I. Who are we?

Cygrid GmbH (“Cygrid”) is a provider of cybersecurity software products and services. The object of the company is the development, operation, marketing, and distribution of software products, as well as consulting services, especially in the field of cybersecurity. This privacy policy will help you to understand how we collect and use your personal data on this website and in our app and during the course of our business.

Responsible for the processing of your data is: Cygrid GmbH, Fregestr. 38 A, 12161 Berlin, Germany, e-mail: info@cygrid.io

Contact details of our Data Protection Officer are: ISiCO GmbH, Am Hamburger Bahnhof 4, 10557 Berlin, Germany, e-mail: privacy@cygrid.io. Please note: emails sent to this address are not read exclusively by our Data Protection Officer. For confidential matters, please request direct contact first.

II. Data Processing on our website and for our business
1. Visiting our Website

Each time you visit our website, we process data that your browser automatically transmits to enable you to open the website. This includes the so-called HTTP header information, in particular: IP address of the requesting device; date and time; address of the requested website and path of the requested file; if applicable, the previously accessed website/file (referrer); information about the browser and operating system used; request information such as language, type of content, encoding of content, character sets.

The processing of this data is necessary to enable the visit to the website, to ensure the permanent operability and security of our systems, as well as for non-personal statistics on website visits and the general administrative maintenance of our website. The data is stored temporarily in internal log files for the purposes described above, limited to the content strictly necessary, in order, for example, to identify the cause of repeated or unlawful requests that endanger the stability and security of our website and to take action against them.

The legal basis for this processing is Art. 6 (1) (b) GDPR, insofar as the page view occurs in the course of the initiation or execution of a contractual relationship with us, and otherwise Art. 6 (1) (f) GDPR due to our legitimate interest in enabling website access and permanent functionality and security of our systems.

2. Communication with Cygrid

You have various options for contacting us. These include the contact form, live chat, email, phone or on our social media platforms. In this context, we process your data exclusively for the purpose of communicating with you. The legal basis for this processing is Art. 6 (1) (b) GDPR, insofar as your information is required to answer your enquiry or to initiate or execute a contract, and otherwise Art. 6 (1) (f) GDPR due to our legitimate interest in you contacting us and us being able to answer your enquiry.

We use the tool HubSpot (HubSpot Inc.) to manage our professional contacts and for marketing, sales and customer service purposes.

With the consent of the party called, we record certain phone calls and metadata (number, time) for training and quality control purposes as well as for fraud prevention and documentation of verbal contracts. The legal basis is Art. 6 (1) (a) GDPR; the party called can withdraw their consent at any time. In the case of our employees, the legal basis for call recording is Art. 6 (1) (b) GDPR, insofar as the processing is necessary for the performance of the employment relationship (e.g. recording for training purposes). We store call recording data only as long as necessary to fulfill the purposes for which we collected the data.

3. Newsletter

You have the possibility to subscribe to our newsletter, in which we will inform you regularly about news regarding our products, services and promotions and special offers from our partners.

For sending newsletters, we use MailerLite Limited, an Irish registered company with its registered office at 88 Harcourt Street, Dublin 2, D02 DK18, Ireland, as an email service provider. To subscribe to our newsletter, we use the so-called double opt-in, meaning we will send you newsletters by email if you confirm in our notification email by clicking on a link that you are the owner of the email address provided. If you confirm your email address, we will store your email address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The storage serves the sole purpose of sending you the newsletters and to be able to prove your registration. In addition, we measure whether our newsletter can be delivered at all.

The legal basis for the processing is your consent pursuant to Art. 6 (1) (a) GDPR. You can revoke this at any time with effect for the future by unsubscribing from the newsletter. A corresponding unsubscribe-link can be found in each newsletter. A message to the contact details provided above or in the newsletter (e.g., by e-mail or letter) is of course also sufficient for this purpose.

4. Business Contacts

When you contact us via our website (e.g., contact form, email links) or otherwise in connection with our business-to-business services, we process your personal data such as name, job title and business contact details in order to handle your enquiry, communicate with the organization you work for, and manage related contractual discussions and business relationships. We may also use business contact data obtained from publicly accessible sources to identify and approach potential business contacts. Processing is based on our legitimate interests in maintaining and developing business relationships, or, where required, on your consent. 

For these communication purposes, we may use different service providers (e.g., email, hosting, customer relationship management and communication tools) who process personal data on our behalf and only in accordance with our instructions, subject to appropriate contractual and technical safeguards.

