Privacy Policy
CyBox Security — Privacy Policy
Last Updated: September 6, 2025
1) Introduction
CyBox Security and its affiliates (“CyBox,” “we,” “us,” “our”) provide software and services that help developers and organizations discover and remediate security issues in code, dependencies, cloud/IaC and running apps (the “Platform”). This Privacy Policy explains how we collect, use, disclose and protect personal data when you interact with our public website(s), Platform, marketing properties and support channels (collectively, the “Services”).
“Personal data” (or “personal information”) means information that identifies or relates to an identifiable individual. It does not include aggregated, de-identified or anonymized data.
We consider privacy a core design principle. Because CyBox operates globally, we align our program with the EU GDPR, UK GDPR, Swiss FDPIC guidance, and California CCPA/CPRA, and we honor additional rights where applicable.
This Privacy Policy covers: (i) visitors to our Website, (ii) users of the Platform (including free trials), and (iii) individuals who interact with our marketing or support. If you are a business customer with a DPA (Data Processing Addendum), that DPA governs where CyBox acts as a processor for customer data.
2) Who We Are & How to Contact Us
- Email (General/Legal): support@cybox.ai
If you are in the UK/EEA/Switzerland, CyBox is the controller for personal data described here (unless your contract/DPA states CyBox acts as a processor for certain Platform data). We may appoint an EU/UK representative as required; details will be provided on request.
3) What We Collect
3.1 Identifiers & Contact Data
Name, username/handle, email address, company/role, phone (optional), billing details (for paid plans via our payment processor), and authentication identifiers (including from SSO/OAuth providers such as GitHub, GitLab or Bitbucket).
3.2 Account & Commercial Data
Account metadata, tenant/workspace, plan tier, features used, purchases, invoices, subscription status, support history.
3.3 Technical & Usage Data
IP address, device/OS/browser, locale, time zone, pages viewed, referral/source, clickstream, session diagnostics, performance and crash logs, and telemetry related to Platform features.
3.4 Platform & Scan Data (Service Data)
If you connect repositories, registries, cloud/IaC or URLs, we may process repository metadata (e.g., URLs, branches), dependency manifests/lockfiles, IaC files, scan configurations, scan outputs (findings, severity, file paths/lines), and runtime/DAST results. Where feasible, we minimize ingestion (e.g., scanning in isolated/ephemeral environments) and store results, insights and references rather than full source.
3.5 Cookies & Similar Technologies
We use cookies, local storage, SDKs and pixels for session management, analytics, A/B testing, security and (where permitted) marketing/retargeting. See Cookie Policy for granular controls.
3.6 Third-Party Sources
We may receive personal data from:
- Auth/SSO providers (e.g., name, email, org membership).
- Your employer/customer admin (for seat provisioning).
- Marketing/CRM tools (enrichment, events, referrals) where permitted by law.
- Public sources (e.g., Git profile, company websites, conferences).
We do not intentionally collect sensitive categories of personal data. Do not submit sensitive data via general website forms.
4) Why We Use Personal Data (Purposes) & Legal Bases
4.1 Purposes
- Provide & secure the Services: authentication, account setup, feature delivery, fraud prevention, service resilience.
- Operate the Platform: run scans, generate results/reports, store findings, recommend fixes, provide dashboards/APIs.
- Customer support: respond to tickets, troubleshoot, incident notifications, success programs.
- Product improvement & research: diagnostics, usage analytics, A/B testing, quality assurance, and new features.
- Business operations: billing, tax, accounting, audits, and compliance.
- Communications: service announcements, transactional emails, and (with choice) product updates and marketing.
- Security & compliance: access controls, logs, monitoring, vulnerability triage, and legal requests.
- Legal defense/rights: to establish, exercise or defend legal claims.
4.2 GDPR/UK GDPR Legal Bases
- Contract necessity (Art. 6(1)(b)): to create/manage your account and deliver Platform features.
- Legitimate interests (Art. 6(1)(f)): securing and operating the Services, improving them and protecting against abuse, and B2B marketing (with opt-out).
- Consent (Art. 6(1)(a)): where required for cookies/marketing or optional features.
- Legal obligation (Art. 6(1)(c)): tax, accounting, law enforcement requests.
- Vital interests/Public interest (rare).
4.3 CCPA/CPRA Disclosures
We may “share” (or, in limited cases, “sell” as defined by CPRA) internet/network activity to advertising/retargeting partners. You can opt out (see Your Rights and the “Do Not Sell/Share My Personal Information” link in the Cookie banner or footer). We do not knowingly sell/share data of consumers under 16.
5) How We Share Personal Data
We share personal data with:
- Service providers / processors: cloud hosting, analytics, error tracking, payments, email delivery, support, CI/CD, observability, DAST/browser automation infrastructure, and data enrichment—solely to perform services for us, under contract.
- Integration partners you connect (e.g., GitHub, GitLab, Bitbucket) at your direction.
- Professional advisors (legal, audit, finance) under duty of confidentiality.
