At Cycode, we take our users' privacy seriously. As a result, Cimon collects and uses only the information that is required to deliver you a great and secure experience and to continue and improve it, and data that is no longer necessary is deleted.
Here are the main things you should know about the data Cimon collects.
Data NOT collected by Cimon
We never forget to balance our goal of improving Cimon with the help of additional data with our users' privacy rights and security needs. As a security tool, protecting data is what we're all about!
So, the following data never leaves your environment and is not shared with anyone, including Cimon:
- Source Code
Data that Cimon collects
Our tool collects the following types of data to provide its service and to improve and protect user experience:
- Workflow Definition - The Cimon GitHub App requests minimal access to the environment, as explained here. The GitHub App has access to source code repositories; however, we access only workflow definitions for the following purposes:
  - Identifying whether Cimon is installed
  - Automating pull request onboarding
- Cimon version
  - This helps us understand which version of our tool you are using, which is essential for troubleshooting and improving our product.
- Metadata about the CI runner environment:
  - This includes information about the environment in which Cimon is running, such as the operating system and system architecture, which helps us ensure compatibility and optimize our tool's performance.
  - E.g., OS version, architecture (amd64/arm), GitHub runner version.
- Configuration used:
  - This includes information about the configuration options you have given, such as the rules you have chosen to enforce.
  - E.g., allowed IPs, allowed domains, prevention mode.
- Metadata about the project analyzed by Cimon:
  - This includes information about the project that you are analyzing using Cimon, such as the repository name, organization name, and workflow name. This information is used to help you monitor Cimon installations in the platform.
  - E.g., organization name, repository name, workflow name.
- Generated report:
  - The report that has been generated, including information on any pipeline issues identified.
  - E.g., detection status, network connections, and executed processes.
- Provenance document:
  - The document is uploaded to the platform for further analysis and enrichment.
  - E.g., SLSA provenance with the subjects and runner information.
- Error logs:
  - If Cimon encounters issues, Cimon logs will be sent for further analysis.
Use of collected data
We use the data that Cimon collects for the following main purposes:
- Present you and your authorized users with relevant data, notifications and finding reports in the Cimon platform dashboard, so you can take appropriate actions.
- Assist you in creating security policies based on findings and analysis: We analyze the data collected by Cimon to help you create security policies that are specific to your project. As a result, friction is reduced and security policies are kept up-to-date.
- Maintain, support, secure and continue to improve Cimon and our service: We analyze aggregated and de-identified data (which, for the avoidance of doubt, does not include personal information) collected by our tool to identify trends and patterns that help us support, secure and improve Cimon so it provides better service to you.
We use certain third-party services to provide, maintain, support, and protect Cimon, including, for instance, cloud hosting, database and log management, support, and usage and performance analytics. All such third-party services are authorized to handle data solely for the purpose of fulfilling their assigned responsibilities and are obligated not to use or disclose it for any other purpose.
An up-to-date list of our sub-processors can be shared upon request.