We retain your name and business contact details only for as long as necessary for the purposes described above and in accordance with applicable retention requirements. You may request erasure or correction at any time; we will delete or update your data unless we are required to retain it for legal reasons.

5. Registration to the Cygrid SaaS platform and on-prem deployments

To use the functionalities of the Cygrid platform in full, registration is required for access to the SaaS platform. For on-prem deployments (where applicable), registration is required to enable provisioning, licensing and administration. Certain offerings such as demos or trial versions may be made available without prior registration, depending on the configuration and the scope of the evaluation.

Registration can take place in two ways: (i) registration is performed by us upon request by the customer (manual provisioning), or (ii) registration is completed by the user via a self-service registration process, depending on the customer’s setup and the product configuration. Data required for registration is marked as mandatory fields. Without this data, registration is not possible. In connection with registration and access to the platform, we may process in particular the following data:

  • first and last name

  • business email address

  • company affiliation/organization (e.g., company name, tenant)

  • phone number

  • office location

  • job title

  • account name/username

  • password or authentication data

After registration, additional information may be requested and configuration data may be processed in order to enable the use of product features in a production setting, including the setup of interfaces/integrations with customer systems and applications. Further details on such processing are provided in Section 6.

The legal basis for processing the data required for account creation (mandatory fields) is Art. 6(1)(b) GDPR (performance of a contract / pre-contractual steps). To the extent security and verification data is processed as part of using the service, this is also based on Art. 6(1)(f) GDPR (legitimate interest in secure provision of the service, detecting misuse/attacks, troubleshooting and ensuring auditability). For any other information, the legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR, in particular to personalize and administer the user account, or your consent pursuant to Art. 6(1)(a) GDPR, insofar as you have provided it.

6. Data Processing within the Cygrid SaaS Platform

Cygrid generally acts as a processor on behalf of its customers within the meaning of Art. 28 GDPR. The customer remains the controller and determines which systems are connected, which data is made available, which features are enabled, and how results are used. The following information therefore primarily describes processing performed on the customer’s instructions and within the customer’s responsibility as controller. As part of the registration process (see Section 5), Cygrid enters into a data processing agreement with the customer pursuant to Art. 28 GDPR.

6.1 Core functionality and integrations

The Cygrid platform is designed to connect to the customer’s environment via interfaces and integrations in order to identify, assess and reduce security risks. Depending on the customer’s tool landscape and configuration, Cygrid may connect to identity and access systems (e.g., SSO, IAM/IGA), SaaS applications and cloud services, repositories and code platforms (including permission scanning), security tooling and signals (e.g., cloud threat intelligence), email and collaboration systems, and data protection tooling such as DLP. Integrations can be implemented through APIs and connectors, customer-initiated exports/imports, or manual configuration. Where enabled by the customer, the platform may also process publicly accessible information (e.g., from public web sources) as additional context.

6.2 Data categories and customer configuration

Depending on the connected systems and the customer’s configuration, Cygrid may process identity and account data, access and authorization data (e.g., roles, groups, entitlements), and related technical, security and activity data (e.g., log events, timestamps, IP address, audit trails) to provide the service. Customers may additionally connect contextual information relevant for prioritization (for example, indicators of business criticality). The platform is intended for enterprise environments, including regulated sectors; the specific data categories processed depend on what the customer provides and instructs Cygrid to process, and may in principle include any personal data contained in the connected systems. This can also encompass special categories of personal data within the meaning of Art. 9 GDPR as well as other sensitive data such as HR information or payment and billing data, if the customer connects such systems and configures the platform accordingly. In any case of data processing on the Cygrid SaaS platform, Cygrid processes the data strictly on the customer’s documented instructions as a processor and implements appropriate technical and organizational measures; the customer remains responsible for ensuring a valid legal basis and any required notices and consents for the processing.

6.3 Identity graph, risk scoring and recommendations

Cygrid consolidates and correlates the retrieved identity, permission and asset information to create an identity and asset graph and to identify potential attack paths and other security-relevant patterns. On this basis, the platform produces risk scores and recommendations intended for security purposes, such as prioritizing remediation and reducing excessive privileges. The customer controls whether and how such outputs are used internally. Cygrid does not, by itself, take decisions with legal or similarly significant effects on individuals; any decisions and organizational actions remain the responsibility of the customer.