- Corporate transactions: merger, acquisition, financing, restructuring, or asset sale (with appropriate safeguards).
- Legal/compliance: to comply with law, enforce agreements, protect rights, security and safety.
- Aggregated/de-identified insights that do not identify individuals.
We maintain a list of key sub-processors in our Trust/Legal page and update it periodically. (Add a link here once published.)
6) International Transfers
CyBox operates globally and may transfer personal data to countries outside your own (e.g., US, EU, UK, IL). Where required, we use adequacy decisions, Standard Contractual Clauses (SCCs) and supplementary measures, or other lawful transfer mechanisms. Details are available upon request at privacy@cybox.ai.
7) Your Privacy Rights
7.1 EEA/UK/Swiss (GDPR)
You may have the right to access, rectify, erase, restrict, object to processing, port your data, and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your supervisory authority.
7.2 California (CCPA/CPRA)
You may have the right to know/access, delete, correct, and to opt out of sale/share of personal information. We do not discriminate for exercising rights. Use the Cookie manager / “Do Not Sell/Share” link or email privacy@cybox.ai.
7.3 How to Exercise Rights
Email privacy@cybox.ai or use in-product controls where available. We will verify your request and respond as required by law. Authorized agents may submit requests as permitted.
8) Retention
We retain personal data only as long as necessary for the purposes described above, including to meet legal, accounting or reporting requirements, and to maintain security/defensibility. Illustratively:
- Account & billing data: for the subscription term + statutory retention.
- Scan results/findings: per your workspace settings or our product defaults (e.g., 30–365 days for MVP/feature limits), or as set in your agreement/DPA.
- Logs/telemetry: short operational windows unless extended for security/abuse investigations.
When retention ends, we will delete or de-identify the data unless a longer period is required by law or to establish/exercise/defend legal claims.
9) Security
We implement technical and organizational measures appropriate to risk, including least-privilege access, encryption in transit and at rest (where applicable), network segmentation, vulnerability management, logging/monitoring, secure SDLC, and employee training. No system is perfectly secure; you are responsible for safeguarding your credentials, secrets and connected accounts.
10) Children
Our Services are not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact privacy@cybox.ai and we will take appropriate steps.
11) Cookies, Analytics & Ads
We use cookies and similar technologies for authentication, security, preferences, analytics, A/B testing, and (where permitted) marketing/retargeting. You can manage preferences via our Cookie banner/manager and your browser settings. See our Cookie Policy for categories, vendors, durations and consent options. Some features may not function without certain cookies.
12) Third-Party Links & Social Features
Our Services may link to third-party websites, SDKs or social media (e.g., GitHub, LinkedIn). Your use of those services is governed by their privacy policies. We are not responsible for third-party practices.
13) Product-Specific Notes (Platform)
13.1 Repository/Asset Connections
When you connect Git providers or upload assets, we request the minimum scopes needed to deliver selected features (e.g., read-only repo access for scanning). You can revoke access at the provider.
13.2 Scanning & Findings
We aim to process only what is necessary to run scans and produce results. By default we store findings/metadata instead of entire source files where feasible. Customers can manage retention and deletion through workspace settings or via support.
13.3 Customer-as-Controller; CyBox-as-Processor
For certain Platform data, CyBox acts as a processor under your instructions. Our Data Processing Addendum (DPA) (including SCCs where applicable) governs such processing and prevails over this Policy in case of conflict.
14) Do Not Track
Our Services currently do not respond to Do Not Track (DNT) signals. We honor universal opt-out signals for CPRA where feasible and required, and provide other opt-out methods (Cookie manager / email).
15) Changes to This Policy
We may update this Privacy Policy from time to time. The “Last Updated” date reflects the latest version. Material changes will be communicated as required by law. Your continued use of the Services after changes become effective means you accept the updated Policy.
16) Contact, Questions & Complaints
- Legal Email: support@cybox.ai
If you are in the EEA/UK/Switzerland, you may also contact your data protection authority. We encourage you to contact us first so we can address your concerns promptly.
17) Regional Addenda (Summaries)
17.1 EEA/UK/Swiss Addendum
- Controller: CyBox Security Ltd.
- Legal bases: Contract, Legitimate interests, Consent, Legal obligation.
- Transfers: SCCs/adequacy or other lawful mechanisms.
- Rights: Access, Rectification, Erasure, Restriction, Portability, Objection, Withdraw consent.
- Supervisory authority: You have the right to lodge a complaint with your local authority.
17.2 California Addendum (CCPA/CPRA)
- Categories collected: Identifiers, commercial information, internet/network activity, geolocation (general), inferences (product analytics), and customer records (B2B).
- Sensitive information: not intentionally collected.
- Purposes: as described in Section 4.
- Sharing/Selling: limited to advertising/analytics for internet/network activity; opt-out available.
- Rights: Know/access, delete, correct, opt-out of sale/share, limit use of sensitive info (not applicable as we don’t use it), non-discrimination.
- How to exercise: Cookie manager, “Do Not Sell/Share” link, or support@cybox.ai.