Last Updated: May 6, 2026
This Privacy Policy describes how Eureka DevSecOps Inc. (“Eureka”, “we”, “us”, or “our”) collects, uses, discloses, and protects information when you use our Application Security Posture Management (ASPM) platform and related services (collectively, the “Service”). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
We are committed to maintaining the highest standards of data privacy and security, particularly given the sensitive nature of vulnerability data and source code analysis that our platform performs.
Interpretation and Definitions
Account: A unique account created for you to access our Service.
Active Contributing User: A user who commits code to repositories being scanned during a billing period.
Company: Refers to Eureka DevSecOps Inc., the data controller responsible for your personal data.
Device: Any device that can access the Service such as a computer, mobile device, or tablet.
Personal Data: Information that relates to an identified or identifiable individual.
Repository Data: Source code, configuration files, and related technical data from code repositories integrated with our Service.
Service: The Eureka DevSecOps ASPM platform, including the web application, CLI tools, and associated APIs.
Usage Data: Data collected automatically through use of the Service.
Vulnerability Data: Security findings, scan results, and related metadata generated by security analysis tools.
You: The individual accessing or using the Service, or the organization on whose behalf such individual is acting.
Data we collect
Account and Authentication Data
When you create an account or authenticate with the Service, we collect:
- Name and email address
- OAuth authentication tokens from GitHub, Google, or Microsoft
- GitHub username and repository access permissions
- Organization affiliations and team memberships
Repository and Source Code Data
To perform security analysis, we process:
- Source code files from connected repositories
- Configuration files and dependency manifests
- Repository metadata (names, URLs, branches, commit information)
- File paths and directory structures
- Code snippets containing identified vulnerabilities
Vulnerability and Security Analysis Data
Our Service generates and stores:
- Security vulnerability findings and descriptions
- Common Weakness Enumeration (CWE) classifications
- OWASP Application Security Verification Standard (ASVS) mappings
- Severity ratings and risk assessments
- Scan history and audit trails
- Vulnerability state changes and remediation tracking
- Raw scanner output from integrated security tools
Usage Data
We automatically collect:
- IP addresses and browser information
- Device identifiers and operating system details
- Pages visited and features used within the Service
- Time and date of access
- Diagnostic and performance data
Data We Do NOT Collect
- We do not collect or store payment card information (processed through third-party payment processors)
- We do not use customer data, source code, repository contents, or vulnerability findings to train AI models, with or without anonymization
- We do not collect biometric data, health information, or sensitive personal identifiers
- We do not track browsing activity outside our Service
How we use your data
Service Provision
We use collected data to:
- Perform security analysis and vulnerability scanning of your source code
- Generate AI-powered OWASP ASVS mappings for identified vulnerabilities
- Provide enhanced vulnerability descriptions and remediation guidance
- Maintain scan history and vulnerability tracking
- Enable integration with GitHub and other development platforms
- Generate reports and export vulnerability data
AI Processing
We use AI services to:
- Map vulnerabilities to OWASP ASVS security categories
- Refine vulnerability titles and descriptions for clarity
- Provide contextual remediation guidance
Important: Our AI processing uses caching for known vulnerabilities and processes data through secure, privacy-preserving APIs. We do not use customer source code or vulnerability data to train AI models.
Account Management
We use your information to:
- Manage your account and authentication
- Process billing and subscriptions
- Send service updates and security notifications
- Respond to support requests
Service Improvement
We analyze anonymized usage data to:
- Monitor and improve platform performance
- Identify and fix technical issues
- Develop new features and capabilities
- Enhance security scanner integration and accuracy
Data storage and security
Data Location
Your data is stored on secure cloud infrastructure provided by Microsoft Azure. Data processing and storage occur in data centers that comply with industry-standard security certifications. For customers requiring specific data residency, we offer options to store data in their own Azure cloud environment through our hybrid deployment model.
Security Measures
We implement robust security measures including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest for stored data
- Multi-factor authentication support
- Regular security audits and penetration testing
- Role-based access controls and least-privilege principles
- Continuous monitoring and incident response procedures
Note: While we employ industry-leading security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable safeguards.
Data Retention
We retain data as follows:
- Account Data: Retained while your account is active and for 90 days after account closure
- Vulnerability Data: Retained for the duration of your subscription plus 90 days
- Scan History: Retained according to your subscription plan; typically 90 days of history
- Usage Data: Retained for up to 24 months for analytics and service improvement
- Legal/Compliance Records: Retained as required by applicable law
You may request deletion of your data at any time by contacting us at [email protected].
