Read this page carefully. It includes the General Terms of Use that regulate the access, navigation and use of the “Xygeni” services (the “Service”), placed in the URL https://xygeni.io (the “Web site”) and any subdomains such as http://in.xygeni.io (the “Web UI”) and others, all of them owned by Xygeni Security, S.L. (Xygeni).

The Web sites’ access, navigation and use involve, on its behalf, the express acceptance and binding by you (User) of all terms of the present General Terms of Use (hereinafter the Terms of Use or the Terms).

Their observance and compliance will be needed for any person to gain access, navigate or use the Web sites and the Service. If you disagree with these Terms, do not access, navigate, or use these Web sites or Services.

1. Introduction And Company Detail

Xygeni Security, S.L., a company registered in Calle Pasion 4 2 planta, 47001, Valladolid, Spain, is the author and owner of the Service and the Web sites.

To contact Xygeni directly and effectively, you can use the email address info@xygeni.io.

2. Object and application field

The present Terms regulate the access and use of the Software and Services offered by Xygeni through the Web sites and the Service and its use by its Users.

Xygeni reserves the right to modify the presentation, configuration and contents of the Service, as well as the required conditions for access and use. The access and use of the Service, after the coming in force of its modifications and changes in the Terms, assume the acceptance of those by the Users.

Notwithstanding the above, the access to particular contents and the use of particular parts of the Service can be subjected to particular conditions that, according to the cases, will substitute, complete and/or modify the current Terms. In the case of contradiction, the terms of the particular conditions over this General Terms of Use will prevail.

Before using and/or contracting these parts of the Service offered by Xygeni, you must carefully read the particular terms created in its case, to such effect by Xygeni. The use and/or the contract of these parts of the Service involve the acceptance of the particular terms that regulate, in the published version by Xygeni, at the moment that this use and/or contract is caused.

These Terms of Service refer to the following additional terms, which also apply to your use of the Services:

• Our Privacy Policy, which sets out the terms on which we process any personal data we collect from you or that you provide to us, including our cookies policy that sets out information about the cookies on the Platform.
• Our Security Policy, which describes how we will process any personal data on your behalf.

3. Restricted Use of Xygeni Products and Services

3.1 Scope of Permitted Use

The services provided by Xygeni are intended solely for the purpose of assessing and analyzing the customer’s own software or third-party software used within it. The customer agrees to utilize the services exclusively for internal security analysis and improvement of their own Software Supply Chain.

3.2 Prohibition on External Disclosure

The customer is expressly prohibited from using Xygeni’s services for the purpose of assessing, analyzing, or otherwise providing information on the security posture, vulnerabilities, or potential security flaws in the Software Supply Chain of any software to external parties not directly affiliated with the customer’s own software development or maintenance. It includes but is not limited to, providing security assessment services, vulnerability reports, or security consultancy to third parties using data obtained from Xygeni’s services.

3.3 Consequences of Unauthorized Use

In the event of a breach of this clause:

a. Service Termination: Xygeni reserves the right to immediately terminate the provision of services to the customer without prior notice.

b. Legal Action: Xygeni retains the right to take any legal actions deemed necessary to address the breach. This includes seeking remedies for any damages incurred and enforcement of compliance through legal proceedings.

c. Acknowledgment and Agreement

The customer acknowledges that this restriction is necessary to protect the proprietary and confidential nature of Xygeni’s services and methodologies. By using Xygeni’s services, the customer agrees to comply with the terms outlined in this clause.

4. Access

For access and navigation through the Service’s functionalities, a previous registration is required through the selection by the User of identification, password and other identification details that will be saved in Xygeni’S Users Registration.

The password will be personal, non-transferable, and will be created by the User at the moment it is contracted and will have a temporary unlimited validity. The Service provides the needed functionality so that the User can change the password when is considered appropriate.

