
Privacy Policy

Cyberion Security (“we”, “us”, “our”) operates the Cyberion EDR platform, including this website, the management console, endpoint agents, and related APIs (collectively, the Service). This Privacy Policy explains how we process personal data when you use the Service.

1. Who is responsible for processing?

The data controller for personal data collected through this website and access-request forms is:

  • Cyberion Security
  • Privacy contact: legal@cyberion.security
  • Data Protection contact: dpo@cyberion.security

For endpoint telemetry and security data processed on behalf of a customer organization, that customer is generally the data controller and we act as a data processor under their instructions and applicable data processing terms.

2. Scope

This policy applies to:

  • Visitors to https://cyberion.cloud and users who submit access requests;
  • Authenticated console users (administrators and operators);
  • Data processed through Cyberion EDR agents deployed on customer endpoints, as described in Section 5.

3. Categories of personal data we process

Category | Examples | Source
Account & identity | Username, password hash, role (admin/operator), optional email | Provided by your organization or during account setup
Access requests | Business email, infrastructure scope, free-text notes | Landing page contact form
Audit & security logs | Console actions, IP address, timestamps, user agent where logged | Generated by the Service
Endpoint & security telemetry | Hostname, IP, OS, process/network events, alerts, inventory, vulnerability findings | EDR agents on customer systems
Technical data | Session identifiers, cookies, API tokens, agent authentication tokens | Generated by the Service

We do not intentionally collect special categories of data (e.g. health, biometric, or children’s data). Customers must ensure they have a lawful basis to deploy agents and that telemetry collection complies with their policies and applicable law.

4. Purposes and legal bases (EEA/UK)

Where GDPR or UK GDPR applies, we rely on the following bases:

  • Contract — to provide the Service, authenticate users, and support customers who have agreed to use Cyberion EDR;
  • Legitimate interests — to secure the platform, prevent abuse, improve detection capabilities, maintain audit trails, and respond to access requests (balanced against your rights);
  • Legal obligation — where we must retain or disclose data to comply with law;
  • Consent — only where explicitly requested (e.g. optional marketing, if offered).

5. Endpoint agents and security processing

Cyberion EDR agents collect security-relevant telemetry from endpoints you or your organization authorize, including but not limited to:

  • Heartbeat and inventory (hostname, IP, operating system, installed packages);
  • Process and network events used for threat detection and investigation;
  • Alerts, detection matches, and optional remediation actions executed through playbooks;
  • Vulnerability signatures and, if enabled, external CVE/OSV lookups based on package versions.

This processing is necessary to deliver endpoint detection and response. Customers are responsible for informing their personnel and obtaining any required notices or consents before deployment.

6. Cookies and similar technologies

We use strictly necessary session cookies to keep you signed in to the console. These cookies are essential for authentication and security. We do not use advertising or cross-site tracking cookies on the console. You can control cookies through your browser; disabling session cookies will prevent login.

7. Recipients and subprocessors

We may share personal data with:

  • Hosting and infrastructure providers that operate our servers and databases;
  • Email delivery providers (if SMTP is configured for notifications or password reset);
  • Webhook or integration endpoints configured by the customer;
  • External vulnerability databases (e.g. OSV) when the customer enables live CVE lookup;
  • Professional advisers or authorities when required by law.

We require processors to protect data under contractual terms consistent with applicable law. A subprocessor list is available on request at legal@cyberion.security.

8. International transfers

If personal data is transferred outside the EEA/UK, we implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms, unless an adequacy decision applies. Contact us for details of transfers relevant to your deployment.

9. Security

We implement technical and organizational measures appropriate to the risk, including access controls, hashed passwords, optional agent token authentication, rate limiting, audit logging, and encrypted transport (HTTPS). No method of transmission or storage is 100% secure; you must also protect credentials and agent tokens.

10. Retention

  • Console accounts — retained while the account is active and for a reasonable period thereafter;
  • Access requests — retained until processed and then archived or deleted per our retention schedule;
  • Alerts and telemetry — retained according to customer configuration (e.g. alert retention settings) and operational needs;
  • Audit logs — retained to demonstrate compliance and investigate security incidents.

When data is no longer needed, we delete or anonymize it unless longer retention is required by law.

11. Your rights

Depending on your location, you may have the rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability. Where processing is based on consent, you may withdraw consent at any time. You may lodge a complaint with your supervisory authority (e.g. CNIL in France).

To exercise rights relating to console account data, contact your organization administrator or legal@cyberion.security. For endpoint data, contact your employer or the customer organization that deployed the agent; we will assist the controller as required.

12. Automated decision-making

The Service uses rule-based detection and optional analyst-assist features. Alerts and playbooks may trigger automated or semi-automated actions configured by the customer (e.g. isolation recommendations). Significant decisions with legal or similar effects are not made solely by automated means without human oversight unless explicitly configured and permitted by the customer.

13. Children

The Service is intended for business and professional use. We do not knowingly collect personal data from children under 16.

14. Changes

We may update this Privacy Policy. The “Last updated” date at the bottom of the page will change when we do. Material changes will be communicated through the Service or by email where appropriate.

15. Contact

Questions about this policy: legal@cyberion.security
Security incidents: soc@cyberion.security

Last updated: 28 May 2026. These documents are provided for transparency. Have them reviewed by qualified counsel before production use.