Data sharing and disclosure
Third-Party Service Providers
We share data with limited third-party service providers who assist in operating our Service:
- Cloud Infrastructure: Microsoft Azure (data hosting and processing)
- AI Services: OpenAI API (vulnerability analysis and ASVS mapping). Data sent to OpenAI is governed by their API terms, which prohibit training on customer-submitted data and limit retention to 30 days for abuse monitoring.
- Authentication: GitHub, Google, Microsoft OAuth providers
- Payment Processing: Stripe (we do not store payment card information)
All service providers are contractually obligated to protect your data and use it only for the purposes we specify. They are prohibited from selling or otherwise disclosing your data to third parties.
Legal Requirements
We may disclose your data if required by law or in the good-faith belief that such action is necessary to:
- Comply with legal obligations or respond to valid legal requests
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users or the public
Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
No Sale of Personal Information
We do not sell, rent, or trade your personal information to third parties for monetary consideration. We do not share your vulnerability data, source code, or security findings with any third party except as explicitly described in this Privacy Policy.
Your rights and choices
Access and Correction
You have the right to access and update your personal information. You can review and modify your account details through the Service interface or by contacting us at [email protected].
Data Portability
You can export your vulnerability data and scan results in machine-readable formats (PDF, JSON, SARIF) directly through the Service.
Deletion
You may request deletion of your account and associated data at any time. Upon request, we will delete your data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).
Marketing Communications
You may opt out of marketing communications by following the unsubscribe link in any marketing email or by adjusting your notification preferences in your account settings. You cannot opt out of essential service communications (security alerts, billing notifications).
Do Not Track
Our Service does not respond to Do Not Track (DNT) browser signals. We do not track your browsing activity across third-party websites.
Canadian Privacy Compliance
As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). If you believe your privacy rights have been violated, you may file a complaint with the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376.
Geographic Availability
The Service is intended for use by businesses and individuals located in Canada, the United States, and other jurisdictions outside the European Economic Area (EEA), the United Kingdom, and Switzerland. We do not actively market or offer the Service to data subjects in the EEA, UK, or Switzerland, and we have not appointed a representative under Article 27 of the GDPR. If you are located in the EEA, UK, or Switzerland, please do not use the Service.
CCPA
This privacy notice section for California residents supplements the information contained in our Privacy Policy and applies solely to visitors, users, and others who reside in the State of California.
Categories of Personal Information Collected
In the preceding 12 months, we have collected:
- Identifiers: Name, email address, IP address, account name
- Commercial Information: Subscription and service usage records
- Internet Activity: Interaction with our Service, browsing behavior within the platform
- Professional Information: Employment-related data (if provided), repository access information
Your California Rights
California residents have the right to:
- Know: Request disclosure of categories and specific pieces of personal information collected
- Delete: Request deletion of your personal information (subject to exceptions)
- Opt-Out: Opt out of the sale or sharing of personal information (we do not sell personal information)
- Correct: Request correction of inaccurate personal information
- Limit Use: Limit the use and disclosure of sensitive personal information
- Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
Exercising Your Rights
To exercise these rights, contact us via:
- Email: [email protected]
- Mail: 555 W Hastings St #1200, Vancouver, BC V6B 4N6, Canada
We will respond to verifiable requests within 45 days. You may designate an authorized agent to make requests on your behalf by providing written authorization.
Children’s Privacy
The Service is intended for business users and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it promptly. If you believe we may have collected information from a child under 16, please contact [email protected].
Cookies and Tracking
We use cookies and similar tracking technologies to enhance Service functionality, analyze usage patterns, and maintain session security.
Types of Cookies We Use
- Essential Cookies: Required for authentication and core Service functionality
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how you use the Service (anonymized)
You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.
Third-Party Links and Integrations
Our Service integrates with third-party platforms (GitHub, Microsoft, Google) through OAuth authentication. When you connect these services, you are subject to their respective privacy policies. We encourage you to review the privacy policies of any third-party services you connect to our platform.
We are not responsible for the privacy practices of third-party services, even when accessed through our Service.
Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law. Notification will be provided without undue delay and will include:
- Description of the breach and affected data
- Potential consequences
- Measures taken to address the breach
- Recommended actions for affected users
Where required by applicable law, we will notify the relevant regulatory authority within the timeframes prescribed by that law.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes via:
- Email notification to your registered email address
- Prominent notice within the Service
- Updated “Last Updated” date at the top of this policy
We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
Privacy Officer
Email: [email protected]
Eureka DevSecOps Inc.
555 W Hastings St #1200
Vancouver, BC V6B 4N6
Canada