Trust Center
Security, compliance, and data handling at Cygent.
The single source for evaluating Cygent's security posture. Procurement teams, security reviewers, and compliance reviewers — everything you need to decide whether Cygent meets your bar lives on this page or behind an NDA available on request.
Last updated June 1, 2026
Attestations & coverage
Request documentsSOC 2 Type 2
Audited against the AICPA Trust Services Criteria. Report available under NDA.
Request reportIndependent Pentest
Grey-box engagement on container isolation and multi-tenant boundaries. All findings remediated as of May 31, 2026.
Request letterGDPR · UK · Swiss · CCPA
Data Processing Agreement incorporates EU SCCs (Modules Two and Three), UK IDTA, and Swiss FDPIC amendments.
Request DPAUS Data Residency
Customer data hosted in the US. Infrastructure on OVHcloud, Vercel, and PlanetScale — all US regions.
No Model Training Policy
Customer data is never used to train AI models.
Cygent does not use, and does not permit its sub-processors to use, customer data — including smart contract code, findings, prompts, completions, or embeddings — to train, fine-tune, or otherwise improve any generally available models. This commitment is enforced at three layers:
01
OpenRouter account-level setting
Our OpenRouter account restricts routing to providers that do not log or train on input data. Customer requests are never routed to a training-eligible endpoint.
02
Application-layer enforcement
Every CARA inference request is sent with the `provider.data_collection: "deny"` parameter — defense in depth against routing changes upstream.
03
Direct-provider contracts
Anthropic and OpenAI commit by contract not to train on data submitted through their APIs. Cygent does not opt into any model-improvement programs.
Security posture
How Cygent handles data, access, and incidents — at the layers that matter to procurement and security review teams.
Per-customer isolation
Each customer receives a dedicated, containerized instance with its own database, queue, and configuration.
No shared tenancy. Customer data is never co-located at the storage layer.
Encryption
AES-256-GCM at the application layer for integration tokens. Storage volumes additionally encrypted by underlying providers.
TLS 1.2+ for all external connections. Secrets managed via 1Password and Varlock; out of source control.
GitHub App permission ceiling
Cygent can open PRs, post review comments, and create issues on customer-selected repos only.
Cygent cannot merge PRs, push to protected branches, modify repository settings, or access repos not explicitly granted.
Battle Mode sandbox isolation
Each red-team / blue-team battle runs in its own ephemeral sandbox. Contracts, state, and keys are scoped to that run.
Local Anvil mode has no outbound network access. State is torn down after the battle completes.
Incident response
Documented incident response procedures.
72-hour customer notification SLA on any Personal Data Breach.
Personnel security
Background screening where permitted by law. Confidentiality obligations in employment and contractor agreements.
Security and privacy training on hire and periodically thereafter. Periodic access reviews.
Data Residency
Customer data is hosted in the United States.
The three load-bearing infrastructure sub-processors — OVHcloud, Vercel, and PlanetScale — are all US-hosted. Transfers from the EU, UK, and Switzerland to LLM inference providers and customer-connected integrations are covered by the EU SCCs, UK IDTA, and Swiss FDPIC amendments in the DPA.
Sub-processors
The current list of sub-processors that process customer data on Cygent's behalf. Cyfrin provides 30 days' notice before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure | ||
| OVHcloud | Hosting of per-Organization instances, orchestrator, and agent containers | United States |
| Vercel | Control-plane web application; application logs and analytics | United States |
| Managed database | ||
| PlanetScale | PostgreSQL hosting for platform and agent data | United States |
| LLM aggregation | ||
| OpenRouter | Unified API routing for inference, configured to restrict routing to non-training providers | United States |
| LLM inference | ||
| Anthropic | Claude model family for analysis, validation, and exploit generation | United States |
| OpenAI | GPT-5 family for analysis, validation, report generation, and text embeddings | United States |
| Moonshot AI | Kimi K2.5 — opt-in only, engaged when customer explicitly selects this model | Varies |
| Authentication | ||
| GitHub / Google | OAuth identity providers (customer chooses which to connect) | United States |
| Transactional email | ||
| Resend | Account and Service notifications | United States |
| Meeting-bot recording | ||
| Recall.ai | Joining customer-invited Meet, Zoom, Teams calls — opt-in only | United States |
Procurement Packet
Need SOC 2, the pentest letter, the DPA, or our architecture diagrams?
Request the full packet under NDA — typically delivered within one business day. Reach out from a procurement or security review email and we'll send the full bundle.