6.4 Technical enforcement (customer-controlled)

Where enabled, the platform can support technical enforcement and remediation workflows in connected systems, for example by preparing or executing changes to access rights or tokens. The degree of automation and any approval steps are determined by the customer’s configuration and instructions.

6.5 Hosting, recipients and subprocessors

The Cygrid SaaS Platform is hosted and operated on AWS in Frankfurt (Germany). To provide and secure the service, we use carefully selected service providers acting as processors (subprocessors) within the meaning of Art. 28 GDPR. Depending on the customer configuration and enabled features, disclosures to subprocessors may occur for the purposes of hosting and operation, authentication and access management, security controls and monitoring, delivery of service communications, provision of AI features where enabled, and analytics/reporting where enabled. A current list of subprocessors (including purpose and processing location) forms part of our Data Processing Agreement (DPA) and can be accessed by registered customers upon request or via the customer portal; we notify customers of material changes in accordance with the DPA.

7. Job Applications

You can apply for open positions at Cygrid or our partners through our website as well as by email or LinkedIn message. The purposes of the data processing are the selection of applicants for the possible establishment of an employment or other engagement relationship (e.g., internship, working student position, trainee program, contractor or freelancer engagement, volunteer role) and the optimization of our HR processes. For these purposes, we process the following personal data: contact details (name, email, telephone number); details of your qualifications (skills, certifications, experience, employment history); information about your expectations and your eligibility to work in the relevant country. Some information may be collected from other sources, including publicly available profile data (job agencies and dedicated sites such as LinkedIn) and contact details, information about qualifications, skills, experience and employment history from people who act as references for you.

Recruitee (Recruitee B.V.) is used as a service provider for application management.

The legal basis for the processing of your application data is Art. 6 (1) (b) and Art. 88 (1) GDPR in conjunction with applicable EU member state law.

If we accept your application and a contractual relationship is established, we store your application data for as long as it is necessary for the contractual relationship and to the extent that legal regulations require us to retain it. If we reject your application, we will store your application data for a maximum of six months after rejecting your application, unless you give us your consent to store it longer in our talent pool; in that case, we will retain your application data for up to five years or until you withdraw your consent, whichever occurs first.

Processing for the purpose of carrying out the application process is based on Art. 6(1)(b) GDPR. Retention in the applicant pool is based on your consent pursuant to Art. 6(1)(a) GDPR. Processing for internal evaluation and improvement of our recruiting processes is based on Art. 6(1)(f) GDPR (legitimate interest in improving our processes), provided that such processing does not override your interests and rights.

III. Sharing data

Sometimes we need to share your data with:

·      our business clients, only to the extent that it is necessary for the provision of services to them;

·      our vendors and suppliers that we use to operate our business and provide services such as providers of software and IT systems, security, storage, legal, advisory, audit and insurance services;

·      law enforcement or other government and regulatory agencies or other third parties, where we are required by law to do so.

Data collected by us will only be shared if there is a legal basis for this under data protection law in the specific case, in particular if:

·      you have given your express consent to this;

·      the disclosure is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest,

·      we are legally obliged to disclose your data, in particular if this is necessary for legal prosecution or enforcement due to official requests and legal proceedings, or

·      this is legally permissible and necessary for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request.

Part of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this policy, this may include data centers that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting companies. Currently, this website is hosted by a third-party service provider Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, The Netherlands. If we share data with our service providers, they may only use the data to perform their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects, and are regularly monitored by us.

We may use service providers that are based in countries outside the EU or the EEA or that process personal data there, i.e. in countries whose level of data protection does not correspond to that of the EU. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses or binding corporate rules. Where this is not possible, we base the transfer of data on the exceptions under Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.

If a third country transfer is provided for and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the consent banner, you will also be informed of this. 

IV. Use of Cookies and other tools

We also use optional tools to improve the user experience on our website and to offer you more functions (“functional tools”). While these are not strictly necessary for the basic functions of the website, they can bring significant benefits to visitors, particularly in terms of user-friendliness and the provision of additional communication, display or payment channels. This may include, in particular, the integration of external content such as maps and videos as well as login via an existing account from social networks. For detailed information, please refer to our cookie policy: https://www.cygrid.io/legal/cookie-poilicy

V. Social Media

We maintain online presences in social media in order to communicate there with customers and interested parties, among others, and to provide information about our products and services. As part of the operation of our online presences, it is possible that we may access information such as statistics on the use of our online presences provided by the social networks. Please see the list below for details and links to the social network data that we, as operators of the Online Presence, can access. The collection and use of these statistics is generally subject to joint responsibility. Where this applies, the relevant agreement is listed below.

