← Back to site

Privacy Policy

Last updated: 3 May 2026

Summary. Cyber is a Microsoft 365 security-posture, hygiene and storage scanner. By default it runs read-only. Scoped, audit-logged remediation actions are available to verified tenant administrators who explicitly enable them. We collect the minimum data needed to run your account, scan your tenant on a schedule, show you findings, and bill you. We do not pull or store file contents, share URLs, or access tokens. We do not sell or share personal information for cross-context behavioural advertising. We do not use your metadata to train AI models.

Contents

1. Who we are

Cyber is operated by olyteck from France under SIRET 993 174 499 00018. For the purposes of the EU General Data Protection Regulation (GDPR), olyteck is the data controller for the personal data described in this policy when processed to run your account; for the metadata we scan from your Microsoft 365 tenant, we act as a data processor for your organisation (the controller). You can reach our privacy contact at [email protected].

2. Data we collect

Account data (about you)

  • Entra Object ID (OID), UPN, and email of the user who signed in
  • Display name, if Entra returns one
  • Whether the user is a tenant admin inside Cyber
  • Timestamps for account creation, last login, and session activity

Tenant data (about your Microsoft 365 tenant)

  • Microsoft Entra tenant ID and tenant display name
  • Graph IDs of scanned objects (sites, drives, users, apps) and their display names
  • Counts, severity flags, and first-seen / last-seen timestamps per finding
  • Scan-run metadata (when it ran, how long, outcome)

Usage data

  • IP address and user-agent of requests that hit the app
  • Audit-log entries for privileged actions (logins, CSRF-gated mutations, admin promotions)

Billing data

  • Stripe customer identifier, subscription status, and invoice metadata
  • We do not store full card numbers or CVC — those go directly to Stripe

3. The SAFE-payload rule

This is the most important thing in this policy. The Service is designed so that, when it scans your Microsoft 365 tenant, the only things it persists to its own database are the minimum identifiers needed to correlate findings across runs:

SAFE payload — stored in Cyber's database:
• Graph IDs (tenant, site, drive, user, app)
• Display names, counts, timestamps, severity flags
• Scan-run metadata (when it ran, how long it took, outcome)

NEVER stored:
• File contents (bodies, attachments, OCR text)
• Share URLs (we record that a share exists, not the link)
• Access tokens, refresh tokens, or credential material

In practice this means: if the scanner spots a SharePoint site shared with "Anyone", the row we write says "site SiteName (graph id <x>) has N Anyone-links, severity warning, first seen on date D". The actual sharing URLs are not fetched and not stored. The same rule applies to OneDrive drives, Teams-backed sites, user accounts, and consented OAuth apps.

Access tokens used to call Microsoft Graph on your behalf are held in memory for the duration of a single scan and discarded immediately afterwards. Where a workflow strictly requires a refresh token (e.g. client-credentials flows for a per-tenant application), it is stored encrypted and scoped to your tenant only.

4. How we use your data

  • To authenticate sessions via your Microsoft tenant.
  • To run scheduled scans of the tenant modules you enabled, and — where you explicitly trigger them — admin-initiated remediation actions.
  • To produce findings, dashboards, saved executive reports, and weekly digests.
  • To bill you accurately and issue invoices.
  • To send transactional email — welcome, scan-failure alerts, weekly digest, billing receipts. These are part of the service and you cannot opt out without closing the account.
  • To send the optional marketing onboarding sequence to users who explicitly ticked the "Send me Cyber product tips" checkbox at trial signup. See §15 for details and how to opt out.
  • To produce anonymous, aggregate page-view statistics on our public marketing pages (own server-side counter + optional Google Analytics, the latter only after you click "Accept" on the cookie banner). See §14.
  • To detect abuse and secure the platform.
  • To comply with our legal and accounting obligations in France and the EU.

What we do not do: we do not sell or share your personal information for cross-context behavioural advertising; we do not use your metadata or logs to train AI models; we do not share your findings with advertisers; and we do not fetch the contents of your files.

