Privacy Policy
What we collect, how we use it, who we share it with, and the rights you have.
VigilChain, Inc. ("VigilChain," "we," "us," or "our") is a Delaware corporation. This Privacy Policy describes what personal information we collect, how we use it, whom we share it with, and the rights you have regarding that information.
This Privacy Policy applies to:
- app.vigilchain.com (the "Platform");
- api.vigilchain.com (the "API").

Collectively, the Site, Platform, and API are the "Services."
Scope note. VigilChain's Services are currently offered to customers located in the United States. We do not currently support customers located in the European Economic Area, the United Kingdom, or Switzerland. If you are located outside the United States and interact with our Services (for example, by visiting the Site), your information is processed in the United States. If we expand our customer eligibility in the future, we will update this Privacy Policy with appropriate disclosures and safeguards.
When you visit www.vigilchain.com, we collect:
When you create an account and use the Platform, we collect:
When you connect sources (repositories, cloud accounts, scanners) or initiate scans, the Platform processes:
Customer Content may incidentally contain personal data — for example, email addresses in source code comments, or usernames in configuration files. Where personal data appears in Customer Content, we treat it as Confidential Information under the Terms of Service and apply the same technical and organizational protections that apply to all Customer Content. You remain the controller of any personal data contained in Customer Content you submit.
We receive information about you from third parties in limited cases:
We use the personal information we collect to:
We do not use your personal information for third-party advertising, and we do not sell your personal information.
We engage the following service providers to operate the Services. Each is bound by contractual data-protection terms.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Infrastructure hosting: compute, database, cache, object storage, email delivery, DNS, CDN, logging, secrets management. Production AI inference via Amazon Bedrock (Anthropic Claude served inside VigilChain's AWS account). | All customer data categories, including AI prompts and responses for the production Bedrock surface | United States (us-east-1) |
| Anthropic, PBC | Claude model provider. On the production path, Claude is served via AWS Bedrock inside VigilChain's AWS account; Anthropic remains a contractual counterparty under Anthropic's Commercial Terms (two-layer DPA) but does not access prompts or responses on this path. The direct Claude API is used only for tenants that have configured their own Anthropic API key (Bring Your Own AI Key) and for internal operator tooling that does not process customer data. | Source code excerpts and finding metadata, as needed to perform AI analysis | United States |
| GitHub, Inc. (Microsoft) | Source code hosting and CI/CD for VigilChain's own platform code; OIDC trust for keyless AWS deployments | No customer data | United States |
| PostHog, Inc. | Product and marketing site analytics; JavaScript error capture | Page views, events, user identifiers for logged-in users, IP-derived approximate location, JavaScript exceptions | United States |
| Formspree, Inc. | Marketing-site form processing (demo requests, contact form) | Name, email, company, subject, and message content from form submissions | United States |
| Google LLC | Web fonts (Google Fonts) loaded at runtime on the marketing website | IP addresses and user-agent strings, incidental to font delivery | United States |
Note on AI processing. Production AI inference for all tenants without their own Anthropic API key is served by Anthropic Claude through AWS Bedrock, hosted inside VigilChain's AWS environment. Under the AWS Bedrock service terms and Anthropic's Commercial Terms, your prompts and the model's responses are not used to train Claude or any other model and are not retained by Anthropic on this path. If you configure your own Anthropic API key (Bring Your Own AI Key), AI requests for your tenant are routed directly to your Anthropic account and are governed by your contractual relationship with Anthropic. See Section 10 for the full disclosure.
We do not share personal information with advertisers, data brokers, or third parties for cross-context behavioral advertising.
VigilChain is based in the United States and processes data in AWS us-east-1 (N. Virginia). We do not currently transfer customer data outside the United States.
Our Services are currently offered to customers located in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland and interact with the marketing website or communications, you understand and consent to the processing of your information in the United States. The United States may have different data protection standards than your country of residence.
If we expand our services to customers located in the European Economic Area, the United Kingdom, or Switzerland in the future, we will implement appropriate transfer mechanisms — such as the Standard Contractual Clauses approved by the European Commission — and update this Privacy Policy accordingly.
We do not currently claim participation in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework.
We retain personal information for as long as it is necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:
Where retention is required by applicable law, or necessary to resolve disputes or enforce our agreements, we may retain certain information beyond these periods.
You may request deletion of your personal data at any time by contacting privacy@vigilchain.com. We complete deletion requests within 30 days and confirm in writing, subject to any lawful retention obligations that may apply.
