Overview
VigilChain, Inc. and its affiliates ("VigilChain," "Company," "we," "us," or "our") respect your right to privacy and your ability to control the Personal Information you share with us. "Personal Information" means any information that relates to an identified or identifiable natural person. We have developed this Privacy Policy to inform you about our privacy practices for our public-facing website at www.vigilchain.com ("Site"), our application security posture management platform at app.vigilchain.com, and related products and services we provide (collectively, the "Services").
This Privacy Policy describes how VigilChain collects, uses, shares, discloses, and processes Personal Information you provide through the Site, through account registration, and through your use of the Services. It also describes your choices and rights regarding the use, access, and deletion of your Personal Information.
If you are located in the European Economic Area ("EEA") and are subject to the protections of the European Union's General Data Protection Regulation 2016/679 ("GDPR"), please see Section 12: EEA and GDPR Supplement below. If you are a resident of California, please see Section 13: California Privacy Notice below.
1. Our Collection of Personal Information
Below are the categories of Personal Information we may collect and the circumstances in which you may provide it to us:
Account Information
When you create an account, we collect your name, email address, organization name, job title, and role. If you are invited to join an existing tenant, the inviting administrator provides your email address, and we collect additional profile information when you accept the invitation. We keep track of your preferences when you configure settings within your account.
Payment Information
If you subscribe to a paid plan, our third-party payment processor collects billing details including payment card information. We receive confirmation of payment status and subscription tier, but we do not store credit card numbers on our servers.
Communications
When you contact us via email, a contact form, or other means, we collect the content of your messages, any attachments, and the information you choose to provide. If you participate in surveys, feedback requests, or early access programs, we collect the responses you submit. Participation in surveys is voluntary.
Information Collected Through the Platform
- Security findings: When you connect scanner integrations or initiate scans, we receive and store vulnerability findings, scan metadata, severity information, and related asset information within your tenant.
- Source control metadata: We access repository names, branch information, file paths, CI/CD configuration files, and CODEOWNERS files necessary for chain discovery and owner identification. We do not access or store your application source code unless explicitly required for a scan you initiate (such as SCA scanning of a repository you designate).
- Cloud infrastructure metadata: We collect resource identifiers, service configurations, container image references, network topology, security group rules, and related infrastructure metadata from your connected cloud accounts via read-only API access. We cannot modify, create, or delete resources in your cloud environment.
- Workflow integration data: When you configure ticket synchronization, we exchange finding information and ticket status with your connected issue trackers as directed by you.
Automatically Collected Information
- Log data: Our servers automatically record information when you visit the Site or use the Services, including your IP address, browser type and version, operating system, referring URL, pages visited, actions taken, and timestamps.
- Cookies: We use strictly necessary cookies for authentication and session management. Authentication tokens are stored in httpOnly secure cookies and are never exposed to client-side JavaScript. We do not use third-party advertising or tracking cookies. See Section 8: Use of Cookies for more detail.
- Usage data: We collect information about how you interact with the platform, including features used, pages viewed, search queries, and actions taken, in order to operate and improve the Services.
Information from Third Parties
We may receive Personal Information from third parties in limited circumstances, such as when an administrator invites you to join a tenant, when you authenticate through a single sign-on provider, or when a third-party service provider assists us with payment processing or communications. We combine such information with Personal Information we collect directly only as necessary to provide the Services.
2. How We Use Your Information
We use the Personal Information we collect to:
- Provide, operate, maintain, and improve the Services
- Create and manage your account and tenant
- Deduplicate, correlate, and prioritize security findings across your connected sources
- Map deployment chains between your repositories, container images, cloud services, and network exposure points
- Generate risk scores, vulnerability narratives, and remediation guidance
- Process AI-assisted classification, deduplication confirmation, and analysis as described in Section 4: AI Processing
- Send transactional communications (finding alerts, invitation links, status updates, and account notifications)
- Respond to your requests, inquiries, and support tickets
- Detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents
- Comply with legal obligations, enforce our Terms of Service, and protect our rights
- For any other lawful purpose to which you consent
3. Data Isolation and Multi-Tenancy
VigilChain is architected with multi-tenant data isolation as a foundational design principle. Your organization's data is scoped to your tenant at the database level using row-level security policies. These policies are enforced by the database engine itself — not by application code alone — ensuring that queries from one tenant cannot access another tenant's findings, assets, chain data, or configuration.
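The tenant scoping described above, shown as an added example rather than VigilChain's own schema or policy definitions: a PostgreSQL findings table whose row-level security policy is bound to a per-session tenant setting, so the engine filters and checks every row regardless of what the application's query says. The table, role and setting names (findings, app_user, app.tenant_id) and the tenant UUIDs are assumed for illustration.

```sql
-- Added example, not VigilChain's schema. Assumed names: table findings,
-- role app_user, session setting app.tenant_id; the UUIDs are made up.

CREATE TABLE findings (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL,
    severity  text NOT NULL
);

-- The application connects as a role that neither owns the table nor has
-- BYPASSRLS, so it cannot step around the policy. The connecting login role
-- is assumed to be a member of app_user so that SET ROLE below succeeds.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO app_user;
GRANT USAGE, SELECT ON SEQUENCE findings_id_seq TO app_user;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- The database engine evaluates this predicate on every row for every command.
-- current_setting(..., true) yields NULL when the setting was never set in the
-- session, but yields '' once an earlier SET has been reset, so NULLIF is
-- needed; NULL::uuid compares as NULL and the row is simply not visible.
CREATE POLICY tenant_isolation ON findings
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the application binds the caller's tenant inside a transaction.
-- SET LOCAL is undone at COMMIT or ROLLBACK, so a pooled connection does not
-- carry one tenant's id into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO findings (tenant_id, title, severity)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Outdated base image', 'high');
-- Rejected by WITH CHECK: a session bound to one tenant cannot write rows for another.
-- INSERT INTO findings (tenant_id, title, severity)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Smuggled row', 'low');
-- No WHERE clause, yet only rows whose tenant_id matches the bound tenant come back.
SELECT id, title FROM findings;
COMMIT;

-- Check: a session that forgets to bind a tenant sees nothing rather than everything,
-- because the predicate is NULL for every row.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM findings;
COMMIT;
```

Two points a reviewer of such a setup would verify: that the application role is not a superuser and has no BYPASSRLS attribute (either bypasses every policy), and that the tenant id is set with SET LOCAL inside the transaction rather than with a session-level SET, since connection pools reuse sessions across requests.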
Platform administrators may access tenant data only through time-limited, audited impersonation sessions that require documented justification. Impersonation actions are logged to a separate platform audit trail and are never recorded in the customer's own audit log.
4. AI Processing
VigilChain uses artificial intelligence to classify scanner rules into a canonical taxonomy, confirm ambiguous deduplication decisions, analyze CI/CD configuration files for chain discovery, and generate vulnerability narratives and remediation guidance. When AI processing is applied to your data:
- Processing occurs on your tenant's data in isolation. Your findings are never combined with another tenant's data for AI processing.
- We send the minimum context necessary to the AI provider — typically rule names, file paths, configuration snippets, and finding metadata. We do not send your full source code, credentials, secrets, or personally identifiable information of your end users.
- AI outputs (classifications, narratives, risk assessments) are stored within your tenant and subject to the same access controls and row-level security as all other tenant data.
- If you provide your own AI API key through our bring-your-own-AI capability, your key is stored using zero-knowledge encryption. No one — including VigilChain platform administrators — can access your raw API key.
5. How We Share Your Information
We do not sell your Personal Information or your security findings. We share information only in the following circumstances:
- Service providers: We engage third-party providers for infrastructure hosting, email delivery, payment processing, and AI inference. These providers process data on our behalf under contractual obligations that require them to protect your information, use it only for the purposes we specify, and not disclose it to other parties.
- Workflow integrations: When you configure ticket synchronization, we transmit finding information to your connected issue tracker (and receive status updates from it) as directed by you. We share only the data necessary for the integration you configured.
- Legal requirements: We may disclose Personal Information if required by law, regulation, subpoena, court order, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud.
- Business transfers: In connection with a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your Personal Information.
- With your consent: We may share your Personal Information with other third parties when you have provided explicit consent or direction to do so.
VigilChain does not share your Personal Information with third-party advertisers. We do not serve ads in our products or allow third parties to advertise within the Services.
6. Data Retention
We retain your Personal Information for as long as your account is active or as needed to provide the Services to you. The specific retention period depends on the type of information and the legal basis for processing:
- Account and tenant data: Retained for the duration of your subscription and for 30 days following account deletion to allow data export, after which deletion is initiated.
- Security findings and chain data: Retained within your tenant for the duration of your subscription. Upon account termination, this data is included in the 30-day export window and then deleted.
- Audit logs: Retained for 12 months after account deletion for security, compliance, and dispute-resolution purposes.
- Communications and support inquiries: Retained for as long as necessary to resolve your inquiry and for a reasonable period thereafter for quality assurance and legal compliance.
- Automatically collected data: Server logs and usage data are retained for up to 12 months for operational and security purposes, then aggregated or deleted.
Where retention is required by applicable law or necessary to resolve disputes or enforce our agreements, we may retain certain information beyond these periods.
7. Data Security
We implement technical and organizational measures designed to protect your Personal Information against unauthorized access, loss, misuse, alteration, and destruction. These measures include:
- Encryption in transit using TLS 1.2 or higher for all connections
- Encryption at rest using AES-256 for stored data
- Row-level security at the database layer for tenant data isolation
- Authentication via bcrypt-hashed passwords (cost factor 12) with optional TOTP-based multi-factor authentication
- Session tokens stored in httpOnly secure cookies — never in browser localStorage or sessionStorage
- Read-only cross-account access to your cloud infrastructure — we cannot modify your resources
- Secrets and API keys stored in a dedicated secrets management service, not in environment variables or source code
- Web application firewall (WAF) protection on all public-facing endpoints
- All compute resources operate within private network subnets with no direct internet exposure
- Regular security assessments and dependency scanning of our own platform
While we strive to protect your Personal Information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and we encourage you to protect your own account credentials and to enable multi-factor authentication.
8. Use of Cookies
VigilChain uses cookies in the following limited manner:
- Strictly necessary cookies: We use httpOnly secure cookies to manage authentication sessions. These cookies are essential for the Services to function and cannot be disabled. They contain encrypted session tokens and do not track your browsing activity across other websites.
- Refresh token cookies: A separate httpOnly cookie, scoped to the authentication refresh endpoint, manages session renewal. This cookie is not accessible to JavaScript and is not sent with requests to other endpoints.
We do not use third-party advertising cookies, social media tracking pixels, or analytics cookies that track your activity across other websites. We do not participate in cross-site behavioral advertising. For a complete list of cookies we use, please see our Cookie Policy.
9. Your Rights Regarding Your Personal Information
Depending on your jurisdiction, you may have some or all of the following rights regarding your Personal Information:
- Right of access: You may request confirmation of whether we process your Personal Information and, if so, request a copy of that information.
- Right to rectification: You may request correction of inaccurate Personal Information we hold about you.
- Right to erasure: You may request deletion of your Personal Information when it is no longer necessary for the purposes for which it was collected, or when the information is incorrect.
- Right to restrict processing: You may request that we restrict certain processing of your Personal Information under specific circumstances.
- Right to data portability: You may request a copy of your Personal Information in a structured, commonly used, machine-readable format.
- Right to object: You may object to certain processing of your Personal Information, including processing for direct marketing purposes.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing performed before withdrawal.
To exercise any of these rights, please contact us at privacy@vigilchain.com. We will take appropriate steps to verify your identity before processing your request and will respond within the timeframe required by applicable law.
Opting Out of Communications
You may opt out of non-essential communications (such as product updates or announcements) at any time by using the unsubscribe link in any such email or by contacting us at privacy@vigilchain.com. Transactional communications related to your account, security alerts, and service notifications are not subject to opt-out, as they are necessary for the operation of the Services.
10. International Data Transfers
VigilChain is based in the United States and processes data in the United States. If you are located outside the United States, your Personal Information will be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers as required by applicable law, including standard contractual clauses approved by the European Commission where applicable.
11. Children's Privacy
The Services are not intended for individuals under the age of eighteen (18). We do not knowingly collect or receive Personal Information from children under the age of eighteen (18). If you are under the age of eighteen (18), you should not use the Services or provide any Personal Information to us. If we learn that we have collected Personal Information from a child under the age of eighteen (18), we will take steps to delete that information promptly. If you believe a child has provided Personal Information to us, please contact us at privacy@vigilchain.com.
12. EEA and GDPR Supplement
If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, this section provides additional information about how we process your Personal Information (referred to as "personal data" under the GDPR) and the legal bases for that processing.
Legal Bases for Processing
We process your personal data on the following legal bases:
- Performance of a contract: Processing necessary to provide the Services to you, including account management, finding ingestion, chain discovery, and risk scoring.
- Legitimate interests: Processing necessary for our legitimate interests, including improving the Services, ensuring platform security, preventing fraud, and conducting analytics. We balance these interests against your rights and do not process personal data where your interests override ours.
- Consent: Processing based on your explicit consent, such as participation in surveys, early access programs, or optional communications. You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with applicable legal requirements.
Data Controller
VigilChain, Inc. is the data controller for Personal Information collected through the Site and in connection with account registration. When processing security findings and infrastructure data submitted by customers through the Services, VigilChain acts as a data processor on behalf of the customer (the data controller).
Supervisory Authority
If you are located in the EEA, the United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates applicable law.
Data Privacy Framework
VigilChain is committed to complying with applicable data transfer frameworks, including the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom (and Gibraltar), and Switzerland to the United States.
13. California Privacy Notice
This California Privacy Notice supplements the information in this Privacy Policy and applies solely to residents of the State of California, in accordance with the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA").
Categories of Personal Information Collected
The categories of Personal Information we collect are described in Section 1 above and include: identifiers (name, email, IP address), commercial information (subscription and billing records), internet or network activity (usage data, log data), professional or employment-related information (job title, organization), and inferences drawn from the above (such as account preferences).
How We Use and Share Personal Information
Our use of Personal Information is described in Section 2 above. Our sharing practices are described in Section 5. We do not sell Personal Information. We do not share Personal Information with third parties for cross-context behavioral advertising.
Your California Privacy Rights
As a California resident, you have the following rights under the CCPA/CPRA:
- Right to know: You may request disclosure of the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of Personal Information we have collected from you, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate Personal Information.
- Right to opt out of sale or sharing: We do not sell Personal Information or share it for cross-context behavioral advertising. No opt-out action is required.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise your California privacy rights, please contact us at privacy@vigilchain.com. We will verify your identity before processing your request and will respond within the timeframe required by applicable California law.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will notify you of material changes by posting the updated policy on this page and updating the effective date. For material changes that significantly affect how we process your Personal Information, we will provide additional notice by email or through the Services at least 30 days before the changes take effect. Your continued use of the Services after changes become effective constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us at:
VigilChain, Inc.
Email: privacy@vigilchain.com
Web: www.vigilchain.com/contact
For security vulnerability reports, please contact security@vigilchain.com.