Skip to main content

Client Safety and Confidentiality

Effective Date: 2nd December 2024

At CyberSanctus, client safety and confidentiality are our top priorities. We understand the trust our clients place in us when they submit their code for analysis using our SaaS platform, CodeHound. This page outlines our commitment to safeguarding your data, ensuring transparency in our practices, and adhering to strict confidentiality standards.

1. Client Safety

a. Secure Data Handling

  • Encryption: All data transmitted to and from our servers is encrypted using TLS 1.3 to ensure it remains secure during transit.
  • Isolated Environments: Code submitted for scans is processed within isolated Docker containers. These containers are destroyed immediately after the scan is complete, typically within 60 to 120 seconds.
  • Data Retention: CyberSanctus does not store any submitted code or intermediate files after the scan process.

b. Rigorous Security Measures

  • Infrastructure Protection: Our servers are hosted in secure, ISO/IEC 27001-compliant data centers.
  • Access Control: Access to our systems is strictly limited to authorized personnel under robust access control policies.
  • Vulnerability Assessments: Our platform undergoes regular penetration testing and security audits to identify and mitigate potential risks.

2. Confidentiality

a. Code Confidentiality

  • Submitted code is processed solely for the purpose of generating a vulnerability scan. It is not stored or shared with any third parties, except as explicitly noted (e.g., OpenAI for findings generation).
  • Snippets of user-submitted code may be sent to OpenAI, a trusted third-party provider, for generating detailed findings and remediation advice. OpenAI adheres to stringent confidentiality and security obligations.

b. Non-Disclosure

  • CyberSanctus does not share user-submitted code, findings, or reports with partners, affiliates, or external parties.
  • We do not sell or distribute user data to brokers or advertisers.

3. Audit Report Handling

By default:

  • Scan reports are uploaded to Firebase under a unique link accessible to the user.
  • Users who prefer not to have their reports uploaded to Firebase can contact us at info@cybersanctus.com to make alternative arrangements.
  • Audit reports may include snippets of vulnerable code to help identify and explain the issues but will not include the entire submitted code.

4. Third-Party Integrations and Responsibilities

To provide high-quality services, CyberSanctus partners with a small number of trusted third-party providers:

  • OpenAI: For generating insights and remediation suggestions for vulnerabilities. Data shared is limited to the minimum required for generating meaningful output and is subject to strict confidentiality agreements.
  • Stripe: For secure payment processing. Stripe is PCI DSS-compliant.
  • Intercom: For providing customer support and communication services. Only user email addresses are shared.

All third-party providers are evaluated to ensure compliance with our safety and confidentiality standards.

5. Client Rights and Transparency

a. Rights to Data

  • Access: Clients may request access to any personal data stored in our systems.
  • Deletion: Clients may permanently delete their accounts, removing all associated data from our databases.
  • Preferences: Clients can communicate specific preferences, such as avoiding Firebase uploads, by contacting info@cybersanctus.com.

b. Transparency

  • Our practices and policies are detailed in the Privacy Policy and are designed to uphold transparency at all times.
  • Any updates to our practices will be communicated via this page and our other policy documents.

6. Exceptional Circumstances

While we are committed to safeguarding your data, there are rare circumstances where we may disclose user data:

  • Law Enforcement Requests: CyberSanctus complies with valid law enforcement requests supported by warrants or legal authority.
  • Corporate Changes: In the event of an acquisition or merger, we may transfer user data to the acquiring entity, ensuring that it remains subject to the same confidentiality standards.

7. Breach Response and Mitigation

In the unlikely event of a security breach:

  • Clients will be notified within 72 hours of the breach's discovery, as required by GDPR.
  • Immediate steps will be taken to mitigate risks, secure affected systems, and prevent future occurrences.

8. Contact Us

For questions or concerns regarding client safety and confidentiality, please contact us:

CyberSanctus is dedicated to delivering a secure, trustworthy, and confidential experience for all clients. Your safety is our responsibility, and your trust is our greatest asset.