We sell security advice. We run it on ourselves.
The controls below are live in production, the standards are the bar we hold our own program to, and the frameworks are what your assessments map to. No vague promises.
- Encryption, in transit and at rest
- Tenant isolation
- Audit log
- Read-only by design
Don't trust our word — re-check the proof.
Diligence has two axes: the controls we run (below), and whether our output is verifiable at all. Both are yours to check — without taking anything on faith.
Verify a proof, offline
Drop any signed proof bundle into the verifier and your browser re-computes the hash chain and re-runs the reachability check. The verifier runs entirely in your browser — we cannot see what you check, and nothing uploads. Open the verifier →
Read how every number is computed
The ALE math, the compliance-scoring provenance, the attack-path heuristics — every input cited, with the limits named. We cannot claim a control we cannot observe: governance and policy controls need a separate attestation, and the methodology says so. Read the methodology →
See the real artifacts
The actual PDFs the engine produces — board pack, compliance, attack paths — rendered from a seeded sample estate, no signup. Every figure carries its proven-or-modeled label. Download the sample reports →
What our program aligns with
Our security program is built to map onto the criteria customers ask about.
SOC 2
AlignedControls built to the SOC 2 Trust Services Criteria — security, availability, and confidentiality.
GDPR / UK-GDPR
AlignedA Data Processing Agreement, a public subprocessor register, and export and deletion on request.
ISO 27001
AlignedAn information-security management approach modelled on the ISO 27001 control set.
Secure SDLC
PracticeOWASP-guided development, dependency and secret scanning on every change, least-privilege access throughout.
“Aligned” means our controls are built to follow these criteria — it is not a claim of certification or a completed third-party audit.
What we've implemented
The technical measures protecting customer data, in plain language.
Encryption, in transit and at rest
TLS 1.2+ everywhere with HSTS preload. Data encrypted at rest.
Authentication
Clerk for password and session security; SSO/SAML for Enterprise. MFA enforced on every operational admin account. No custom auth code.
Tenant isolation
Every query is scoped to the customer's organisation. Cross-tenant access boundaries are enforced in code and covered by a dedicated isolation test suite.
Audit log
A timestamped record of every data-modifying action, available in-product to your org admins and exportable as CSV.
Secrets management
Secrets live in a managed vault, never in source. CI scans every change for leaked credentials before it merges.
Read-only by design
CyberTwin is upload-based today. If read-only integrations ship, connectors use scope-minimum credentials sealed with KMS envelope encryption, encrypted at rest, with every sync logged.
How we handle your data
The short version. The full Privacy Policy and DPA are linked at the bottom of this page.
What we collect
Account details, the environment data you upload, and operational logs. Marketing analytics are cookieless — page path and referrer only.
How long we keep it
While your account is active. After cancellation the account is read-only for 90 days so you can export, then retained a further 90 days for re-activation before deletion — 180 days total. Audit logs are kept 12 months; billing records as tax law requires.
Your rights
Access, correction, deletion, and portability on request — email privacy@cybertwin.io and we respond within 30 days. You own the artifacts the engine produces.
Data residency
Need your data to live in a specific region? Region-pinned residency is available on Enterprise — contact us to scope it for your organisation.
Who we share data with
The third parties that process customer data on our behalf, and what each one touches.
| Subprocessor | Purpose | Data accessed |
|---|---|---|
| Fly.io | Application hosting, compute, and the persistent volume holding the database. The sole processor of customer data at rest. | All account, environment, finding, and audit-log data; uploaded documents |
| Anthropic | LLM narrative generation (Claude API) | Profile metadata, structured engine output (no document content); zero-retention API mode |
| Clerk | Authentication, session management, SSO/SAML | Auth identifiers (email, hashed password, MFA factors) |
| Resend | Transactional email | Recipient email addresses, message content |
| Sentry | Error monitoring | Stack traces, request metadata; PII-scrubbing rules applied before send |
| PostHog | Marketing-site product analytics (EU Cloud) | Marketing-page behaviour only. Loaded on public pages exclusively — never inside the authenticated product, so no environment, finding, or exposure data reaches it. |
| Ad conversion measurement and audience building (Insight Tag) | Marketing-page visit signals for ad attribution. Public pages only — the tag never loads inside the authenticated product. |
We notify customers in writing before adding a subprocessor.
Found a vulnerability?
Email security@cybertwin.io. We acknowledge within 24 hours and aim to triage within 72. Our public security.txt lives at /.well-known/security.txt.
Request the security pack
Email security@cybertwin.io and we'll send the DPA, the subprocessor list, our encryption-in-transit certificate, and an infrastructure architecture overview. Typical turnaround: same business day.