We're a security company that built its product around one architectural decision: your data doesn't leave your cloud. That decision determines how this policy reads. We collect almost nothing — and what we do collect, we'll tell you about here.
Three categories. Nothing else.
Account & billing data: Name, work email, company, role, IP address at sign-up, payment method (handled by Stripe — we never see card numbers). Used to operate your account and bill you.
Telemetry: How you use the console — which pages you visit, which agents you configure, which incidents you investigate. Captured via our own product (yes, we eat the dog food). No third-party analytics, no ad pixels, no Google Analytics, no Segment, no Mixpanel.
Incident-scoped log data: When an agent surfaces an incident in your environment, the specific log events relevant to that incident are pulled into the control plane for triage. Scope is constrained at query time by the agent — usually a minutes-long window, a single principal, a single resource. Never the full firehose.
Account & billing data to operate your account. Telemetry to improve the product (privately, for you — the same data is exposed in your own console). Incident-scoped log data to triage, contain, and document the incident — and only for as long as that takes.
Your logs: in your cloud account, in your region, under your IAM. Vulneron never copies them at rest.
Incident slices: in the Vulneron control plane, in the region you select at workspace creation (us-east-1, eu-west-1, ap-southeast-1).
Inference traffic: routed to the closest in-region model endpoint. Anthropic and OpenAI calls use zero-retention configurations — no caching, no training, no logging on their side.
Incident slices: 90 days by default, configurable down to 7 days, or up to 7 years where a compliance requirement demands it. Account data: lifetime of the account + 30 days. Billing records: 7 years (regulatory requirement). Telemetry: 13 months rolling.
Under GDPR, UK GDPR, CCPA/CPRA, and Singapore's PDPA you have the right to access, correct, port, and delete your personal data. Email privacy@vulneron.com — we respond within 30 days. No SAR queue, no third-party forms.
One rule, paraphrased into many: don't use Vulneron to attack systems you don't own or don't have written authorization to test. The Attack agent only runs against environments you've explicitly designated in-scope through the console. We'll cut access to anyone using it outside that boundary, and cooperate with law enforcement where relevant.
Specifically prohibited: targeting third-party SaaS without contract; targeting customer-of-your-customer systems; using Vulneron for credentialed access in lieu of a pentest with proper rules of engagement.
Material changes: 30 days' email notice and a banner in the console. Non-material: this page is updated and the change date logged on the trust center. Past versions are diffable.
Privacy questions: privacy@vulneron.com. EU representative: eu-rep@vulneron.com. UK representative: uk-rep@vulneron.com.