Privacy Policy

How Cloudryption collects, uses, and protects your personal data.

Effective date: May 2026  ·  Applies to: cloudryption.com and the Cloudryption platform

1. Who We Are

Cloudryption is an enterprise cloud security platform that helps organisations model cloud infrastructure risk, identify attack paths, and prioritise security remediation. Cloudryption operates within the European Union.

For the purposes of the General Data Protection Regulation (GDPR) (EU) 2016/679, Cloudryption is the Data Controller for personal data processed in connection with the cloudryption.com website and the Cloudryption platform.

Contact: contact@cloudryption.com

2. Data We Collect

We collect only the personal data necessary to provide and secure the platform. The categories we process are:

Account data — collected when you register for the Cloudryption platform:

  • Email address (used as the primary account identifier)
  • Username or display name
  • Hashed password (bcrypt — the plaintext password is never stored or logged)
  • Time-based one-time password (TOTP) secret, if you enrol multi-factor authentication
  • Email verification token (short-lived, used once to confirm your address)
  • Account creation timestamp and last-login timestamp

Contact and enquiry data — collected when you submit a contact form, request a demo, or book a pilot discussion:

  • Full name
  • Work email address
  • Company or organisation name (optional)
  • Inquiry type (e.g. demo request, pricing, support)
  • Message body

Technical and operational data — collected automatically when you use the website or platform:

  • IP address and request path (in server access logs)
  • HTTP request method, status code, and response size
  • User-agent string (browser/client type)
  • Timestamps of API requests
  • Session tokens (JSON Web Tokens, stored client-side)

We do not collect payment card data, government identity numbers, health data, or any special-category data under GDPR Art. 9.

3. Legal Basis for Processing

We rely on the following legal bases under GDPR Art. 6:

  • Performance of a contract (Art. 6(1)(b)) — processing your account data (email, username, password hash, TOTP secret) is necessary to provide you with access to the Cloudryption platform and to authenticate your identity on each request.
  • Legitimate interests (Art. 6(1)(f)) — processing technical and operational logs (IP addresses, request metadata, timestamps) is necessary for the security, reliability, and integrity of the platform. Our legitimate interest is the prevention of unauthorised access, detection of abuse, and diagnosis of service issues. This processing does not override your fundamental rights.
  • Consent (Art. 6(1)(a)) — when you voluntarily submit a contact form or demo request, you consent to us processing the data you provide in order to respond to your enquiry. You may withdraw consent at any time by contacting us at contact@cloudryption.com.

4. How We Use Your Data

  • Authentication — to verify your identity on login and on each authenticated API request using signed JWTs.
  • Email verification — to confirm your email address is valid and that you control it before activating your account.
  • Multi-factor authentication — if you enrol TOTP, your TOTP secret is used to verify one-time codes at login.
  • Responding to enquiries — contact and demo form submissions are forwarded to the Cloudryption team by email so that we can respond to your request.
  • Security monitoring — request logs are used to detect anomalous behaviour, brute-force attempts, and service abuse.
  • Service operation and improvement — aggregate, non-identifying metrics derived from operational logs help us understand platform health and improve reliability.

We do not use your personal data for advertising, behavioural profiling, or sale to third parties.

5. Data Retention

  • Session tokens (JWTs) — expire automatically after a short period of inactivity or on explicit logout. They are invalidated server-side and are not persisted in the database beyond their TTL.
  • Email verification tokens — single-use tokens are invalidated immediately upon successful verification and are not retained after expiry.
  • Server access logs — retained for a rolling period (default 90 days) for security and diagnostic purposes, then deleted automatically.
  • Contact and enquiry submissions — retained for a reasonable business period necessary to respond to and manage the enquiry, and then deleted. You may request earlier deletion (see §9).
  • Account data — retained for the lifetime of your account. If you request account deletion, your personal data is removed within 30 days, except where retention is required by applicable law.

6. Third-Party Processors

Cloudryption uses a limited number of third-party service providers to operate the platform. Each processor is bound by data processing agreements and is permitted to use your data only as directed by us.

  • Email delivery — transactional emails (account verification, enquiry notifications) are sent via an SMTP relay or Amazon Web Services Simple Email Service (AWS SES). These providers receive the recipient email address and email content necessary to deliver the message.

We do not sell, rent, or trade personal data. We do not share personal data with advertising networks, data brokers, or analytics platforms.

If data is transferred outside the European Economic Area (EEA) — for example, to AWS infrastructure — the transfer is protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

7. Cookies and Session Storage

Cloudryption uses a minimal set of browser-side storage mechanisms strictly necessary to operate the platform:

  • Authentication token (session JWT) — stored in browser local storage or a session cookie to maintain your logged-in state across page loads. This token expires automatically and is cleared on logout.

We do not use advertising cookies, tracking pixels, cross-site trackers, or analytics cookies. No third-party scripts that set cookies are loaded on the platform.

Because we use only strictly necessary storage, we do not present a cookie consent banner. If you disable cookies and local storage in your browser, authentication will not function.

8. Data Security

We apply appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit — all communication between your browser and the platform uses TLS (HTTPS). Non-TLS connections are rejected in production.
  • Password hashing — passwords are hashed using bcrypt before storage. The plaintext password is never written to disk, logs, or databases.
  • Multi-factor authentication — TOTP-based MFA is available to all accounts to provide a second layer of authentication security.
  • JWT expiry and invalidation — session tokens have short expiry times and are invalidated on logout to limit the window of exposure if a token is intercepted.
  • Access control — platform access is enforced by role-based authorisation on every API endpoint. Unauthenticated requests cannot access user data or platform resources.
  • Dependency scanning — the platform runs automated vulnerability scanning on its software dependencies as part of the build pipeline.

No system can guarantee absolute security. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33, and affected individuals where required by Art. 34.

9. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights. You may exercise any of these rights by contacting us at contact@cloudryption.com.

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification (Art. 16) — you may request that inaccurate or incomplete personal data is corrected.
  • Right to erasure / "right to be forgotten" (Art. 17) — you may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent (for consent-based processing), or where processing is unlawful.
  • Right to data portability (Art. 20) — where processing is based on your consent or on a contract, and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format.
  • Right to restriction of processing (Art. 18) — you may request that we restrict processing of your data in certain circumstances, such as while a dispute about accuracy is resolved.
  • Right to object (Art. 21) — you may object at any time to processing based on our legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights related to automated decision-making (Art. 22) — Cloudryption does not make decisions about individuals solely by automated means that produce legal or similarly significant effects. This right is therefore not applicable to our current processing.

10. How to Exercise Your Rights

To exercise any of the rights described above, or to ask a question about this policy, please contact us by email:

Email: contact@cloudryption.com

We will respond to your request within 30 days of receipt, as required by GDPR Art. 12. We may ask you to verify your identity before processing a request that relates to personal data. We will not charge a fee for reasonable requests.

If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement. A list of national supervisory authorities is maintained by the European Data Protection Board (EDPB).

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the effective date shown at the top of this page.

If we make material changes that significantly affect how we process your personal data, we will provide notice through the platform or by email to registered users where appropriate.

Your continued use of the Cloudryption platform or website after the updated policy takes effect constitutes acceptance of the revised terms. If you do not agree with the updated policy, please discontinue use of the platform and contact us to request deletion of your account.