Privacy Policy
This Privacy Policy explains how Cerynix ("Cerynix", "we", "us"), operated by [Andrejs Sevcenko / legal entity name], [registered address], processes personal data when you visit cerynix.com or use the Cerynix platform (the "Service"). We act as a data controller for our own account, billing and website data, and as a data processor for the content you put into the Service on behalf of your organisation (see our Data Processing Agreement).
1. Data we process
- Account & contact data — name, work email, organisation, role, and authentication data you provide when registering or requesting access.
- Service content — the controls, risks, evidence, assets, incidents, policies and connector data you or your organisation load into the Service.
- Connector data — data pulled from systems you connect (e.g. identity, endpoint and security tools); connector credentials are encrypted at rest and never returned by the API.
- Usage & technical data — logs, IP address, timestamps and audit events needed to operate and secure the Service.
We do not sell personal data, and we do not use your Service content to train third-party AI models.
2. Why we process it (lawful bases)
- Performance of a contract — to provide the Service you or your organisation signed up for.
- Legitimate interests — to secure, maintain and improve the Service, and to respond to enquiries.
- Legal obligation — where we must retain or disclose data by law.
- Consent — where required, e.g. certain optional communications (you can withdraw at any time).
3. Sharing & sub-processors
We share personal data only with service providers ("sub-processors") that help us run the Service (e.g. hosting, content delivery and email), under contracts requiring appropriate safeguards. A current list is maintained in the DPA. Cerynix can be self-hosted, in which case your Service content stays in your own environment.
4. International transfers
Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. An EU data-residency option is available for evidence storage.
5. Retention
We keep personal data only as long as needed for the purposes above, then delete or anonymise it. Service content is retained per your organisation's agreement and deleted or returned on termination (see the DPA).
6. Security
We apply measures appropriate to the risk, including multi-tenant isolation (PostgreSQL Row-Level Security), role-based access control, encryption of connector secrets, audit logging of sensitive actions, and a hardened network edge. No system is perfectly secure; we work to reduce and respond to risk.
7. Your rights
Subject to applicable law, you may request access, rectification, erasure, restriction or portability of your personal data, and object to certain processing. For Service content, direct requests to the organisation that controls it; we will assist as processor. Contact us at [email protected]. You may also complain to your supervisory authority (in Latvia, the Data State Inspectorate).
8. Cookies
The marketing site uses only what is necessary to serve pages; it sets no advertising or cross-site tracking cookies. The application may use strictly necessary cookies for authentication and session management.
9. Changes & contact
We may update this policy; material changes will be posted here with a new version and date. Questions? Email [email protected].