The User agrees to make diligent use of the password and to maintain it in secret, not to transmit it to any third party or Xygeni. Consequently, the User is responsible for the adequate custody and confidentiality of any identifiers and/or passwords that have been selected as a registered User of Xygeni and undertake not to hand over its use to others, either temporarily or permanently, and to not allow access to others. It will be the User’s exclusive responsibility if the Service is used illegally by a third party that uses a password caused by careless use or the loss by the User.

In virtue of the above, the User has an obligation to notify the administrator of the Service immediately about any fact that allows the inappropriate use of the identifiers and/or passwords, such as theft, loss or unauthorized access, to proceed to the immediate cancellation. Meanwhile, if such a fact is not disclosed, Xygeni will not assume and is exempted from any liability whatsoever that results from the inappropriate use of the identifiers or passwords used by unauthorized third parties.

5. Intellectual and industrial property rights

The Web sites and the Service are regulated by Spanish law.

In no case can be understood that the access and navigation of the User in the Web sites or the use, purchase and/or contracting of the offered Service through the Web site involves, either totally or partially, a resignation, waiver, transmission, license or assignment of rights by Xygeni. The User is granted exclusively a right to use privately, exclusively to enjoy the benefits of the Service according to these Terms.

The references to names and trademarks or registered brands, logos or other distinctive symbols, either being Xygeni’s ownership or third companies, have the ban over the use without Xygeni’s consent or its legitimate owner. In no case, unless expressly stated, the access or use of the Web sites and/or their contents and/or the Service confer rights to the User over the trademarks, logos and/or distinctive symbols in this, including the ones protected by law.

All rights are reserved to the intellectual and industrial property over the contents and/or the Service, and, in particular, it’s forbidden to modify, copy, reproduce, communicate publicly, transform or distribute in any way the total or part of the contents and/ or services included in the Web sites for public or commercial purposes without the prior express and written authorization by Xygeni or in the case, the titleholder of the corresponding rights.

6. Rights on Software Supply Chain Assets

Xygeni does not claim any intellectual property rights related to your software artefact, code, projects, or any materials you share with us through the Service.

However, to facilitate to the User the usage of our Services, it is necessary for the scanner to examine segments of the configurations and projects. They never are transmitted to our servers. Xygeni only transmits the result and findings regarding security. The information that we handle includes, but is not restricted to, data about the project, such as its name and metadata, data about the project’s dependencies, including open-source and closed-source tools readily accessible, how they are referenced within the project, and environmental data (“Inventory Information”). For these reasons, we require, and you grant us a global, non-exclusive, royalty-free license to store, utilize, reproduce, display, and transmit the Inventory Information and any other materials sent through the Service, to the extent required for your utilization of the Services, including monitoring services. This license will continue to be in effect until you or we decide to terminate these Terms of Service.

Beyond the rights you have accorded to us above, we also need you to grant us a license to store, use, reproduce, display, and transmit the Inventory Information and any other materials sent through the Service for analytical reasons (like understanding the project’s state at the time of its deletion) and for enhancing our Services. This license will remain active unless and until you send an email to support@xygeni.io  specifically requesting us to remove such data from our database. For clarity, this license will not terminate upon the cessation of these Terms of Service or if you remove the associated project from the project page on our Platform.

7. Use of the Service

The User agrees to use the Service in accordance with the law and the current Terms. The User forces itself to abstain from using the Service with unlawful effects or opposite from the established in this Terms of Use.

Using the Service, the User declares the approval of these Terms, agreeing not to transmit, issue, o put in the disposition of third parties any type of material that by any way violates the legislation currently in force.

Any free account used for the Xygeni Platform expressly waives any right to use the service for any commercial purpose.

We commit that the Services will function largely as outlined in the Documentation. However, this commitment does not cover any non-compliance resulting from your usage of the Services in violation of our instructions or these Terms of Service or any changes made to the Services or the software used to provide the Services by an unauthorized third party. You acknowledge and agree that we are not obligated to adjust the software to accommodate your usage of the Services.

We reserve the right to enforce quotas and usage limits (to any resources, including the API and scans) at our sole discretion, with or without notice, which may result in the disabling or throttling of the user’s account for any amount of time.

