1 Who We Are
CyberLetics ("we", "our", "us") is a cybersecurity software-as-a-service platform designed for Indian small and medium enterprises (SMEs). We are the Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 for all personal data processed through our platform.
Data Fiduciary Contact
Email: team@cyberletics.com
Platform: cyberleticss.netlify.app
Jurisdiction: India
2 Data We Collect
2.1 Account & Organisation Data
When you sign up, we collect:
- Full name and email address
- Organisation name and GST number (optional — used for DPDPA compliance scoring)
- Password (stored as a bcrypt hash — never in plain text)
- Role within the organisation (OWNER, ADMIN, or VIEWER)
- Subscription plan and trial status
2.2 Usage & Operational Data
We automatically collect:
- Login timestamps and session metadata
- API request logs (IP address, endpoint path, HTTP status code, response time) — retained 30 days
- Error events sent to Sentry (anonymised stack traces — no personal data)
- Security score history and compliance status changes
2.3 Team & Invitation Data
When you invite team members, we temporarily store their email addresses and invitation tokens (valid for 48 hours). Uninvited tokens are automatically deleted.
3 Device Agent Data
The CyberLetics Device Agent is a lightweight program installed by your IT administrator on company-owned devices. It periodically sends a telemetry report to our API. The agent only runs on devices you explicitly enrol.
| Data field | What it is | Purpose |
|---|---|---|
| hostname | Device computer name | Device identification |
| ipAddress | Local network IP address | Network monitoring |
| macAddress | Network interface MAC address | Unique device fingerprint |
| os / osVersion | Operating system and version | Patch compliance tracking |
| deviceType | Workstation, Server, or Laptop | Inventory categorisation |
| antivirusInstalled | Whether antivirus software is present | Endpoint security score |
| firewallEnabled | Whether the host firewall is active | Endpoint security score |
| diskEncrypted | Whether full-disk encryption is enabled | Data protection score |
| pendingUpdatesCount | Number of OS updates waiting to install | Patch management |
| lastPatched | Date of last successful OS update | Patch compliance tracking |
The agent communicates using a SHA-256 hashed API key stored in C:\ProgramData\CyberLetics\config.json (Windows) or /etc/cyberletics/config.json (Linux/macOS). The raw API key is never stored on our servers.
3.1 File Scan Data
If your administrator configures file scanning, the agent can submit file hashes (not file contents) to the VirusTotal API for malware detection. We do not upload actual files; only cryptographic hashes (SHA-256) are transmitted. VirusTotal's own privacy policy governs that interaction.
3.2 Security Alert Data
The agent may send security event alerts (e.g., unauthorised login attempt, port scan detection) via a webhook. These alerts contain a title, description, severity level, and timestamp. No personal employee data is included in these payloads.
4 How We Use Your Data
- ✓To create and manage your organisation account and team memberships
- ✓To display your device inventory, security alerts, and compliance dashboard
- ✓To calculate your Security Score and DPDPA 2023 compliance status
- ✓To send transactional emails: account verification, password reset, alert escalations, weekly security digests, and report download notifications
- ✓To cross-reference your device software against the NIST National Vulnerability Database (NVD) for known CVEs
- ✓To detect and prevent fraud, abuse, and unauthorised access
- ✓To improve the platform using aggregated, anonymised usage patterns
5 Legal Basis for Processing
Under the DPDPA 2023, we process personal data on the following bases:
- Consent — you provide consent at account creation and when enrolling devices.
- Contractual necessity — processing is required to deliver the services you have subscribed to.
- Legitimate use — operational security (fraud prevention, uptime monitoring, error tracking).
- Legal obligation — compliance with applicable Indian law, including responding to lawful government requests.
You may withdraw consent at any time by requesting account deletion (see Section 10).
6 Data Retention
| Data type | Retention period |
|---|---|
| Account & organisation data | Until account deletion + 30 days |
| Device telemetry records | Until device is removed from organisation |
| Security alerts | 12 months (rolling) |
| API request logs | 30 days |
| Refresh tokens | 7 days (auto-purged daily) |
| Team invitation tokens | 48 hours (auto-purged) |
| Generated reports (PDF) | 90 days |
| Error/crash traces (Sentry) | 30 days |
Account deletion removes all personal data from active systems within 30 days. Backup copies are purged within 90 days of account closure.
7 Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Supabase on AWS in the ap-south-1 (Mumbai) region, keeping your data within India.
- All data in transit is encrypted with TLS 1.3
- Database connections use SSL and are scoped to the CyberLetics API server only
- Passwords are hashed with bcrypt (cost factor 12) — never stored in plain text
- API keys are stored as SHA-256 hashes — the raw key is shown once at creation and never stored
- Access tokens (JWT) expire after 15 minutes; refresh tokens expire after 7 days
- Database access is restricted to the API server and authorised engineering staff with MFA
Despite these measures, no method of electronic transmission or storage is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by applicable law.
8 Third-Party Services
We use the following sub-processors to operate the platform. We share only the minimum data necessary for each service to function.
| Service | Purpose | Data shared |
|---|---|---|
| Supabase / AWS (Mumbai) | PostgreSQL database hosting | All stored platform data |
| Render | Node.js API server hosting | API request payloads in transit |
| Netlify | Static frontend hosting (HTML/CSS/JS) | Browser IP (CDN logs only) |
| Resend | Transactional email delivery | Recipient email address, email content |
| Sentry | Error monitoring & crash reporting | Anonymised stack traces (no personal data) |
| Razorpay | Payment processing & subscription billing | Order amount, currency, plan tier. No card numbers are stored by CyberLetics. |
| Google Safe Browsing | URL threat detection in Website Scanner | Scanned URL only (no user identity or org data) |
| VirusTotal (Google) | File hash malware scanning | File SHA-256 hashes only (no file content) |
| NIST NVD API | CVE vulnerability data feed | No personal data — read-only public API |
Each of these providers maintains its own privacy policy and data processing agreements. We have entered into Data Processing Agreements (DPAs) with all sub-processors that handle personal data.
9 Cookies & Session Tokens
CyberLetics uses a minimal number of browser storage mechanisms:
-
HTTP-only Secure Cookie (refresh token)
A single HTTP-only, Secure, SameSite=Strict cookie stores your 7-day refresh token. It cannot be accessed by JavaScript. This is the only cookie we set.
-
sessionStorage (access token + user profile)
A short-lived JWT access token (expires in 15 minutes) and your basic profile (name, email, role) are stored in
sessionStorage. This data is automatically cleared when you close the browser tab.
We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookie services.
10 Your Rights Under DPDPA 2023
As a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the following rights:
Right to Access
Request a summary of the personal data we hold about you and how it has been processed.
Right to Correction
Request correction of inaccurate or incomplete personal data, including your name and email.
Right to Erasure
Request deletion of your account and all associated personal data. Processed within 30 days.
Right to Grievance Redressal
File a complaint with our Grievance Officer (see Section 13) and receive a response within 48 hours.
Right to Nominate
Nominate another individual to exercise these rights on your behalf in the event of death or incapacity.
Right to Withdraw Consent
Withdraw consent at any time. This will result in account closure and data deletion.
To exercise any of these rights, contact us via the Contact page or email team@cyberletics.com. We will respond within 72 hours.
11 Children's Privacy
CyberLetics is a business-to-business platform intended for use by organisations and their employees. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a child's data has been submitted, we will delete it promptly.
12 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all organisation owners for material changes
- Require re-acknowledgement of the policy on next login for significant changes
Continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.
13 Contact & Grievance Officer
For privacy questions, data requests, or to file a grievance under DPDPA 2023, please contact our Grievance Officer: