Privacy Policy
How we collect, use, store, and protect personal data in connection with our platform and marketing website
1. Data Controller
SNYFT s.r.o.
ICO: 24383732
Registered office: Brno, Czech Republic
Email:
Data Protection Officer:
SNYFT s.r.o. ("SNYFT", "we", "us", "our") operates the SNYFT Security Platform, a cloud-native Security Information and Event Management (SIEM) system. This Privacy Policy describes how we collect, use, store, and protect personal data in connection with our platform and marketing website (snyft.cz).
2. Categories of Data Collected
2.1 Account Data
When you register for or use the SNYFT platform, we collect:
- Full name
- Email address
- Company name and business details
- Role and job title (if provided)
- Password (stored as a cryptographic hash; we never store plaintext passwords)
2.2 Security Log Data
The core function of the SNYFT platform is to ingest, analyze, and correlate security events from your cloud infrastructure. Depending on your configured integrations, the following categories of log data may be processed:
- AWS CloudTrail management and data events
- VPC Flow Logs (network traffic metadata)
- DNS query logs
- Amazon GuardDuty findings
- Authentication events (login attempts, MFA events, session data)
- IP addresses (source and destination)
- AWS ARNs (Amazon Resource Names) identifying resources and principals
- Usernames and user identifiers
- Hostnames and domain names
- User agent strings
- Event timestamps and metadata
2.3 Usage Analytics
We collect anonymized usage data to improve the platform:
- Page views and navigation patterns
- Feature usage frequency
- Session duration
- Browser type and screen resolution
This data is aggregated and cannot be used to identify individual users.
2.4 Payment Data
Payment processing is handled entirely by Stripe, Inc. SNYFT does not store, process, or have access to your credit card numbers, bank account details, or other payment instrument data. We receive only:
- Confirmation of payment status
- Subscription plan and billing period
- Invoice history and amounts
3. Legal Basis for Processing
We process personal data on the following legal bases under the General Data Protection Regulation (GDPR):
| Legal basis | Processing activities |
|---|---|
| Contract performance (Art. 6(1)(b)) | Account creation, platform access, security monitoring services, billing |
| Legitimate interest (Art. 6(1)(f)) | Platform security improvements, fraud prevention, application error monitoring, security incident investigation |
| Legal obligation (Art. 6(1)(c)) | Tax record-keeping, regulatory reporting, compliance with court orders or lawful requests from authorities |
| Consent (Art. 6(1)(a)) | Optional threat intelligence integrations (HIBP, AbuseIPDB, Shodan), marketing communications |
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. AI Processing Disclosure
The SNYFT platform uses artificial intelligence to enhance security analysis. We distinguish between two modes of AI processing:
4.1 Platform-Managed AI
SNYFT uses Amazon Bedrock (deployed in the EU region) for the following automated processing:
- Threat analysis — Automated triage and severity assessment of security alerts
- Report narratives — Generation of human-readable executive summaries and compliance reports
- Investigation assistance — AI-guided analysis during security incident investigations
All platform-managed AI processing occurs within the EU. Data sent to Amazon Bedrock is subject to the AWS Data Processing Agreement and is not used by AWS to train or improve AI models.
4.2 Customer-Configured AI (BYOK)
Customers may optionally configure their own AI provider for enhanced analysis by supplying their own API key:
- OpenAI (if configured by the customer)
- Anthropic (if configured by the customer)
When a customer enables BYOK AI, selected data (such as alert summaries or log excerpts) is sent to the provider chosen by the customer. SNYFT does not control the data processing practices of these third-party providers. Customers are responsible for reviewing the privacy policies and data processing terms of their chosen BYOK provider.
4.3 No Automated Decision-Making
AI outputs within the SNYFT platform are advisory only. No automated decisions with legal or similarly significant effects are made solely on the basis of AI processing within the meaning of Article 22 of the GDPR. All critical security decisions (alert escalation, incident response, access revocation) require human confirmation.
5. Sub-Processors
SNYFT engages the following sub-processors for the provision of its services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure (compute, storage, database, networking, encryption) | EU (Germany) |
| Amazon Web Services, Inc. | Email delivery (SES) | EU (Germany) |
| Amazon Web Services, Inc. | AI model inference (Bedrock, platform-managed) | EU |
| Cloudflare, Inc. | CDN, bot protection, object storage | EU |
| Functional Software, Inc. (Sentry) | Application error monitoring | EU (Germany) |
| Stripe, Inc. | Payment processing | EU/US (PCI DSS compliant) |
| HaveIBeenPwned (Troy Hunt) | Email breach intelligence (optional, customer-activated) | UK |
| AbuseIPDB (Marathon Studios) | IP reputation intelligence (optional) | US |
| Shodan (Shodan.io) | IP intelligence (optional) | US |
The HIBP Pwned Passwords API is queried using a k-anonymity range model: the password is hashed with SHA-1 on our side, only the first five hexadecimal characters of the hash are sent to the service, and the service returns every known hash suffix sharing that prefix so that the comparison happens locally. Neither the password, its full hash, nor any email address is transmitted. This is a technical security measure and does not constitute sub-processing of personal data.
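The following is an added illustration of the k-anonymity range query described above; it is not SNYFT's own code. It hashes a password locally, sends only the five-character prefix, and matches the remaining 35 characters against the returned list. The sample response body and its counts are constructed so the example runs offline; the live endpoint `https://api.pwnedpasswords.com/range/{prefix}` and the `Add-Padding` request header are the public HIBP API, but the network fetcher is only wired in as an option and is never called here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # HIBP range queries take exactly the first 5 hex chars of the SHA-1

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6":
# one "SUFFIX:COUNT" line per known hash sharing that prefix. Only the third
# suffix is real (it belongs to SHA-1("password")); the other suffixes and all
# counts are made up for this example. Padded live responses also contain
# lines with count 0, which the parser below simply keeps as zero.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3
FF3C6C5C7D2D8A8E1E0B8F1C2D3E4F5A6B7:0
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Hash the password locally and split the hex digest into the
    prefix that leaves the machine and the suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {SUFFIX: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count or 0)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus
    according to the range fetched for its prefix (0 if absent)."""
    prefix, suffix = split_hash(password)
    counts = parse_range(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_from_sample(prefix: str) -> str:
    """Offline stand-in for the HIBP endpoint using the constructed body."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_from_hibp(prefix: str) -> str:
    """Live fetcher (not called in this example). The Add-Padding header asks
    HIBP to pad the response so its size does not leak the prefix's popularity."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"sent to HIBP: {prefix}   kept locally: {suffix}")
    print("breach count:", pwned_count("password", fetch_from_sample))
```

Only `prefix` ever appears in a request; the suffix comparison and the count lookup happen entirely in `pwned_count`, which is what makes the lookup k-anonymous with respect to the service.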
MaxMind GeoLite2 is a locally installed IP geolocation database. No data is sent to MaxMind at runtime. It is a technology component, not a sub-processor.
Customer-configured integrations (such as Jira, Slack, OpenAI, or Anthropic under BYOK) are initiated and controlled by the customer. These services act as the customer’s own processors and are not SNYFT sub-processors. Customers are responsible for their own data processing agreements with these providers.
6. Data Retention
Data retention periods depend on the customer’s subscription tier:
| Tier | Hot Storage (Searchable) | Cold Archive | Total Maximum Retention |
|---|---|---|---|
| Trial | 14 days | None | 14 days |
| Start | 90 days | 18 months | 18 months |
| Professional | 180 days | 18 months | 18 months |
| Enterprise | Custom (per contract) | Minimum 18 months | Per contract |
Cold archive storage provides long-term retention for compliance purposes (e.g., NIS2 Directive, Czech Act on Cybersecurity). Archived data can be restored to searchable storage upon request.
Account data is retained for the duration of the customer relationship and for a period of 3 years thereafter for legitimate business and legal purposes, unless a shorter period is requested.
Trial accounts that are not converted to a paid plan are frozen after 14 days and permanently deleted after 45 days, including all associated data.
7. International Data Transfers
7.1 Default: EU-Only Processing
By default, all customer data is processed and stored exclusively within the European Union, specifically in the AWS eu-central-1 (Frankfurt, Germany) region. This includes compute, database, storage, and AI inference workloads.
7.2 Non-EU Sub-Processors (Optional)
Certain optional threat intelligence integrations involve data transfers to non-EU countries:
- HaveIBeenPwned (UK): Post-Brexit, the UK is covered by an EU adequacy decision.
- AbuseIPDB (US) and Shodan (US): Transfers are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, as applicable.
These integrations are optional and are only activated when explicitly enabled by the customer.
7.3 Customer-Configured Transfers
When a customer configures BYOK AI integrations (OpenAI, Anthropic) or third-party tools (Jira, Slack), data may be transferred to locations determined by the customer’s configuration. These transfers are initiated by the customer and fall under the customer’s own responsibility as data controller.
8. Security Measures
SNYFT implements comprehensive technical and organizational measures to protect personal data, including but not limited to:
- Encryption at rest and in transit using industry-standard cryptographic algorithms (AES-256, TLS 1.2+)
- Logical tenant isolation at the database level, ensuring strict separation of customer data
- Role-based access control (RBAC) with multi-factor authentication (MFA) available on all subscription tiers
- Comprehensive audit logging of all administrative actions and data access events
- Regular security assessments, including vulnerability scanning and code review
- Incident response procedures with defined escalation paths and notification timelines
- Data minimization principles applied to all processing activities
- Secure software development lifecycle with automated security testing
9. Data Subject Rights
Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of your personal data and information about its processing |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") |
| Restriction (Art. 18) | Request limitation of processing of your personal data |
| Portability (Art. 20) | Receive your personal data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
To exercise any of these rights, contact our Data Protection Officer at .
We will respond to your request within 30 days. If we need more time (up to an additional 60 days for complex requests), we will inform you of the extension and reasons within the initial 30-day period.
10. Cookies
The SNYFT platform uses only essential cookies required for its operation:
| Cookie | Purpose | Type |
|---|---|---|
| Session cookie | User authentication and session management | httpOnly, Secure, SameSite |
| CSRF token | Cross-site request forgery protection | httpOnly, Secure, SameSite |
We do not use analytics cookies, marketing cookies, or third-party tracking cookies. No cookie consent banner is required because we use only strictly necessary cookies as defined under Article 5(3) of the ePrivacy Directive (2002/58/EC).
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Material changes: We will provide at least 30 days’ advance notice via email to the account owner’s registered email address before material changes take effect.
- Non-material changes: Minor clarifications or formatting updates may be made without advance notice.
- Version history: A version history of this policy is maintained and available upon request.
We encourage you to review this Privacy Policy periodically. Your continued use of the SNYFT platform after the effective date of a revised policy constitutes acceptance of the changes.
12. Contact Information
For questions about this Privacy Policy or our data processing practices:
SNYFT s.r.o.
Email:
Data Protection Officer:
Supervisory Authority:
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Czech Data Protection Office:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
Website: www.uoou.cz
Email: posta@uoou.cz
This Privacy Policy is effective as of 21 March 2026.