In particular, we have implemented rate-limiting measures to enhance system stability in the face of rising request volumes. This system is under continuous observation to guarantee it minimally affects users while maintaining system robustness. Each user is limited to a maximum of requests per minute according to the licensing and volume contracted, though this may be adjusted in the future. As a reference, the default rate limit is calculated by dividing the maximum API calls in the contract by 480.  We advise that API calls should be moderated, irrespective of the existing limit. Requests exceeding the customer threshold will receive a 429 status code, indicating ‘Too many requests’ for the duration of the rate-limit interval.

In particular and by indicative and not exhaustive merely title, the User agrees not to capture details with advertising purposes, not to send any type of advertisement online, nor chain messages, and not transmit, not spread or give to third parties through the Service provided by the Web site, information, messages, graphics, sound or image files, photographs, recordings, software and generally any class of material, data or contents that without exhaustive encouragement:

• incur in unlawful, illegal or opposite to good faith and public order activities.
• in any way to violate, underestimate or attempt against the fundamental rights and public freedom recognized constitutionally or the International trades and in the rest of the legal order;
• lead, incite or promote criminal, defamatory, slanderous or violent acts;
• lead, incite or promote acts, attitudes or discriminated ideas on sex, race, religion, creed or age;
• include criminal, violent or degrading messages;
• induce or incite to involve in dangerous carry-out, risk or harmful to health and mental balance;
• to be false, ambiguous, inaccurate, exaggerated or untimely in a way to induce to an error of the object or of the intentions or the communicating purpose;
• they are protected against any intellectual or industrial property rights belonging to third parties without the user obtaining previously from the holders the authorization necessary to carry out the use;
• violate the business secrets to third parties;
• infringe the honor rights, to the personal and family privacy or peoples image;
• infringe regulations about privacy communications;
• prompt by the characteristics (as like format, extension, etc) difficulties with the normal function of the services.

Occasionally, we might add new services, features, or functions to our existing Services. These Terms of Service will govern these additions unless distinct or supplementary terms accompany them. In such a case, you must accept these separate or additional terms to gain access and utilize these new services, features, or functionality.

7.1 Free Trial Conditions

8. Managed Services

For those authorized Xygeni Partners that want to use Xygeni to provide services for their customers, it is allowed following these guidelines:

• The Partner will use different Xygeni Accounts for every customer.
• If the Partner is going to analyze the activity of several developers, the Xygeni Platform must be configured and dimensioned for that number of developers and activity.

Intentionally misuse of these guidelines may result in an account deactivation.

9. Characteristics and required conditions

For a correct display and navigation through the Web site, it requires: a) A monitor with a minimum resolution of at least 1440 x 900 pixels, and b) The use of some of the next navigators: Microsoft Edge, Firefox, Chrome or Safari in its latest version

Analyzing the software assets, pipelines and tools provided by the user, it is possible and normal that by different technical reasons, it cannot all be analyzed. Users also have to notice that metrics and indicators obtained by the Service can oscillate depending on the configuration of the policies applied, the version and configuration of the scanner and detectors, or other circumstances.

If the number of issues found when scanning customer software assets, pipelines and tools exceed an important amount (i.e. 10.000), that could impact the overall Service quality, that specific scan can be cancelled, notifying Users. These limits also apply to the exportation of data from the platform in any form: CSV, Sarif, or future formats.

The Services may encounter restrictions, delays, and other issues typically associated with using communication networks and facilities.

10. Support and maintenance services

The Support and Maintenance Services provided by Xygeni include all those evolutive & corrective maintenance operations necessary for the appropriate execution of the Service.

In the case that the User detects any abnormality, problem, technical defaults, defects or failure concerning the functionality of the Service (Incidence), Xygeni commits disposure to the User of all necessary materials to proceed to the correction in the established periods in accordance to the incidence level.

The Support Service does not include the incidences or abnormalities resolution caused by incorrect use of the Service.

The procedure to report from the User to Xygeni and the service provision by this to the User will be provided through the Customer Support tool provided by the Service and by e-mail.

Technical support for attention and troubleshooting is provided Monday through Friday during working hours.

