How we protect the protectors' data.
A cyber insurer should be able to show its own posture. This page describes exactly what we hold, where it lives, which third parties touch it, and the limits we build in. Every statement below is drawn from our codebase, nothing more.
What we collect, and why
The list is short on purpose. We collect what a check or a policy needs, and we say so in plain English.
Your name, email address, and a password.
To sign you in and address you properly. Nothing more is required to hold an account.
An email address or username you choose to check, or a company domain.
Only to run the check you asked for. Inputs are validated first; private hosts and reserved IP ranges are refused.
DNS records, TLS certificates, security headers, certificate-transparency entries, breach records.
All of it is public record. The audit never touches your private systems; it reads what the internet already shows.
Files you choose to upload. PDF, PNG, or JPEG only.
So your policy records and claim evidence live in one place, attached to your household.
The conversation you have with the dashboard concierge agent.
Stored with your account so the agent keeps context between sessions.
Your plan name and subscription state. Card numbers never reach our servers.
Payment happens on Stripe’s hosted checkout; we receive the outcome, not the card.
How it is stored
Passwords themselves are never stored. We keep a scrypt hash derived with a per-account random salt, and we compare it in constant time. A password must be at least 12 characters and include a number and a symbol.
Sessions are signed, httpOnly, secure cookies that expire after 30 days. In production the server refuses to run without a real signing secret; there is no built-in fallback.
Application records (accounts, policies, intake drafts) live in Netlify Blobs, the managed store scoped to this site. There is no separate database to misconfigure.
The document vault accepts PDF, PNG, and JPEG, verified by reading each file's actual leading bytes rather than trusting its declared type. Each household member is capped at 50 documents, 250 MiB in total, and 4.5 MB per file.
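The following is an added example, written for this page, of the leading-byte check and the per-member caps described above. It is not the vault's own code: the signature table, the binary reading of "4.5 MB", the `{ count, bytes }` quota record and the function names are assumptions.

```javascript
// Added example, not the vault's own code: type detection by leading bytes and
// the per-member quota. Byte limits follow the figures on this page; the
// binary reading of "4.5 MB" and the quota record shape are assumptions.
const SIGNATURES = [
  { ext: 'pdf', type: 'application/pdf', magic: Buffer.from('%PDF-', 'latin1') },
  { ext: 'png', type: 'image/png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { ext: 'jpg', type: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
];

const MAX_FILE_BYTES = Math.floor(4.5 * 1024 * 1024); // 4.5 MB per file
const MAX_DOCS = 50;                                  // per household member
const MAX_TOTAL_BYTES = 250 * 1024 * 1024;            // 250 MiB per household member

// Returns the matching signature or null. The declared MIME type is ignored.
function sniffType(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.magic.length && buf.subarray(0, sig.magic.length).equals(sig.magic)) {
      return sig;
    }
  }
  return null;
}

// quota: { count, bytes } already used by the member. Returns a decision and,
// on success, the updated quota so the caller can persist it with the file.
function admitUpload(buf, quota) {
  if (!Buffer.isBuffer(buf) || buf.length === 0) return { ok: false, reason: 'empty upload' };
  if (buf.length > MAX_FILE_BYTES) return { ok: false, reason: 'file larger than 4.5 MB' };
  const sig = sniffType(buf);
  if (!sig) return { ok: false, reason: 'not a PDF, PNG or JPEG' };
  if (quota.count >= MAX_DOCS) return { ok: false, reason: 'document limit reached' };
  if (quota.bytes + buf.length > MAX_TOTAL_BYTES) return { ok: false, reason: 'storage limit reached' };
  return {
    ok: true,
    type: sig.type,
    ext: sig.ext,
    quota: { count: quota.count + 1, bytes: quota.bytes + buf.length },
  };
}
```

The size check runs before the signature check so an oversized body is rejected without being inspected, and the extension stored alongside the file comes from the sniffed type, never from the client's filename.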
You can delete your account from the dashboard at any moment; the stored record is removed and your session is cleared. Privacy requests are honored within 30 days, as set out in our privacy policy.
Our AI stack
The public audit and the dashboard concierge run on Anthropic's Claude models, called through the official @anthropic-ai/sdk and routed via OpenRouter. There are no hand-rolled calls to model APIs anywhere in the codebase.
The audit agent reasons over evidence we gather first: DNS, TLS certificates, security headers, transparency logs, breach records. It reads public evidence only and never reaches into private systems. Its score is informational and never sets your price; plans are fixed-price tiers from a published catalog.
Public audit reports are cached for up to 30 minutes against a one-way hash of the target, then regenerated. Concierge conversations are stored with your account; the agent reads your most recent messages for context and periodically condenses older history into a summary. Every agent request is rate-limited per IP and bounded: a fixed cap on tool calls and a hard wall-clock limit of under a minute.
Subprocessors
Six third parties touch the platform. Each one exists for a single, named reason.
Hosting, serverless runtime, and the data store for accounts, policies, and vault documents.
Payments and billing. Hosted checkout; card data stays with Stripe.
Routes our AI requests to the model provider.
Claude models behind the public audit and the concierge.
Optional Google sign-in. Active only when configured; password accounts never touch it.
Breach corpus consulted for the email exposure checks you request.
We do not sell personal information. Full detail is in the privacy policy.
Report a vulnerability
If you find something, we want to hear it from you first. We publish a security disclosure file under RFC 9116 at /.well-known/security.txt, and reports go to security@syba.io. Reports are handled within 72 hours; critical findings within 24 hours.
Good-faith research within scope falls under our safe-harbor policy: we will not pursue legal action for testing that avoids privacy violations and service interruption, interacts only with accounts you own, and gives us reasonable time to remediate before public disclosure.