The legal basis for data processing is Art. 6 (1) (f) GDPR, based on our legitimate interest in effective information and communication with users, and Art. 6 (1) (b) GDPR, in order to stay in contact with and inform our customers and to carry out pre-contractual measures with interested parties.

For the legal basis of the data processing carried out by the social networks under their own responsibility, please refer to the data protection notices of the respective social network. The links below also provide you with further information on the respective data processing and the options to object.

Facebook and Instagram (USA and Canada: Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Meta Platforms Ireland Ltd., Serpentine Avenue, Block J, Dublin 4, Ireland)

·      Privacy policy: https://www.facebook.com/about/privacy/

·      Information on processing of insight data in joint controllership: https://www.facebook.com/legal/terms/information_about_page_insights_data

 

X formerly Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland), Privacy policy: https://x.com/de/privacy

  

LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)

·      Privacy policy: https://www.linkedin.com/legal/privacy-policy

·      Information about the processed Page Insights data and the contact option in case of data protection inquiries: https://legal.linkedin.com/pages-joint-controller-addendum

 

TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, 4 Lindsey Street, London, EC1A 9HP, United Kingdom).

·      Operation of a TikTok Business account in joint controllership on the basis of an agreement on joint processing of personal data: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms

·      Information on processed data (TikTok Analytics): https://www.tiktok.com/legal/page/global/information-about-tiktok-analytics/en

·      Contact option for privacy requests: https://www.tiktok.com/legal/report/privacy

·      Privacy policy (EEA): https://www.tiktok.com/legal/page/eea/privacy-policy/de

·      Opt-out: https://support.tiktok.com/de/account-and-privacy/personalized-ads-and-data/how-your-ads-are-personalized

 

XING / kununu (New Work SE, Am Strandkai 1, 20457 Hamburg, Germany)

·      Privacy policy / Opt-out: https://privacy.xing.com/de/datenschutzerklaerung

Google / YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)

·      Privacy policy: https://policies.google.com/privacy

·      Opt-out: https://myadcenter.google.com/

 

Reddit

·      Privacy policy: https://www.reddit.com/policies/privacy-policy

·      Opt-out / settings: https://www.reddit.com/settings/privacy

 

VI. How long do we keep your personal data?

In principle, we store personal data only as long as necessary to fulfill the purposes for which we collected the data. The data will be deleted after the purpose has been fulfilled, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law, due to statutory retention obligations, or there is another legal basis under data protection law for the further processing of your data in the specific individual case.

For evidentiary purposes, we must retain contractual data in particular for three years from the end of the year in which the business relationship with you ends. Any claims become statute-barred at this point at the earliest in accordance with the standard statutory limitation period. Even after this, we still have to store some of your data for accounting reasons. We are obliged to do so because of legal documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified there for the retention of documents are two to ten years.

VII. Your data protection rights

You have certain rights with respect to data processing at Cygrid. Please bear in mind that this is a general overview intended to aid your understanding, and that the exact scope of your rights is of course based on the legal provisions of Art. 15 to 22 GDPR: Right to information about which of your data we process (Art. 15 GDPR); Right to have your data rectified (Art. 16 GDPR); Right of erasure (Art. 17 GDPR); Right to restriction of the processing of your data (Art. 18 GDPR); Right to data portability (Art. 20 GDPR).

If your data is processed by us on the basis of Art. 6 (1)(f) GDPR (legitimate interests), you have the right to object on grounds relating to your particular situation. In addition, you have the right to object to the promotional use (direct marketing) of your data at any time. In this case, your personal data will no longer be processed for these purposes. Also, you have the right to revoke your consent – if you have given consent in certain cases – to the processing of your data at any time (Article 7 (3) GDPR). The revocation does not affect the lawfulness of the processing carried out until the revocation of consent.

You also have the right to lodge a complaint with a data protection supervisory authority. The data protection authority responsible for Cygrid is the “Berliner Beauftragte für Datenschutz und Informationsfreiheit”, Alt-Moabit 59-61, 10555 Berlin.

VIII. Updates to this Policy

We occasionally update this privacy statement, for example, when we adapt our website or when legal or regulatory requirements change.