By correct maintenance reasons, the Service could be non-operative during the time necessary to update to a version that can resolve incidents. The unavailability time of the Service owing to maintenance processes will be conveniently notified to the Users with at least three hours advance notice, preferably through email. However, you understand that such notice may not be feasible in urgent situations. Maintenance windows will be excluded from the platform availability calculation. It will carry out during the timetable with less impact on the User operations.

11. Communication Licence

In case the User sends any type of information to Xygeni through the Web sites or the Service using the channels established to that end at the Web sites or the Service, the User declares, guarantees and accepts that has the right to do it freely, that such information doesn’t infringe any intellectual property rights, brands, patents, commercial secrets or any other third party rights, such information doesn’t have confidential character and that such information isn’t harmful to third parties.

The User assumes the responsibility and will keep Xygeni harmless of any communication made personally or on his/her behalf. This responsibility includes, without limitation, the accuracy, legality, originality and title of such information.

12. Responsibilities and guarantees

Xygeni cannot guarantee the reliability, utility or veracity of the Service or the information given through the Web site.

In consequence, Xygeni is not responsible for (i) the continuity of the contents of the Service; (ii) the error absence in such contents or products; (iii) the absence of viruses and/or the rest of harmful components in the Service or the Server that supplies it; (iv) the invulnerability of the Service and/or the impregnability of the security measures that are adopted from the same; (v) the lack of utility or performance of the contents and products of the Service; (vi) the damages that are caused, to itself or to a third person, any person that infringes the conditions, rules or instructions that Xygeni establishes on the Service or through the violation of the security Systems of the Service.

This nevertheless, Xygeni declares that has adopted all the necessary precautions, in the possibilities and the technology state, to (i) ensure the proper functioning of the Service and (ii) avoid the existence and transmission of viruses and other harmful components to the users.

If the User knew of the existence of any illicit content that is illegal, opposite to the laws or that could suppose a violation of the intellectual and/or industrial property rights will have to notify immediately to Xygeni so they can proceed to adopt the necessary matters.

The User agrees to the following limitations on Xygeni:

• Exemption from Certain Losses: We will not be held accountable for any loss you experience, including but not limited to profits, business operations, expected savings, goodwill, business opportunities, interruption of business activities, loss or corruption of data, or any special, indirect, or consequential damages that may arise under these Terms of Service.
• Limitation on Liability: Our total liability to you, whether in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution, or otherwise, in relation to the execution or planned execution of these Terms of Service will not exceed the larger of i) the total amount paid to us in the 6 month period before the claim arose.

Furthermore, given the nature of the Services, we are not responsible for any harm resulting from errors or omissions in any content or in any information, instructions, or scripts that you provide to us in relation to the Services or any action (or inaction) on our part at your direction.

Any warranties, conditions, representations, or other terms that are implied by statutory or common law concerning the Services, Documentation, Service Data, and the Platform we provide are wholly excluded, as far as the law allows.

13. Indemnity

The User agrees to protect, compensate, and absolve Xygeni of any responsibility against any claims, legal actions, proceedings, losses, damages, expenses, and costs (including but not limited to court costs and reasonable attorney fees) that arise from or are associated with your use of the Services, Documentation, or Platform in violation of these Terms of Use or any other agreements mentioned in them.

14. Links

14.1 Links to other Web pages

In the case of in the Web sites, the User could find links to other web pages through different buttons, links, banners, etc.; third parties would manage these. Xygeni doesn’t have faculty, human or technical resources to know, control, or approve all the information, contents, products or services given by other websites to those that can establish links from the Web site.

In consequence, Xygeni does not assume any type of responsibility by any aspect relative to the web page that could establish a link from the Web site, concretely, by way of example and not limitation over the functionality, access, details, information, files, quality and reliability on the products and services, their own links and/or any of their contents in general.

In this way, if the Users had effective knowledge of the illicit developed activities through these web pages of third parties, they would have to communicate immediately to Xygeni for the effects to proceed to disable the access link to the same.

