Privacy Policy

CYBEREYE is a product operated by Jonathan & Cyber (“CYBEREYE”, “we”, “us”, or “our”), a cybersecurity firm founded by Johnny Jonathan and based in Israel. Our marketing website is siemsoc.ai and our application is available at app.siemsoc.ai.

This Privacy Policy explains how we handle personal data in connection with the CYBEREYE service. Questions, requests, and complaints may be directed to our privacy contact / Data Protection Officer at johnny@vciso.co.il.

CYBEREYE is an AI-driven cybersecurity consolidation platform that:

• connects to a customer’s existing security tools through API keys (read-only) and pulls the customer’s security findings, alerts, and logs;
• offers an optional white-labeled endpoint agent (the “CYBEREYE Agent”) that a customer may install on its workstations and servers to report endpoint security telemetry; and
• stores that security data on a per-customer basis and lets the customer ask questions that are answered using AI (Anthropic Claude).

We act in two distinct capacities:

• Data processor — for the customer security data we process on a customer’s behalf (alerts, logs, events, and endpoint telemetry). The customer is the data controller and determines the purposes and means of that processing. We process this data only on the customer’s documented instructions.
• Data controller — for the account and billing data we collect to operate the service and our business relationship with the customer.

A Data Processing Addendum (DPA) incorporating the GDPR Article 28 terms and the EU Standard Contractual Clauses is available to all customers on request at johnny@vciso.co.il.

We process the following categories of data:

• Account data (we are controller) — login email address, workspace name, and billing contact details.
• Usage data (we are controller) — queries submitted, features used, and service, security, and error logs needed to operate and secure the platform.
• Customer security data (we are processor) — security telemetry such as alerts, logs, and events pulled from connected tools and reported by the CYBEREYE Agent. This data may contain personal data, including user email addresses, IP addresses, hostnames, device identifiers, and usernames.

We process personal data for the following purposes and lawful bases:

• To provide the service (connecting tools, ingesting and storing security data, generating AI answers, operating the CYBEREYE Agent) — performance of a contract with the customer. Where we act as processor, the customer’s own lawful basis applies to the underlying personal data.
• To secure, maintain, and improve the platform, prevent abuse and fraud, and ensure availability — our legitimate interests in running a secure and reliable service.
• To send account, billing, and service communications — performance of a contract and our legitimate interests.
• For optional communications where required (e.g. certain product marketing) — your consent, which you may withdraw at any time.

We do not sell personal data, and we do not use customer security data to train our own or third-party machine-learning models.

We engage the following sub-processors to deliver the service. Each is bound by contractual obligations consistent with this Policy and applicable data protection law.

We maintain a current list of sub-processors and will provide reasonable advance notice of any new sub-processor on request.

Our primary processing takes place in the EU (Frankfurt). Some sub-processors — notably Anthropic — are based in the United States, which may involve transfers of personal data outside the EEA.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards, principally the European Commission’s Standard Contractual Clauses (SCCs). We are based in Israel, which benefits from a European Commission adequacy decision, meaning data may flow between the EEA and Israel without additional measures.

Customer security data is retained for a period configurable by each customer, with a default of 12 months and a maximum of 24 months. After the applicable period, data is deleted or irreversibly anonymised in the ordinary course.

Account and billing data is retained for the duration of the customer relationship and for as long as needed afterwards to meet legal, accounting, and tax obligations.

We apply technical and organisational measures appropriate to the risk, including:

• encryption in transit (TLS) and at rest (AES-256-GCM for stored credentials);
• strict per-tenant isolation enforced at the database layer (row-level security) so that one customer can never access another customer’s data;
• least-privilege access controls for personnel and systems; and
• audit logging of access and significant system events.

Subject to applicable law, you have the right to: access your personal data; request rectification of inaccurate data; request erasure; request restriction of processing; obtain portability of data you provided; and object to processing based on legitimate interests. Where processing is based on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.

Where we act as a data processor, requests relating to customer security data are generally directed to the relevant customer (the controller); we will assist the customer in responding. For account data, contact us at johnny@vciso.co.il and we will respond within the timeframes required by law.

You also have the right to lodge a complaint with a supervisory authority — for example, the Israeli Privacy Protection Authority or the data protection authority of your EU/EEA member state.

We keep cookies to a minimum. We use strictly necessary cookies for authentication and to keep you signed in. We do not use third-party advertising cookies and we do not engage in cross-site tracking. Any analytics we run is limited to what is needed to operate and secure the service.

We maintain procedures to detect, investigate, and respond to security incidents. In the event of a personal data breach, we will notify affected customers without undue delay and, where we act as processor, assist the customer in meeting its own notification obligations to supervisory authorities and data subjects under applicable law.

CYBEREYE is a business product that is not directed to children. The service is not intended for individuals under the age of 16, and we do not knowingly collect personal data from them.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the service after an update takes effect constitutes acceptance of the revised Policy.

For any privacy question, request, or complaint, contact our privacy contact / Data Protection Officer at johnny@vciso.co.il.