We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, misuse, alteration, and destruction:
While we strive to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and we encourage you to protect your account credentials and to enable multi-factor authentication.
Depending on where you are located and how you interact with our Services, you may have the following rights regarding your personal information. We will not discriminate against you for exercising any of these rights.
If you are a California resident, you have the right to:
If you are a resident of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, or another US state with a comprehensive privacy law, you have similar rights to those described above — including rights to access, delete, correct, and opt out of targeted advertising (which we do not conduct). The specific rights available depend on the applicable state law.
Although our Services are not currently offered to customers located in these regions, if we process your personal data incidentally (for example, because you visit our marketing website), you may have rights under the GDPR or equivalent laws, including the right to:
Our legal bases for processing personal data include the performance of a contract with you or your organization, our legitimate interests in operating and securing the Services, compliance with legal obligations, and your consent where required.
Customers who require a Data Processing Agreement to comply with the GDPR, UK GDPR, CCPA, or similar regulations may contact legal@vigilchain.com to request our DPA template.
To exercise any of the rights described above, contact us at privacy@vigilchain.com. We will take reasonable steps to verify your identity before responding, and we will respond within the timeframe required by applicable law.
We take a minimal approach to cookies and tracking. A summary of what we use:
- app.vigilchain.com (the Platform): strictly necessary cookies only — vc_session, vc_refresh, and vc_csrf. These cookies are used for authentication and request-forgery protection. They are httpOnly, secure, and are not used to track your browsing activity.
- www.vigilchain.com (the marketing website): analytics cookies set by PostHog (ph_*_posthog) to understand how visitors use the site. These cookies store an anonymous device identifier; they do not track you across other websites.

We do not use advertising cookies, social media tracking pixels, or cookies for cross-site behavioral advertising.
For the complete list of cookies, their purposes, and how long they persist, see our Cookie Policy.
For a plain-language visual summary of what is sent to AI providers, in which call, and at what retention window, see Data Flow & AI Processing. The text below is the legally binding policy.
The Services use artificial intelligence models — Anthropic Claude served through Amazon Bedrock inside VigilChain's AWS environment by default — to classify security findings into a canonical taxonomy, confirm ambiguous deduplication decisions, analyze CI/CD configurations for deployment chain discovery, and generate finding narratives and remediation guidance.
When AI processing is applied to your data:
Our training commitment. VigilChain does not use Customer Content to train, fine-tune, or enhance artificial intelligence or machine learning models owned or operated by VigilChain, without your prior written consent. This commitment is reflected in the modification of Section 1.6 of the Common Paper Cloud Service Standard Terms contained in our Terms of Service.
Third-party AI training and retention. On the production AWS Bedrock path (default for all tenants without their own Anthropic API key), Anthropic does not use your prompts or responses to train Claude or any other model, and does not retain prompts or responses, per the AWS Bedrock service terms and Anthropic's Commercial Terms. AWS-side logging follows VigilChain's published retention policy and is governed by VigilChain's AWS account configuration. On the direct Anthropic API path (used only for tenants that have configured Bring Your Own AI Key, and for internal operator tooling), Anthropic's standard Commercial Terms apply: prompts may be retained by Anthropic for up to 30 days for trust-and-safety review and are not used for model training. Bring Your Own AI Key traffic is governed by your direct contractual relationship with Anthropic, not by VigilChain's. A Data Processing Agreement that reflects these flows is available on request at legal@vigilchain.com.
Limitations of AI outputs. AI-generated information may be incorrect, incomplete, or inaccurate. AI outputs are advisory and are not a substitute for qualified human review of security-critical decisions.
We may use Usage Data (how you and other users interact with the Platform) that has been aggregated and de-identified, such that it cannot reasonably be used to identify you, your organization, Users, or Customer Content, to maintain, improve, and promote our products and services.
The Services are not intended for individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18. If you are under 18, you should not use the Services or provide personal information to us. If we learn that we have collected personal information from an individual under 18, we will delete that information promptly. If you believe an individual under 18 has provided personal information to us, please contact privacy@vigilchain.com.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy at this URL with an updated effective date. For material changes that significantly affect how we process your personal information, we will provide additional notice by email or through the Services at least 30 days before the changes take effect. Your continued use of the Services after changes become effective constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or our data practices, or to exercise your privacy rights:
VigilChain, Inc., a Delaware corporation.