Establishing any link from the Web sites to another unknown Web site will not involve any relation, collaboration or dependency between Xygeni and the responsible of the unknown Web site.

14.2 Links in other web pages with destination to the Web sites

If any User, entity or website wishes to establish any type of link with destination to the Web sites will have to abide by the below stipulations:

• The link can only be directed to the main page or home of the Web site, except with the express and written authorization from Xygeni.
• The link has to be complete and absolute. That is, it has to take the User through a click to the URL address of the Web sites and has to cover completely all the screen extension of the main page of the Web site.
• The page that establishes the link cannot be declared in any case that Xygeni has authorized this link unless Xygeni has done this expressively or by written. If the entity that carries out the link from their page to the Web sites correctly would wish to include it in the web page of the brand, name, commercial name, label, logo, slogan, or any other type of identificative elements of Xygeni and/or from the Web sites will have to count previously with the express and written authorization.
• Xygeni doesn’t authorize the establishment of a link to the Web sites from those web pages that have material, information or illicit containing illegal, degrading, obscene, and in general, that contravene the moral, the public order or the social rules generally accepted.
• Xygeni doesn’t have faculty or human resources and technology to know, control or approve all the information, contents, products or services facilitated by other websites with links established with destiny to the Web sites. Xygeni doesn’t assume any responsibility in any aspect relative to the external Web sites that establish the link with destiny to the Web sites, in concrete, example and is not restricted over the functionality, access, details, information, files, quality and reliability of the products and services, the own links and/or any of the contents, in general.

15. Usage Data Analysis

Scans and WebUI usage tools report back details such  as the tool version, other tools versions such as node or npm version, arguments and inputs to the Scanner and specifics about the actions’ duration, success or failure. We use this information for analysis and to enhance our Services. It provides Xygeni with insights into how the platform is utilised, guiding our product development choices.

Should you wish to opt out of this data collection, you may do so by contacting us.

16. Termination

You are at liberty to end these Terms of Use with us whenever you wish, for any reason. This can be done by requesting us to delete your account via an email to support@xygeni.io and discontinuing all usage of the Services, Documentation, and Service Data.

We reserve the right to terminate these Terms of Use with you instantly and without prior notice if you violate these Terms of Use in a significant or repeated manner, if the Services are discontinued, if we lose the privilege to provide you with the Services, or if the provision of the Services becomes illegal.

Upon termination:

• All rights and privileges that were granted to you under these Terms of Use, including the license as per rights on software supply chain assets, will become void.
• You are required to discontinue all activities permitted by these Terms of Use, including the use of Web sites, Services, Documentation, and Service Data.
• All fees that are due to us under these Terms of Use will become payable and will be billed immediately, irrespective of any other clause, and
• You are required to immediately uninstall, delete, or remove from all equipment and infrastructure in your possession or control, and either destroy all copies of any software that was used in the provision of the Services, including our scanner tool.

17. General

We hold the right to modify these Terms of Use at any point, as per our judgement. Any such alterations will come into effect 10 days after the updated Terms are published on the Site. Your ongoing site usage following this period signifies your acceptance of these changes.

We strive to maintain the utmost accuracy. However, we cannot guarantee that the content presented on the Web site is accurate, complete, dependable, up-to-date, or free of errors. We retain the right to modify the Content, or any portion of it, based on our sole discretion, without any obligation to provide prior or subsequent notice of such changes. Any usage of the content, or any part of it, is entirely at your own risk and responsibility.

The customer and Xygeni operate as independent entities. None of these Terms of Use provisions establishes a partnership, joint venture, agency, or employment relationship between you and Xygeni. It is imperative that you refrain from making or assuming any guarantees, representations, commitments, or obligations on behalf of Xygeni under any circumstances.

Privacy Policy

This Data Protection Policy is an integral part of the Terms of Use of the Service “Xygeni” (the “Service”) of Xygeni Security, S.L. (Xygeni), placed in the URL https://xygeni.io (the “Web site”) and any subdomains such as http://in.xygeni.io (the “Web UI”) and others, all of them owned by Xygeni Security, S.L. (Xygeni). Include cookies policy in accordance with the EU directive.

