The policies are available only in English

Sithub Platform

Privacy Policy

1. INTRODUCTION AND PRINCIPLES

1.1 Purpose of this Policy

This Privacy Policy (hereinafter referred to as the "Policy") describes the principles and practices of data processing when using the Sithub platform. The Policy is an integral part of the Terms of Service and should be read in conjunction with them.

1.2 Privacy by Design Principle

Sithub is built on the architectural principle of data collection minimization. Privacy is not an additional feature—it is a fundamental characteristic of the system architecture.

1.3 Applicable Legislation

This Policy has been developed taking into account:

The Law of the Republic of Kazakhstan "On Personal Data and Their Protection"
The EU General Data Protection Regulation (GDPR)—for users from the European Union
Other applicable data protection regulations in the User's jurisdiction

1.4 Data Controller and Processor

For personal data processed in connection with subscriptions:

Data Controller: Silence AI
We determine the purposes and means of processing subscription information

For data processed on the Platform:

Data Controller: User (you control your code and development data)
Data Processor: Not applicable—we do not process your development data

2. ARCHITECTURAL PRIVACY GUARANTEES

2.1 Core Principle of Data Isolation

User source code is processed exclusively on the User's local infrastructure. The Sithub architecture is designed to prevent the transmission of source code to the Provider's servers.

2.2 Technical Implementation of Isolation

Repository Management:

Operates completely on your infrastructure
Contains no network data transmission functions for code
All repositories stored locally

Security Scanning:

Operates completely on your infrastructure
Vulnerability detection runs locally
Scan results remain on your servers
No code fragments transmitted externally

Update Service:

The only component that communicates with the Provider's servers
Transmits only the data specified in section 3.2
Downloads vulnerability databases to your infrastructure
The scanning module is isolated from network functions

2.3 What This Means in Practice

The Provider has no technical ability to access:

Source code stored on the Platform
Security scan results
Commit history and code changes
File names and project structure
Repository metadata

Important Clarification: This guarantee is valid provided Sithub is operated correctly in accordance with the technical documentation and in the absence of User actions to manually transmit data to external services.

3. INFORMATION WE COLLECT

3.1 Subscription Information (Required)

To provide services, we collect the following information:

Corporate Information:

Organization name (for corporate subscriptions)
Contact email for communication
Country of registration (for compliance with applicable laws)

License Information:

License key hash (irreversible cryptographic transformation)
Subscription activation date
Subscription expiration date
Subscription status (active/inactive/suspended)

Payment Information:

Payment details are processed by third-party payment processors
The Provider does not store complete bank card data
We store only information about the payment method type and the last four digits of the card

Legal Basis (for users from the EU): Performance of contract (GDPR, Article 6(1)(b))

3.2 Technical Data from Sithub (Automatic)

When verifying the license and requesting updates, Sithub transmits:

Authentication Data:

License key hash
Cryptographic session token (temporary)

Technical Metadata:

Request timestamp (date and time in UTC format)
Installed Sithub version (e.g., "2.1.3")
Installation identifier hash (irreversible transformation of unique ID)
IP address (automatically recorded by the server, used to prevent abuse)

Legal Basis: Legitimate interests of the Provider in preventing fraud and ensuring security (GDPR, Article 6(1)(f))

Retention Period: 90 days

3.3 Technical Telemetry (Optional)

If you explicitly consent, we may collect additional technical information to improve service quality:

Usage Information:

Frequency of update requests
Security update download statistics
Time of last successful update

Error Reports:

Stack traces without source code
Error messages
System environment information (OS, version, architecture)
System call logs (without user data)

Important: Error reports undergo automatic filtering to remove any code fragments or confidential data before transmission.

