
Security at CybeDefend

How CybeDefend protects your code and your data: compliance posture, infrastructure, encryption, AI guardrails, and how to report a vulnerability.

Last updated [email protected]

We build a security product. We are held to the same standard as the customers we protect, and then some. This page is the single source of truth for how CybeDefend handles security at the platform layer.

If you spot something that looks wrong, write to [email protected]. We acknowledge inside 24 hours.

Our security stance

CybeDefend's product runs inside the AI coding agent loop. That means we sit on the path between a developer's prompt and a production deployment. We treat that responsibility as load-bearing. Our security posture is built around three commitments:

  1. Default deny. Every internal service authenticates and authorizes every request. No "internal-only" trust boundary, no shared-secret backdoor.
  2. Customer code is sacred. Source we receive is processed for the verdict, then dropped. It is never used to train any general-purpose model, by us or by our sub-processors.
  3. Honest verdicts. When we surface an issue we say why and how to fix it. When we can't verify, we don't page.

Compliance posture

SOC 2

Type II — audit in progress, controls in place

ISO 27001

Audit in progress, controls in place

GDPR · NIS2 · DORA

EU regulatory alignment

We align our control framework with SOC 2 Type II and ISO/IEC 27001 and the requirements of GDPR, NIS2 and DORA. Both certifications are currently in progress — controls are implemented and operating, the formal third-party audits are under way. Where a public attestation is available, we ship it on request to enterprise customers under NDA; write to our legal team.

We are an early-stage company; we publish what is in scope today, not aspirational claims. The state of our certifications evolves with the platform; ask us for the current letter of attestation before contracting.

Data residency

Customers select an EU or US data region at signup. The two regions are independent platforms: separate infrastructure, separate sub-processors, separate access controls.

  • EU region, primary tenant. Hosted on EU-resident infrastructure. EU-resident sub-processors only for the storage tier. Targeted at customers subject to GDPR, NIS2 or DORA.
  • US region, secondary tenant. Hosted on US infrastructure. Targeted at customers who require US data residency.

A current list of named sub-processors is published at /legal/subprocessors and updated when material changes occur. We notify enterprise customers in advance of any material change.

Encryption

  • In transit. TLS 1.2+ on every public endpoint. mTLS between internal services. HSTS preloaded on www.
  • At rest. AES-256 on every datastore: primary databases, object storage, backups.
  • Secrets. Customer API keys, OAuth tokens and webhook secrets are stored in a segmented secret manager with hardware-backed keys. Operators do not have read access to plaintext secrets.

Access control

  • Single sign-on for the CybeDefend team: Google Workspace with hardware-key MFA enforced.
  • Just-in-time access to production. No standing admin. Every elevated session is time-boxed, recorded, and reviewed.
  • Least privilege at the service layer. Each service is scoped to the smallest set of resources it needs. Lateral movement is constrained by network policy and by per-tenant key separation.
  • Customer-side, the platform supports SSO (SAML / OIDC) on the Enterprise plan, plus SCIM for user provisioning.

AI guardrails

CybeDefend's AI layer runs on open-weight Mistral-family models that we self-host on sovereign EU infrastructure (Scaleway). We do not call third-party AI APIs (Anthropic, OpenAI, Google AI, Cohere, Mistral La Plateforme, etc.). Customer Code, prompts and completions are processed exclusively on infrastructure CybeDefend operates.

  • No model training on your data. Customer Code, prompts and completions are not used to train any model — ours or anyone else's.
  • Zero retention beyond what is required to serve the request and to display the resulting findings in your dashboard.
  • Per-tenant scopes. No prompt or output crosses a tenant boundary inside our infrastructure.
  • Prompt allow-listing. The set of prompts the platform can issue is defined by us, not by users; agent prompts are sandboxed.
  • No outbound to external AI APIs. Network egress from the inference layer to third-party LLM providers is blocked at the infrastructure level.

When a customer connects CybeDefend to their own AI coding agent (Claude Code, Cursor, Windsurf, etc.) via our MCP server, that agent runs on the agent vendor's own infrastructure under the customer's contract with that vendor — CybeDefend's only role in that flow is answering tool calls back to our self-hosted inference layer.

How we handle your code

When you submit source code, configuration files or container images for analysis (collectively "Customer Code"):

  • We process the Customer Code only for the purposes of producing the security verdict you asked for.
  • We do not retain the raw Customer Code beyond the time required to produce the verdict, plus the short retention window required by your reporting plan (e.g., to display the issue in your dashboard).
  • We never use Customer Code to train any model, ours or our sub-processors'.
  • Cybe AutoFix patches are generated, verified against your tests, and shipped back to your repository. We do not mirror your repository long-term.

This is contractually backed by our Data Processing Addendum.

Monitoring & incident response

  • 24×7 telemetry on platform health, latency, error rates and authentication anomalies.
  • On-call rotation with paging on customer-impacting alerts.
  • Incident-response runbook with severity levels, communication paths and a 24-hour customer notification window for confirmed security incidents touching customer data.
  • Annual third-party penetration test of the production stack. Executive summary available under NDA.
  • Continuous internal security review of every service at the time it is deployed.

Sub-processors

The current list of named sub-processors and the data each one processes is published at /legal/subprocessors. We commit to 30 days' advance notice of any material change for enterprise customers.

Vulnerability disclosure

We welcome and reward responsible disclosure.

Scope: anything under cybedefend.com, eu.cybedefend.com, us.cybedefend.com, our public APIs, our MCP server, and the IDE extensions we publish under the CybeDefend organization.

Out of scope: social engineering, physical attacks, denial of service, third-party services hosted under our subdomains.

How to report:

  • Email [email protected].
  • PGP key fingerprint: published on request, ask in your first message.

We acknowledge inside 24 hours, triage inside 5 business days, and aim to remediate in line with severity. We do not pursue legal action against researchers acting in good faith within the scope above.

For coordinated disclosure timelines we follow a 90-day embargo by default; we will work with you on a faster timeline if a fix can be shipped sooner, or a slower one if user-side action is required.

Contact

Want to report a vulnerability?