1. Personal character data protection

Pursuant to Organic Spanish Law 15/1999 of 13th of December, of Personal Character Data Protection, Xygeni communicates that:

• The personal data given by you through this Web sites belonging to Xygeni will be incorporated to Xygeni’s files duly registered at the Data Protection General Registry.
• The purpose of those files is to send promotional information through any way (correspondence, telephone, e-mail, mailing, o any other computer network) about the products and services of Xygeni and the Management of the Services offered through the Web sites.
• You guarantee that the details contributed are real, exact, complete and updated, being responsible for any harm, direct or indirect, any breach can cause that. In case the data disclosed belong to a third party, you guarantee that you have informed it about the contents of this document and that you have obtained authorization to provide this data to Xygeni to that end.
• When personal data are obtained through application forms, it’s necessary that you contribute at least those marked with an asterisk. If the necessary relevant data weren’t supplied, Xygeni could not accept and manage the Web sites Service or the consult made.
• In response to Xygeni’s aim to guarantee data security and confidentiality, the required security levels for personal data protection have been adopted, and the available technical measures have been installed to avoid loss, bad use, alteration, unauthorized access and theft of personal data given through the Web site. Xygeni acknowledges that it has not and will not acquire any intellectual or industrial property right over any information or data given by the client through the Web sites and acknowledges that the relevant laws and regulations might protect this information. Xygeni undertakes to keep confidential this information and not disclose it unless so obliged by the relevant competent Authorities or Courts.
• None of the data will be transferred, sold or rented out under no circumstances. Pursuant to Spanish Law 34/2002 of 11th of July of Society Services Information and Electronic Trade, you have the right to consult your data, cancel the subscription, or change your preferences at any time. To exercise this right, you can send a formal notice to this address: Xygeni Security, S.L. in Calle Pasion 4 2 planta, 47001, Valladolid (Spain), or email the following email address: info@xygeni.com.
• Per legal provisions, Xygeni is committed to fulfilling its obligation of personal data confidentiality and duty to protect them and will take the necessary measures to prevent alteration, loss or unauthorized access, given the current state of technology. We also inform you that we use services from other providers to store the information, but those are limited to storing it, and in any case, Xygeni will use it for any other purpose.

2. Use of Cookies

Xygeni could treat information about the visitors on the Web sites. Such as, this Web sites can use cookies and other usual invisible systems through those that can obtain information about the visit frequency of the most selected contents and geographic location, as with other details to optimize and improve the navigation on the Web site.

TYPES OF COOKIES

The Xygeni websites provide a detailed list and associated information of the specific cookies used and specifically ask for acceptance according to the RGPD requirements.

Other third-party cookies are installed on all visitors on other sites, even if they are not registered users in the correspondent platforms:

• Xygeni in Facebook. Cookies: datr, reg_fb_gate y reg_fb_ref. Their purpose is detailed on the Facebook cookie usage page.
• Xygeni in Twitter. Cookies: guest_id, __utma, __utmb, __utmc, __utmz, original_referer y _twitter_sess. Their purpose is detailed on the Twitter cookie usage page.

Xygeni understands that the navigation through the Web sites declares the acceptance for the pickup and treatment of such information. In any case, the navigators of common use contain security functions that permit the User to avoid using cookies and/or other pickup detail navigation systems at any point.

3. Company name and brand

Customers agree during the term of their Xygeni account to list their company name and brand on the Xygeni Web Sites.

4. Holder details

Holder: Xygeni Security, S.L. CIF: B09620287.

Registered address: CALLE PASION 4 2 PLANTA,47001 VALLADOLID.

Email Address: info@xygeni.com 

Registered details: Register office in Valladolid, Volume: 68 Folio: 86 Section: 2 Entry: 22000020

Security Policy

Xygeni uses some of the most advanced technology for Internet security available today. Secure Socket Layer (SSL) technology protects your information using encryption and authentication servers for both your equipment and data between the data centres, ensuring that data in transit is safe, secure and available only to registered users in your organization.