Legal Basis: Consent (GDPR, Article 6(1)(a)) - You can withdraw consent at any time in Sithub settings

3.4 Information We DO NOT Collect

We explicitly do not collect, process, or store:

Source Code:

Code in repositories
File contents
Code fragments
Comments in code

Analysis Results:

Security scan results
Discovered vulnerabilities in your code
Code quality reports

Development Metadata:

File and directory names
Project structure
Commit history
Commit messages
Branch information

User Information:

Developer names
Developer email addresses
Team structure
Access rights within the organization

Credentials:

Passwords
API keys
Access tokens
SSH keys
Certificates

4. PURPOSES AND LEGAL BASES FOR PROCESSING

4.1 Subscription Management

Purpose: Providing access to Sithub and updates

Processed Data: Subscription information, License status

Legal Basis: Performance of contract (GDPR, Article 6(1)(b)); For Kazakhstan: consent to personal data processing upon entering into a contract

Actions: Verification of license activity, Processing subscription renewals, Sending subscription status notifications, Providing access to security updates

4.2 Delivery of Security Updates

Purpose: Ensuring vulnerability databases are up-to-date

Processed Data: License key hash, Sithub version, Request timestamps

Legal Basis: Performance of contract (GDPR, Article 6(1)(b))

Actions: Authentication of update requests, Transmission of vulnerability databases, Transmission of security patches, Monitoring update service functionality

4.3 Service Quality Improvement

Purpose: Development and improvement of security databases

Processed Data: Technical telemetry (only if you have consented), Anonymous error reports

Legal Basis: Consent (GDPR, Article 6(1)(a))

Actions: Research of new threats and vulnerabilities, Improving vulnerability detection accuracy, Development of new security signatures, Fixing bugs in Sithub components

Information Sources: Results of threat analysis conducted by the Threat Hunters division of Silence AI. NOT your code.

4.4 Legal Compliance

Purpose: Fulfilling legal obligations

Processed Data: Subscription information, Payment records

Legal Basis: Legal obligation (GDPR, Article 6(1)(c)); For Kazakhstan: requirements of tax and accounting legislation

Actions: Storage of payment records (7 years—tax legislation requirement), Responses to court orders, Providing information to regulatory authorities (only with lawful basis), Fraud prevention

4.5 Abuse Prevention

Purpose: Protection against fraud and violations of Terms

Processed Data: Request IP addresses, Frequency of update requests, Usage patterns

Legal Basis: Legitimate interests (GDPR, Article 6(1)(f)) - Our legitimate interests: fraud prevention, protection against license abuse

Actions: Detection of suspicious activity, Blocking compromised licenses, Prevention of unauthorized distribution

5. DATA STORAGE AND SECURITY

5.1 Data Stored by the Provider

Only the following is stored on the Provider's servers:

Data Type	Location	Encryption	Retention Period
Subscription information	Republic of Kazakhstan	AES-256	Duration + 1 year
Payment records	Payment processor	PCI DSS compliant	7 years (legal requirement)
License key hashes	Republic of Kazakhstan	Bcrypt	Duration + 1 year
Request logs	Republic of Kazakhstan	TLS 1.3 in transit	90 days
Security databases	Republic of Kazakhstan (mirrors in EU)	Not required (public information)	Permanently (product)

5.2 Data Stored on User Infrastructure

Exclusively on your infrastructure:

All source code
Security scan results
Commit history
Repository metadata
User information and access rights
Downloaded vulnerability databases

Responsibility: The User independently ensures the storage, backup, and security of this data.

5.3 Technical Security Measures

The Provider applies the following measures to protect data stored on our servers:

Encryption:

At rest: AES-256 for databases with confidential information
In transit: TLS 1.3 (minimum TLS 1.2 not accepted)
Hashing: Bcrypt for license keys (irreversible transformation)

Access Control:

Multi-factor authentication for administrative access
Principle of least privilege for employees
Logging of all administrative actions
Regular access rights audit

Network Security:

Perimeter firewalls
Intrusion detection systems (IDS/IPS)
DDoS protection
Regular vulnerability scanning

Monitoring and Response:

24/7 security monitoring
Automatic alerts for suspicious activity
Incident response plan
Regular security drills

5.4 Security Audit

Annual independent security audit by a third-party firm
Regular penetration testing
Publication of summary reports (without disclosing vulnerabilities)

5.5 Incident Notification

In case of a security incident affecting your data:

User Notification: within 72 hours of discovery
Regulator Notification (for users from the EU): within 72 hours (GDPR requirement)
Kazakhstan Regulator Notification: in accordance with personal data legislation

6. DATA TRANSFER AND DISCLOSURE

6.1 Internal Use

Only Provider employees who need it to perform their duties have access to User data:

System administrators (for infrastructure maintenance)
Support service (for solving technical problems)
Accounting (for payment processing)

All employees sign confidentiality agreements.