6. Sub-processors

We use a short list of vendors to run the Service. Each of them acts as a data sub-processor under a written processing agreement. The list below is authoritative; the DPA repeats it with full legal references.

  • Microsoft Ireland Operations Ltd. — Microsoft Graph API, called on your behalf to produce findings. Tenant data resides in your own Microsoft 365 region.
  • Stripe Payments Europe, Ltd. (Ireland) — subscription billing.
  • EU-region cloud hosting provider — application hosting, database, scheduled cron workers.
  • Transactional email provider — sends receipts, weekly digests, scan-failure alerts, and (only with explicit opt-in) the trial-onboarding sequence. Its "From" address is [email protected].
  • Google Ireland Ltd. — Google Analytics 4 on the public marketing pages, only after a visitor clicks "Accept" on the cookie banner. IP anonymisation is on; Google Signals and Advertising features are off; the tag does not run inside the authenticated app.

7. Payments

Paid subscriptions are processed by Stripe Payments Europe, Ltd. (Ireland). We receive a transaction reference, amount, currency, subscription state, and the last four digits of the card. Full card data is entered directly into Stripe's hosted Checkout and never touches our servers. Stripe's own privacy policy applies to that part of the flow.

8. Storage & retention

Application data is hosted in the European Union. We keep:

  • Account data — while your tenant is active, plus 30 days after deletion.
  • Active (unresolved) findings — kept as long as they remain unresolved on your tenant.
  • Resolved findings — 180 days (then deleted automatically by the retention job).
  • Scan-run history — 90 days for scheduled runs; 180 days for admin-triggered manual deep scans.
  • Audit log — 24 months (then deleted automatically).
  • Public-page analytics — 25 months (CNIL ceiling for the cookieless server-side counter); the optional Google Analytics tag follows GA's own default cookie lifetimes (up to 2 years) and is only set after you click Accept.
  • Billing records — 10 years, because French accounting law requires it.

9. Sharing with third parties

We only share data with:

  • The sub-processors listed in §6, strictly to run the Service.
  • Microsoft, which receives the API calls we make on your behalf.
  • Tax authorities, lawyers, auditors, or courts when legally required.

All of the above are bound by written processing agreements and appropriate security obligations.

10. International transfers

Where a sub-processor (notably Stripe and Microsoft) processes data outside the European Economic Area, transfers rely on EU Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework. We do not intentionally store your account or scan data outside the EU.

11. Your rights

If you are in the EU, the UK, or otherwise subject to GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct data that is inaccurate or incomplete
  • Delete your account and, on request from a tenant administrator, your tenant's data
  • Export your data in a portable format
  • Restrict or object to specific processing activities
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with the French data-protection authority (CNIL) at cnil.fr

To exercise any of these rights, email [email protected] from the address associated with your account. We respond within 30 days.

12. Automated processing

The scanner produces severity flags ("critical", "warning", "info") on findings using deterministic rules — for example, "this share link is set to Anyone-with-the-link" → critical. These flags do not produce legal effects on individual data subjects. They are decision-support for your administrators, not automated decisions within the meaning of GDPR Art. 22. We do not profile individuals, score employees, or feed findings into any external automated decision system.

13. Security

  • Traffic is served over HTTPS only.
  • Session cookies are HttpOnly, Secure, and SameSite=Lax. Session IDs rotate on login and on every privilege change.
  • Mutating admin actions (promote / demote / billing) are protected by CSRF tokens.
  • Parameterised SQL throughout — no user input is concatenated into queries.
  • Brute-force login attempts against Entra are rate-limited by Microsoft, not us; we observe the OAuth callback outcome only.
  • Scans run under a dedicated Entra application granted via your tenant's admin consent, using client credentials — not a user's session.

No online service can promise absolute security. If you suspect a breach, email [email protected] immediately.

