, and remediation recommendations. (Processed on Your Organization's behalf — see Section 2.)
- Integration Data: access tokens and configuration for connected Third-Party Integrations (GitHub, Slack, Discord, Telegram), encrypted at rest using AES-256-GCM.
- Usage and Operational Data: job execution history, audit statistics, command invocations, timestamps, IP addresses, user-agent strings, error and diagnostic logs.
3.3 Data Collected Automatically
- Cookies and similar technologies: session cookies for authentication, and limited first-party analytics. See Section 8.
- Device and connection data: IP address, browser type, operating system, referring URL, pages visited, and approximate location derived from IP.
3.4 Data from Third Parties
- OAuth provider data: profile information GitHub or Google returns when You sign in.
- Third-Party Integration data: repository, pull request, channel, and message metadata returned by GitHub, Slack, Discord, or Telegram when You connect those services.
- Payment processor data: billing status from Our payment processor (We do not receive or store full payment card numbers).
3.5 Special Categories
The Service is not intended to Process special categories of Personal Data (GDPR Art. 9) or data relating to criminal convictions (GDPR Art. 10). Please do not submit such data through the Service.
4. How We Use Personal Data
We Process Personal Data for the following purposes:
| Purpose | Examples | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Authenticate You (including email/password sign-in, OAuth sign-in, and two-factor authentication), provision Instances, run audits and PR reviews, deliver Findings, send notifications | Performance of a contract (Art. 6(1)(b)) |
| Account security | Send email-verification and password-reset messages, screen new passwords against known-breached password databases, enforce two-factor authentication, apply auth rate limits, alert on suspicious sign-in activity | Performance of a contract; legal obligation; legitimate interests |
| Maintain and secure the Service | Detect abuse, investigate incidents, prevent fraud, monitor availability, apply rate limits | Legitimate interests (Art. 6(1)(f)) |
| Communicate with You | Send transactional emails, respond to support requests, notify You of material changes | Performance of a contract; legitimate interests |
| Improve the Service | Aggregate usage analytics, debug errors, prioritize features | Legitimate interests |
| Comply with law | Respond to lawful requests, enforce Terms, defend legal claims | Legal obligation (Art. 6(1)(c)); legitimate interests |
| Marketing (where applicable) | Send product updates and announcements to Account holders or contacts who have opted in | Consent (Art. 6(1)(a)) or legitimate interests, depending on jurisdiction |
We do not use, and do not permit Our Sub-processors to use, Customer Personal Data (including Smart Contract Code, Findings, prompts, completions, or embeddings) to train, fine-tune, or otherwise improve any generally available machine learning or AI models. See Section 5.3 of the DPA for the technical and contractual measures We rely on.
5. AI Processing and Automated Decision-Making
The Service uses large language models to analyze Smart Contract Code and generate Findings. As described in the Terms of Service:
- AI-generated Findings are not a substitute for a professional security audit.
- Findings may include false positives and false negatives.
- The Service does not make legal, financial, or employment decisions about individuals.
We do not engage in automated decision-making producing legal or similarly significant effects on individuals within the meaning of GDPR Art. 22.
6. How We Share Personal Data
We share Personal Data only as described below. We do not sell Personal Data, and We do not "share" Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
6.1 Sub-processors
We engage Sub-processors to provide infrastructure, inference, and operational services. As of the Last Updated date, Our Sub-processors include:
| Category | Sub-processor | Purpose | Location |
|---|---|---|---|
| Cloud infrastructure — Instances | OVHcloud | Hosting of per-Organization Instances, Orchestrator, and agent containers | United States |
| Cloud infrastructure — Platform | Vercel Inc. | Hosting of the Cygent control-plane web application | United States |
| Managed database | PlanetScale, Inc. | PostgreSQL hosting for platform and agent data | United States |
| LLM aggregation | OpenRouter, Inc. | Routing of inference requests | United States |
| LLM inference (via OpenRouter) | Anthropic, PBC | Inference using Claude model family | United States |
| LLM inference (via OpenRouter) | OpenAI, L.L.C. | Inference using GPT-5 model family; embeddings | United States |
| LLM inference (via OpenRouter) | Moonshot AI | Inference using Kimi K2.5 (only when Customer opts in) | Varies |
| Authentication — OAuth | GitHub, Inc.; Google LLC | OAuth identity providers (only engaged where You choose to sign in via these providers rather than email/password) | United States |
| Compromised-password screening | Have I Been Pwned (Pwned Passwords API, operated by Superlative Enterprises Pty Ltd) | Screening of new and reset passwords against known breach corpora using k-anonymity: only the first five hexadecimal characters of the SHA-1 hash of the candidate password are sent to the API, the API returns every breached-hash suffix sharing that prefix, and the comparison is completed locally, so neither the password nor its full hash leaves the Service and nothing is stored by the API | Australia / United States |
| Transactional email | Resend, Inc. | Account and Service notifications, including email verification, password reset, two-factor enrollment, and security alerts | United States |
| Observability / logging | Vercel Inc. | Application and runtime logs | United States |
| Meeting-bot recording | Recall.ai, Inc. | Optional meeting capture (only when enabled) | United States |
| Third-Party Integrations | GitHub, Slack, Discord, Telegram | Only where You choose to connect them | Varies by provider |
A current list of Sub-processors is maintained at https://app.cygent.dev/legal/subprocessors. We require each Sub-processor to be bound by data protection obligations no less protective than this Privacy Policy and the DPA.
6.2 Third-Party Integrations You Connect
If You connect a Third-Party Integration, Personal Data flows between the Service and that platform according to Your configuration. Your use of those platforms is governed by the third party's own terms and privacy policy.
6.3 Legal and Safety Disclosures
We may disclose Personal Data when We reasonably believe disclosure is necessary to:
- Comply with applicable law, legal process, or governmental request;
- Enforce the Terms of Service or investigate potential violations;
- Detect, prevent, or address fraud, security, or technical issues;
- Protect against harm to the rights, property, or safety of the Company, Our users, or the public.
6.4 Business Transfers
If We are involved in a merger, acquisition, financing, or sale of assets, Personal Data may be transferred as part of that transaction. We will notify You and require any successor to honor the commitments in this Privacy Policy.
6.5 With Your Consent or at Your Direction
We share Personal Data with other parties when You direct Us to do so or otherwise consent.
7. International Data Transfers
The Service is operated from data centers in the United States. Customer Personal Data stored by the Service — including Instance data, platform and agent databases, logs, and observability data — is hosted in the United States.
Onward transfers occur:
- to LLM inference Sub-processors identified in Section 6.1, for the purpose of analyzing Smart Contract Code; and
- to Third-Party Integrations that You choose to connect.
Where transfers leave the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection (including the United States, except where the recipient is certified under the EU–US Data Privacy Framework), We rely on the European Commission's Standard Contractual Clauses (and, where applicable, the UK International Data Transfer Addendum and Swiss FDPIC amendments) together with supplementary technical and organizational measures. For enterprise Customers, the SCCs are incorporated by reference into the DPA.
A copy of the relevant transfer mechanism is available on request from support@cyfrin.io.
8. Cookies and Similar Technologies
We use a small number of first-party cookies to:
- Keep You signed in (session cookies);
- Remember preferences (e.g., theme);
- Measure aggregate usage so We can debug and improve the Service.
We do not use third-party advertising cookies or cross-site tracking. You can control cookies through Your browser settings; disabling session cookies will prevent You from signing in.
9. Data Retention
We retain Personal Data for as long as necessary to provide the Service and for the purposes described in Section 4. Specific retention periods include:
- Account Data: for the life of the Account, plus a reasonable period after termination for legal, audit, and dispute-resolution purposes.
- Smart Contract Code and Findings: until You delete them through Service controls or until termination of the Agreement, after which they are deleted within ninety (90) days unless You request earlier deletion or return.
- Operational logs: retained for a limited period sufficient for debugging, security, and capacity planning.
- Backups: residual copies in routine backups are deleted in accordance with Our backup rotation schedule.
We may retain Personal Data longer where required by law or to establish, exercise, or defend legal claims.
10. Security
We implement technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:
- TLS 1.2+ for all external connections;
- AES-256-GCM application-layer encryption of integration tokens at rest;
- Storage-level encryption provided by Our hosting providers;
- Email/password and OAuth (GitHub, Google) authentication, with mandatory two-factor authentication for all Accounts;
- One-way password hashing (scrypt) with per-credential salts; password complexity requirements; screening of new and reset passwords against known-breached password databases via k-anonymous lookup; rate limiting on sign-in, sign-up, password-reset, and two-factor endpoints;
- Role-based access control within Organizations;
- Per-Organization Instance isolation;
- Least-privilege access to production systems for Cyfrin personnel;
- Secrets managed through 1Password and Varlock in production, kept out of source control;
- Logging, monitoring, and alerting on defined security signals;
- Background screening (where permitted by law), confidentiality obligations, and security training for personnel.
A more detailed description of Our technical and organizational measures is set out in Section 6 of the DPA. No system is perfectly secure; if You believe Your Account has been compromised, contact Us at security@cyfrin.io.
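The two password controls listed above and in the Sub-processor table (Section 6.1), the k-anonymous breach screen and salted scrypt hashing, are shown below as an added illustration; this is example code written for this page, not Cygent's implementation. It assumes scrypt cost parameters (N=2^14, r=8, p=1) and a dollar-delimited storage string that the policy does not specify, the live fetcher uses the public Pwned Passwords range endpoint, and the range response used by default is constructed so the example runs offline.

```python
import hashlib
import hmac
import os
import urllib.request
from typing import Callable, Optional, Tuple

# Constructed stand-in for a Pwned Passwords range response. The body for prefix
# "5BAA6" lists 35-character hash suffixes and breach counts. "password" hashes to
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix appears; the other
# suffixes and all counts are made up for this example, not real HIBP data.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2A3B4C5D6E7F8091A2B3C4D5E6F708192:12",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher for the example; unknown prefixes get an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real k-anonymity query: only the 5-character prefix is put on the wire."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "cygent-example"},  # assumed User-Agent value
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the candidate; return (prefix sent to API, suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus (0 if absent).
    The full hash never leaves the process; suffix matching happens here."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand and hmac.compare_digest(cand.upper(), suffix):
            return int(count or 0)
    return 0


# Cost parameters are an assumption (the policy names scrypt, not its parameters);
# memory per hash is 128 * N * r bytes = 16 MiB with these values.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, KEY_LEN = 2 ** 14, 8, 1, 16, 32


def hash_password(password: str) -> str:
    """One-way scrypt hash with a fresh per-credential salt, stored with its params."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def screen_and_hash(password: str,
                    fetch_range: Callable[[str], str] = fake_fetch_range) -> Optional[str]:
    """Sign-up / reset path: reject a breached password, otherwise store its hash."""
    if breach_count(password, fetch_range) > 0:
        return None
    return hash_password(password)


if __name__ == "__main__":
    print(screen_and_hash("password"))          # None: found in the breach corpus
    print(screen_and_hash("xK9#vP2$mQ7!wL4r"))  # scrypt$16384$8$1$<salt>$<key>
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real API; the wire format is the same. Storing N, r and p alongside the hash is what lets the cost be raised later without invalidating existing credentials, and `compare_digest` keeps both the suffix match and the final key comparison free of timing side channels.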
11. Your Rights
Subject to applicable law, You have the following rights with respect to Personal Data We hold about You:
- Access — obtain a copy of Personal Data We hold about You;
- Rectification — correct inaccurate or incomplete Personal Data;
- Erasure — request deletion of Personal Data, subject to legal retention obligations;
- Restriction — request restriction of Processing in defined circumstances;
- Portability — receive Personal Data You have provided in a structured, commonly used, machine-readable format;
- Objection — object to Processing based on legitimate interests, including direct marketing;
- Withdraw consent — where Processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior Processing;
- Lodge a complaint — with a Supervisory Authority in the EU/EEA, the UK Information Commissioner's Office, the Swiss FDPIC, or another competent authority in Your jurisdiction.
11.1 California Residents (CCPA/CPRA)
If You are a California resident, You also have the right to:
- Know the categories and specific pieces of Personal Information We collect, the sources, the purposes, and the categories of recipients;
- Delete Personal Information, subject to exceptions;
- Correct inaccurate Personal Information;
- Opt out of the "sale" or "sharing" of Personal Information (We do not sell or share Personal Information as those terms are defined under CCPA/CPRA);
- Limit the use of sensitive Personal Information (We do not Process sensitive Personal Information for purposes that trigger this right);
- Non-discrimination for exercising Your rights.
You may designate an authorized agent to make a request on Your behalf, subject to verification.
11.2 How to Exercise Your Rights
You can exercise most rights directly through Service controls (Account settings, Organization administration, Instance and Finding deletion). For requests that cannot be completed through the Service, contact Us at support@cyfrin.io. We will respond within the time required by applicable law (generally one month under GDPR, extendable by up to two further months for complex or numerous requests; 45 days under CCPA/CPRA, extendable once by a further 45 days where reasonably necessary).
If We Process Your Personal Data on behalf of an Organization (i.e., as a Processor), We will direct Your request to that Organization and assist them in responding.
12. Children's Privacy
The Service is not directed to individuals under 18 years of age, and We do not knowingly collect Personal Data from anyone under 18. If You believe a child has provided Us with Personal Data, contact support@cyfrin.io and We will take appropriate steps to delete it.
13. Third-Party Sites and Services
The Service may contain links to third-party websites and services. We are not responsible for the privacy practices of those sites and encourage You to review their privacy policies before providing Personal Data to them.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When We make material changes, We will update the "Last updated" date at the top and, where required by law, provide additional notice (e.g., by email or through the Service). Your continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the changes.
15. Contact Us
For questions, concerns, or requests relating to this Privacy Policy or Your Personal Data:
- Email: support@cyfrin.io
- Mailing address: Cyfrin Inc, 9066 Cascada Way, Naples, FL 34114, United States
If You are in the EEA, UK, or Switzerland and We do not respond to Your request to Your satisfaction, You may lodge a complaint with Your local Supervisory Authority.
This Privacy Policy is a template intended as a starting point. Before publication, it must be reviewed by qualified legal counsel in each relevant jurisdiction and reconciled with Cyfrin's actual sub-processors, hosting regions, retention schedules, and operational practices.