Privacy Policy
SafeDep Inc. – Privacy Policy
Last updated: July 12, 2025
- Who We Are
SafeDep Inc. (“SafeDep,” “we,” “us,” or “our”) provides software-as-a-service (“SaaS”) products that help organizations secure their software supply chain. Our principal place of business is:
SafeDep Inc., 8 The Green, #13020, Dover, DE 19901, USA
This Privacy Policy explains how we collect, use, disclose, and protect information through our websites safedep.io, api.safedep.io, platform.safedep.io, app.safedep.io, and any related services (collectively, the “Services”).
- Scope
By accessing or using any SafeDep Service, you acknowledge that you have read this Privacy Policy and agree to its terms. If you do not agree, do not use the Services.
- Information We Collect
Category | Examples | Source | Purpose |
---|---|---|---|
Account Data | Username, email address, tenant domain name | You / your organization | Create & maintain accounts; authenticate users |
Authentication Data | OAuth / SSO tokens* | Auth0 (identity provider) | Secure access; session management |
Billing Data | Name, address, tax IDs, last 4 digits of card (handled by Stripe) | You ➜ Stripe | Invoice, collect payments, prevent fraud |
Code Repository, Open Source Software (OSS) Data | Repository URLs, package coordinates, dependency metadata, commit history, scan results (may be public or private) | Integrated source-code hosts, CI pipelines, user uploads | Perform analysis, generate security insights |
Analytics Data | Device/browser type, pages visited, events, IP address (truncated/anonymized where possible) | Cookies/SDKs (PostHog, Google Analytics, similar future tools) | Improve product & UX, diagnose issues |
Open-Source Telemetry | Anonymous usage statistics from our CLI / self-hosted agents | Opt-in code execution | Product improvement (can be disabled) |
Note: Auth0 stores password hashes and MFA secrets; SafeDep never sees or stores raw passwords.
We do not intentionally collect “sensitive personal information” (e.g., government IDs, health data).
- How We Use Information
- Provide & operate the Services (account creation, authentication, security scanning).
- Process payments & fulfill orders (through Stripe).
- Improve, test, and maintain our Services and defenses.
- Communicate with you (transactional emails, security alerts, product updates).
- Prevent fraud, abuse, or legal violations.
- Comply with legal obligations and enforce our Terms of Service.
- Legal Bases for Processing
SafeDep is a U.S. company and does not actively market to EU residents. If you access the Services from the European Economic Area or similar jurisdictions, we process your data under the following bases:
- Contractual necessity – to deliver the Services you request.
- Legitimate interests – to secure and improve our platform.
- Legal obligation – to meet U.S. or other applicable laws.
- Cookies & Tracking
We use cookies, local storage, and similar technologies for the following purposes:
Type | Purpose |
---|---|
Essential | Login sessions, CSRF protection, load-balancing |
Analytics | Understand feature usage (PostHog, Google Analytics) |
Preference | Remember UI settings |
You can usually disable cookies via browser settings, but parts of the Services may not function.
- Sharing & Disclosure
We do not sell personal information. We share it only:
Recipient | Reason / Safeguards |
---|---|
Stripe | Payment processing; PCI-DSS compliant |
Auth0 | Identity management; SOC 2 & ISO 27001 certified |
Analytics vendors (e.g., PostHog, Google) | Performance & product metrics; IP anonymization where feasible |
Hosting providers & subprocessors (e.g., AWS, GCP) | Secure cloud infrastructure; encrypted at-rest & in-transit |
Professional advisers & auditors | Confidentiality obligations |
Law enforcement | Only if required by valid subpoena, warrant, or court order. We will attempt to notify affected users unless legally prohibited. |
- Data Retention
Data Type | Retention Period |
---|---|
Account & billing records | Active subscription + 7 years (for tax & audit) |
Repository/scan data | Until you delete the project or 90 days after subscription ends (whichever is earlier) |
Analytics & logs | ≤ 24 months, aggregated thereafter |
You may request earlier deletion where legally permissible (Section 10, Your Choices & Rights).
- Security Measures
- TLS 1.2+ encryption in transit; AES-256 at rest
- Logical tenant separation; least-privilege RBAC
- Automated dependency & container scanning
- 24 × 7 monitoring and incident-response program
- Regular third-party penetration tests & SOC 2 Type II controls in progress
No system is 100 % secure, but we take commercially reasonable steps to protect your data.
- Your Choices & Rights
Depending on your jurisdiction, you may have rights to:
- Access a copy of your personal data
- Correct inaccurate data
- Delete your data (“Right to be forgotten”)
- Object / restrict certain processing
- Port data to another provider
- Opt-out of analytics or open-source telemetry
To exercise any right, email [email protected]. We will verify your identity and respond within 30 days (or shorter if required by law).
- Children’s Privacy
The Services are not directed to children under 13. We do not knowingly collect information from anyone under 13. If you believe a child has provided us data, contact us for deletion.
- International Transfers
SafeDep is U.S.-based. If you access the Services from outside the U.S., you consent to transferring your information to—and storing it in—the United States, where privacy laws may differ.
- Third-Party Links
Our Services may link to third-party sites (e.g., GitHub). We have no control over their privacy practices. Review their policies before providing data.
- Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be announced via email or an in-app banner. Continued use of the Services after the update constitutes acceptance.
- Contact Us
For questions, concerns, or complaints about privacy:
Privacy Officer, SafeDep Inc.