6.2 Third-Party Data Processors

We use the following categories of third-party processors:

Payment Processors:

For processing subscription payments
PCI DSS compliant
Examples: Stripe, PayPal, Kaspi.kz (for clients from Kazakhstan)
Have their own privacy policies

Hosting Providers:

For hosting update servers
Location: Republic of Kazakhstan (main servers), EU (mirrors for EU clients)
Operate in accordance with Data Processing Agreements (DPA)

Monitoring and Security Services:

For ensuring infrastructure operability and security
Access limited to technical metadata (logs, metrics)
No access to subscription information

Important: All third-party processors:

Sign Data Processing Agreements (DPA)
Comply with the principle of access minimization
Do not use data for their own purposes

6.3 Transfers to Law Enforcement

We may disclose information to law enforcement or regulatory authorities:

When Required:

By court order
By subpoena
When there is a legal obligation under applicable law

Procedure:

Verification of request legality by legal department
Provision of only minimally necessary information
User notification (unless prohibited by court order)
Documentation of all requests for transparency report

What CANNOT Be Provided:

Source code (as we do not store it)
Scan results (as they are stored locally by the User)

6.5 What We NEVER Do

The Provider will never:

Sell User data to third parties
Rent data for marketing purposes
Monetize data beyond subscription payment
Transfer data to data brokers
Use data for targeted advertising

7. INTERNATIONAL DATA TRANSFERS

7.1 Server Location

Main Servers: Republic of Kazakhstan

7.2 Transfers from EU to Kazakhstan (for users from the EU)

Legal Basis for Transfer: The Provider uses Standard Contractual Clauses (SCC) approved by European Commission Decision 2021/914.

Additional Safeguards:

Data encryption in transit (TLS 1.3)
Data encryption at rest (AES-256)
Limited data access
Regular security audit

SCC Access:

Standard Contractual Clauses are available for review upon request
Send request to: info@silence.codes
SCC are automatically included in the Data Processing Agreement (DPA) for corporate clients from the EU

7.3 What Is Transferred Internationally

When used from outside Kazakhstan, the following is transferred:

Subscription information (for license management)
Requests to download security updates
Security databases (downloaded to you)

What Is NOT Transferred:

Source code (remains on your local infrastructure)
Scan results (processed locally)
Developer information (managed locally)

8. DATA SUBJECT RIGHTS

8.1 Applicability of Rights

The rights described in this section apply:

For all Users: basic rights in accordance with Kazakhstan legislation
For Users from the EU: extended rights in accordance with GDPR
For Users from other jurisdictions: rights in accordance with applicable legislation

8.2 Right of Access (GDPR, Article 15)

You have the right to obtain:

Confirmation of whether we process your personal data
A copy of your personal data
Information about processing purposes, data categories, recipients
Data retention period
Information about your rights

How to Exercise: Send a request to info@silence.codes. We will respond within 30 days (GDPR) or 15 days (Kazakhstan legislation). We will provide data in a structured, commonly used format (JSON or PDF).

8.3 Right to Rectification (GDPR, Article 16)

You have the right to correct inaccurate personal data: correction of contact information, update of organization name, correction of payment details.

8.4 Right to Erasure / "Right to be Forgotten" (GDPR, Article 17)

You have the right to request deletion of your personal data. Limitations: We cannot delete data if its storage is required by law (e.g., payment records—7 years) or necessary for contract performance (while subscription is active).

8.5 Right to Restriction of Processing (GDPR, Article 18)

You can request restriction of processing of your data while data accuracy is being verified, if processing is unlawful but you do not want deletion, or if data is needed by you for legal purposes.

8.6 Right to Data Portability (GDPR, Article 20)

You have the right to receive your data in a structured, machine-readable format (JSON, CSV, XML). Send a request to info@silence.codes specifying preferred format.

8.7 Right to Object (GDPR, Article 21)

You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate overriding legitimate grounds.

8.8 Right to Withdraw Consent (GDPR, Article 7(3))

If processing is based on consent, you can withdraw consent at any time. In Sithub settings: disable "Send telemetry" option or send a request to info@silence.codes.

8.9 Right to Lodge a Complaint with Supervisory Authority

For users from the EU: You have the right to lodge a complaint with the data protection supervisory authority of your country.

