CipherM is solo-founded and pre-Enterprise. We're honest about what's in place today vs in flight. Reach the founder at legal@cipherm.io to start a procurement conversation.
Subprocessors are the third-party services that may receive customer data in the course of providing CipherM. Email privacy@cipherm.io to subscribe to change notifications.
Where is data stored?
CBOM artifacts, metadata, and account data are stored on CipherM's managed application host (US region) with automated off-host backups. Vercel serves static marketing assets only. Stripe holds billing data only while a Pro subscription is active. The subprocessor list above is updated before any new subprocessor receives customer data.
Is data encrypted?
In transit: HTTPS/TLS everywhere. At rest: provider-managed disk encryption on the application host, with automated off-host backups. Note that disk encryption protects against loss or theft of the underlying storage, not against access through the application or database itself; application-level encryption for private CBOMs, which would address that case, is on the roadmap.
Can we self-host?
Not yet for the registry. The OSS cipherm-scan CLI is fully self-hostable today (Apache-2.0). A self-hosted registry is a Year 2 Enterprise option.
Do you process PII?
Email addresses (waitlist, account login). Optional CBOM uploader account name. No PII in CBOM artifacts themselves — those contain only your code's cryptographic patterns.
How are incidents disclosed?
Per the security policy at /security: vulnerability reports are acknowledged within 72 hours, fixes ship within 30/90 days per that policy's severity tiers, and reporters receive public credit on the changelog and in the security advisory.
What's your retention policy?
Server logs: 30 days. Public CBOMs: indefinite (deletable on request). Waitlist: until you ask us to forget you. Account data: until account deletion + 30-day grace.
Email legal@cipherm.io with your standard questionnaire or DPA template attached. Typical turnarounds: DPA in 3 business days, SIG-Lite / CAIQ in 5.