14. Cookies & analytics

Strictly necessary

The session cookie (DM_SESSION), the CSRF token (stored inside the session, not its own cookie), and the cyber_explain_seen marker that hides the permissions-explainer screen on retries are required for the site to work. They are not subject to consent under ePrivacy Art. 5(3) / French LCED Art. 82.

Public-page analytics

On the marketing pages we run two analytics layers, with very different consent treatment:

  • Server-side, cookieless counter (own code, own database). Records anonymous statistics — page label, truncated IP (/24 v4, /48 v6), browser-class bucket, and a daily-rotating visitor hash — without setting any cookie or client-side identifier. Retention 25 months. Honours the DNT: 1 request header. CNIL-exempt under the "exempted measurement" criteria, so it runs without a banner.
  • Google Analytics 4. Only loads after you click "Accept" on our consent banner. IP anonymisation on; Google Signals and Advertising features off. Until consent is given, no request is sent to googletagmanager.com and no Google cookie is set. Reject is offered with the same prominence as Accept and persists for 6 months.

Inside the authenticated app (/teams_adm/, /teams_usr/, /admin/) we run no third-party analytics at all.

The full breakdown — exact cookie names, lifetimes, third parties, and how to revoke consent — is in the Cookie Policy.

15. Marketing email

When you start a trial we ask, on the same screen as the Microsoft permissions explainer, whether we may send you an optional onboarding sequence — about ten short messages over the first four weeks. The checkbox is unticked by default. We enrol you only if you tick it. Every message contains a one-click unsubscribe link and the List-Unsubscribe header per RFC 8058 (so Gmail's one-click unsubscribe button works too).

We record consent on your user row (timestamp + source). To withdraw, click any unsubscribe link in any message we sent you, or email [email protected] and we will remove you within 10 business days (CAN-SPAM) / immediately on receipt (GDPR/PECR — withdrawal of consent is effective from the moment we receive it).

Transactional email (login, scan-failure alerts, weekly digest, billing receipts) is not subject to this opt-in: it is part of the service you signed up for and is sent on the basis of contract performance (Art. 6(1)(b) GDPR). You can opt out of the weekly digest and the per-incident alert pings independently from your tenant-admin settings.

16. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights. This section is your "notice at collection".

  • Categories of personal information we collect. Identifiers (work email, UPN, Entra Object ID), professional information (your role inside the tenant), internet/network activity (IP truncated for analytics, sign-in timestamps).
  • Sources. Directly from you when you sign in, and from Microsoft Graph as authorised by your tenant administrator.
  • Business purposes. Operating, securing and improving the Service; billing; transactional and (with your consent) marketing email.
  • Sale or sharing. We do not "sell" personal information and we do not "share" it for cross-context behavioural advertising as those terms are defined under the CPRA. We have therefore not enabled a Do Not Sell or Share My Personal Information link because there is nothing of that kind to opt out of.
  • Sensitive personal information. We do not intentionally collect or use sensitive personal information and we do not use it to infer characteristics about you.
  • Retention. See §8.
  • Your rights. Right to know, right to delete, right to correct, right to limit use of sensitive personal information (not relevant — see above), and the right not to be discriminated against for exercising any of these rights. To exercise them, email [email protected] from the address associated with your account; we respond within 45 days (extendable once by 45 days, with notice, as permitted by the CPRA).
  • Authorised agent. You may appoint an agent to make a request on your behalf. We will require proof of the agent's authority and may require you to verify your own identity directly with us.

17. Minors

Cyber is a B2B tool intended for use by authorised administrators of an organisation. It is not directed at children under 16. If you believe a minor has signed up, email us and we will close the account and delete the data.

18. Changes to this policy

When we make a material change we update the "Last updated" date at the top and, where the change affects your rights, notify your tenant admins by email. Continued use after the change means you accept the updated policy.

19. Contact

Questions about privacy? Email [email protected] — or the general support address [email protected].

Operator: olyteck — SIRET 993 174 499 00018.