CyberTwin
Trust & security

We sell security advice. We run it on ourselves.

The controls below are live in production, the standards are the bar we hold our own program to, and the frameworks are what your assessments map to. No vague promises.

Program alignment
SOC 2AlignedGDPR / UK-GDPRAlignedISO 27001AlignedSecure SDLCPractice
Live controls
  • Encryption, in transit and at rest
  • Tenant isolation
  • Audit log
  • Read-only by design
Prove it yourself

Don't trust our word — re-check the proof.

Diligence has two axes: the controls we run (below), and whether our output is verifiable at all. Both are yours to check — without taking anything on faith.

Verify a proof, offline

Drop any signed proof bundle into the verifier and your browser re-computes the hash chain and re-runs the reachability check. The verifier runs entirely in your browser — we cannot see what you check, and nothing uploads. Open the verifier →

Read how every number is computed

The ALE math, the compliance-scoring provenance, the attack-path heuristics — every input cited, with the limits named. We cannot claim a control we cannot observe: governance and policy controls need a separate attestation, and the methodology says so. Read the methodology →

See the real artifacts

The actual PDFs the engine produces — board pack, compliance, attack paths — rendered from a seeded sample estate, no signup. Every figure carries its proven-or-modeled label. Download the sample reports →

Standards

What our program aligns with

Our security program is built to map onto the criteria customers ask about.

SOC 2

Aligned

Controls built to the SOC 2 Trust Services Criteria — security, availability, and confidentiality.

GDPR / UK-GDPR

Aligned

A Data Processing Agreement, a public subprocessor register, and export and deletion on request.

ISO 27001

Aligned

An information-security management approach modelled on the ISO 27001 control set.

Secure SDLC

Practice

OWASP-guided development, dependency and secret scanning on every change, least-privilege access throughout.

“Aligned” means our controls are built to follow these criteria — it is not a claim of certification or a completed third-party audit.

Controls

What we've implemented

The technical measures protecting customer data, in plain language.

Encryption, in transit and at rest

TLS 1.2+ everywhere with HSTS preload. Data encrypted at rest.

Authentication

Clerk for password and session security; SSO/SAML for Enterprise. MFA enforced on every operational admin account. No custom auth code.

Tenant isolation

Every query is scoped to the customer's organisation. Cross-tenant access boundaries are enforced in code and covered by a dedicated isolation test suite.

Audit log

A timestamped record of every data-modifying action, available in-product to your org admins and exportable as CSV.

Secrets management

Secrets live in a managed vault, never in source. CI scans every change for leaked credentials before it merges.

Read-only by design

CyberTwin is upload-based today. If read-only integrations ship, connectors use scope-minimum credentials sealed with KMS envelope encryption, encrypted at rest, with every sync logged.

Your data

How we handle your data

The short version. The full Privacy Policy and DPA are linked at the bottom of this page.

What we collect

Account details, the environment data you upload, and operational logs. Marketing analytics are cookieless — page path and referrer only.

How long we keep it

While your account is active. After cancellation the account is read-only for 90 days so you can export, then retained a further 90 days for re-activation before deletion — 180 days total. Audit logs are kept 12 months; billing records as tax law requires.

Your rights

Access, correction, deletion, and portability on request — email privacy@cybertwin.io and we respond within 30 days. You own the artifacts the engine produces.

Data residency

Need your data to live in a specific region? Region-pinned residency is available on Enterprise — contact us to scope it for your organisation.

Subprocessors

Who we share data with

The third parties that process customer data on our behalf, and what each one touches.

SubprocessorPurposeData accessed
Fly.ioApplication hosting, compute, and the persistent volume holding the database. The sole processor of customer data at rest.All account, environment, finding, and audit-log data; uploaded documents
AnthropicLLM narrative generation (Claude API)Profile metadata, structured engine output (no document content); zero-retention API mode
ClerkAuthentication, session management, SSO/SAMLAuth identifiers (email, hashed password, MFA factors)
ResendTransactional emailRecipient email addresses, message content
SentryError monitoringStack traces, request metadata; PII-scrubbing rules applied before send
PostHogMarketing-site product analytics (EU Cloud)Marketing-page behaviour only. Loaded on public pages exclusively — never inside the authenticated product, so no environment, finding, or exposure data reaches it.
LinkedInAd conversion measurement and audience building (Insight Tag)Marketing-page visit signals for ad attribution. Public pages only — the tag never loads inside the authenticated product.

We notify customers in writing before adding a subprocessor.

Disclosure

Found a vulnerability?

Email security@cybertwin.io. We acknowledge within 24 hours and aim to triage within 72. Our public security.txt lives at /.well-known/security.txt.

Diligence

Request the security pack

Email security@cybertwin.io and we'll send the DPA, the subprocessor list, our encryption-in-transit certificate, and an infrastructure architecture overview. Typical turnaround: same business day.