CerynixGovernance · Evidence · Resilience
Platform Pricing Security Sign in

Legal

Privacy Policy

Version 0.1 (draft) · Last updated [DATE].

⚠️ Draft template — not legal advice. This document is a starting point only. Bracketed [placeholders] must be completed and the whole policy reviewed and adapted by qualified counsel for your jurisdiction before you rely on it or publish it as binding.

This Privacy Policy explains how Cerynix ("Cerynix", "we", "us"), operated by [Andrejs Sevcenko / legal entity name], [registered address], processes personal data when you visit cerynix.com or use the Cerynix platform (the "Service"). We act as a data controller for our own account, billing and website data, and as a data processor for the content you put into the Service on behalf of your organisation (see our Data Processing Agreement).

1. Data we process

  • Account & contact data — name, work email, organisation, role, and authentication data you provide when registering or requesting access.
  • Service content — the controls, risks, evidence, assets, incidents, policies and connector data you or your organisation load into the Service.
  • Connector data — data pulled from systems you connect (e.g. identity, endpoint and security tools); connector credentials are encrypted at rest and never returned by the API.
  • Usage & technical data — logs, IP address, timestamps and audit events needed to operate and secure the Service.

We do not sell personal data, and we do not use your Service content to train third-party AI models.

2. Why we process it (lawful bases)

  • Performance of a contract — to provide the Service you or your organisation signed up for.
  • Legitimate interests — to secure, maintain and improve the Service, and to respond to enquiries.
  • Legal obligation — where we must retain or disclose data by law.
  • Consent — where required, e.g. certain optional communications (you can withdraw at any time).

3. Sharing & sub-processors

We share personal data only with service providers ("sub-processors") that help us run the Service (e.g. hosting, content delivery and email), under contracts requiring appropriate safeguards. A current list is maintained in the DPA. Cerynix can be self-hosted, in which case your Service content stays in your own environment.

4. International transfers

Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. An EU data-residency option is available for evidence storage.

5. Retention

We keep personal data only as long as needed for the purposes above, then delete or anonymise it. Service content is retained per your organisation's agreement and deleted or returned on termination (see the DPA).

6. Security

We apply measures appropriate to the risk, including multi-tenant isolation (PostgreSQL Row-Level Security), role-based access control, encryption of connector secrets, audit logging of sensitive actions, and a hardened network edge. No system is perfectly secure; we work to reduce and respond to risk.

7. Your rights

Subject to applicable law, you may request access, rectification, erasure, restriction or portability of your personal data, and object to certain processing. For Service content, direct requests to the organisation that controls it; we will assist as processor. Contact us at [email protected]. You may also complain to your supervisory authority (in Latvia, the Data State Inspectorate).

8. Cookies

The marketing site uses only what is necessary to serve pages; it sets no advertising or cross-site tracking cookies. The application may use strictly necessary cookies for authentication and session management.

9. Changes & contact

We may update this policy; material changes will be posted here with a new version and date. Questions? Email [email protected].

© 2026 Cerynix. All rights reserved. HomePricingPrivacyTermsDPAContact

Cerynix supports your NIS2, ISO/IEC 27001 and GDPR readiness. It is not legal advice and does not guarantee compliance or certification. This page is a draft template pending review by qualified counsel.