In addition to SSL encryption, your account/data are protected by a mandatory User ID and Password. Any password-protected Service areas can be accessed only with a valid password and additional (optional) MFA authentication mechanisms. Each password owner is responsible for keeping the password secret and confidential and for notifying Xygeni if the password may have been stolen or otherwise might be misused. For more information, please see our Terms of Use.

1. Data storage

Our servers are securely located in a state-of-the-art facility that Amazon, a premier hosting provider and advanced connectivity solutions, manages. Xygeni has chosen Amazon because of its reputation for quality service and support and its unparalleled reputation for reliably posting many of the internet’s most trafficked Web Systems.

2. User data persistence

Users can decide to delete their account anytime. When a customer account is deleted, all associated data is also deleted from the platform.

Deleting a customer account in the platform does not mean unsubscribing from periodical email marketing communications. Users can always unsubscribe from these communications directly by clicking the appropriate link in the received emails.

3. User data privacy

Xygeni adheres to a strict policy for ensuring the privacy of your personally identifiable information (such as full name, address, e-mail address, and/or other identifiable information). We will never share your information with third parties outside Xygeni unless you give express permission for us to do so or unless we are required to do so under applicable law. For more information, please see our Privacy Policy Statement.

4. Scanner and Sensor data persistence

Xygeni does not store code or other private information of the software artefacts, pipelines, or any other code or configuration. The only information transmitted to Xygeni is related to the security issue and meta information that enable its explanation and potential mitigation actions.

Xygeni Service follows these procedures:

• Normally, Xygeni findings and extracted meta information are uploaded by the scanner (on customer request) to the platform and stored there.
• Results of the scanner can remain local to the User’s equipment, although in that case, the User is completely and the only responsible for managing that information.
• Xygeni Sensor intercepts events in several SCM and CI/CD systems. It communicates them and its meta information to the platform, where it is analyzed to detect any anomaly or suspicious activity.

Xygeni implements the following scanner analyses and sensor persistence policy:

• An active account always has access to its data through the API, Web sites, and any other mechanism designed for that goal based on contracted licensing.
• The resultant details of the Service will be stored until 3 months after the subscription ends. They are removed automatically after this period.
• Scans Data removed by user requests will be irretrievably deleted.
• For trial accounts, all analyses and events are stored, and the above policies still apply.

A few special considerations (exceptions) to the code privacy behaviour are the following:

• The lines in which Xygeni Scanner had detected an issue will be kept as part of the analysis results to document the user where such security vulnerability has occurred. 
• In case of requested support, the Xygeni team could require access to the affected source file for debugging and product enhancement purposes until the resolution of the issue. In this case, the file is only used in development environments and will be erased after resolution.

5. Amazon Services

5.1. Data centre and equipment security

All perimeter doors require key card access and a matching biometric palm or fingerprint scan. Visitors are only allowed escorted access to the data centre and NOC as needed. All internal doors leading to the data centre also require an additional card scan for access. All customer equipment is located in locked cabinets or cages within the data centre.

5.2. People and Access

Amazon Support maintains an account on all hosted systems and applications for the purposes of maintenance and support. In some cases, selected Xygeni support engineers may also have access to hosted applications and data. Only employees with the highest clearance have access to application data and code. Authentication is done via individual passphrase-protected public keys rather than passwords, and the servers only accept incoming SSH connections from securitized gateways and the Xygeni virtual network (VPC) hosted in Amazon. Application data is only accessible with appropriate credentials, ensuring that there is no possibility of one customer having access to another customer’s data without explicit knowledge of their login information.

5.3. SAS70

In Addition to regular audits, including 3rd party application penetration testing, the Amazon facilities have undergone a successful SAS70 Type II audit. SAS70 certifies that a service organization has had an in-depth audit of its controls (including control objectives and control activities), which in the case of Amazon, relates to operational performance and security to safeguard customer data.

5. Backup

Database backups are performed daily for the Xygeni Service and maintained for at least seven days.