For users from Kazakhstan: You can contact the authorized body for the protection of personal data subjects' rights of the Republic of Kazakhstan.

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 Cookie Usage

The Provider uses a minimum number of cookies:

Strictly Necessary Cookies (do not require consent):

Session cookie for authentication in personal account
Cookie for saving language preferences
Security cookie (CSRF tokens)

Validity period: until end of session or 30 days

Analytics Cookies (require consent):

If enabled: basic website usage analytics (not Sithub platform)
We use our own solution (not Google Analytics)
Data is anonymized

9.3 No Tracking

We DO NOT use:

Social media trackers
Advertising trackers
Third-party trackers for profiling
Cross-site tracking systems

10. DATA RETENTION

10.1 Retention Periods

Data Type	Retention Period	Legal Basis
Subscription information	Duration + 1 year	Possible disputes, refunds
Payment records	7 years after transaction	Tax legislation of Kazakhstan, EU
License key hashes	Duration + 1 year	Abuse prevention
Update request logs	90 days	Technical support, security
Technical telemetry	1 year	Service improvement
Error reports	2 years	Bug fixing

10.2 Deletion After Expiration

Upon expiration of the retention period:

Data is automatically marked for deletion
Permanent deletion occurs within 30 days
Backup copies are overwritten within 90 days
Deletion logs are retained for audit

11. CHILDREN'S PRIVACY

11.1 Age Restrictions

Sithub is not intended for use by persons under 18 years of age. This is a professional development tool and corporate software. We do not knowingly collect data from persons under 18.

11.2 Exception: Use with Parental Consent

Persons aged 16-18 may use Sithub with written parental or legal guardian consent.

12. YOUR DATA PROTECTION RESPONSIBILITIES

12.1 User Responsibilities

The Provider ensures confidentiality at the architecture level. You are responsible for:

Infrastructure Security:

Proper firewall configuration
Access control to servers where Sithub is deployed
Regular operating system updates
Physical equipment security

Prevention of Manual Data Transmission:

Do not manually upload code to external cloud services
Do not copy repositories to publicly accessible services (GitHub, GitLab, etc.)
Train developers in secure work principles

User Management:

Control who has access to Sithub
Use strong passwords and multi-factor authentication
Promptly revoke access for terminated employees
Apply principle of least privilege

13. TRANSPARENCY REPORT

13.1 Commitment to Transparency

The Provider is committed to transparency regarding law enforcement requests, security incidents, and changes in data processing practices.

13.2 Security Incident Notification

In case of a data security breach:

User Notification: within 72 hours of discovery
Notification Content: Nature of incident, Affected data categories, Recommendations for Users
Notification Method: email + notification in Sithub interface

13.3 Disclosure of Law Enforcement Requests

The Provider will notify Users about law enforcement requests except when notification is prohibited by court order, with indication of request nature, and with provision of request copy (if permitted).

14. DATA PROCESSING AGREEMENT (DPA) FOR CORPORATE CLIENTS FROM THE EU

14.1 DPA Applicability

For corporate clients from the European Union who use Sithub to process personal data of their employees, the Provider provides a Data Processing Agreement (DPA).

14.2 DPA Content

The DPA includes:

EU Standard Contractual Clauses (SCC)
Description of subject matter and duration of processing
Nature and purposes of processing
Types of personal data
Categories of data subjects
Obligations and rights of controller and processor

14.3 DPA Request

To request a DPA: Send a request to info@silence.codes, specify your organization name and contact information. DPA will be provided within 5 business days.

15. CHANGES TO THE PRIVACY POLICY

15.1 Right to Change

The Provider reserves the right to change this Policy for changes in applicable legislation, development of Sithub functionality, improvement of User rights protection, or changes in data processing practices.

15.2 Change Notification

Material changes (affecting rights or changing processing practices) are notified via email 30 days before effective date, notification in Sithub interface, and publication on website with highlighted changes.

15.3 Consent to Changes

By continuing to use Sithub after changes take effect, you confirm agreement with the updated Policy. If you do not agree with the changes, you have the right to cease using Sithub with proportional refund upon cancellation within 14 days after notification of material changes.

16. CONTACT INFORMATION

Questions about privacy? Questions about this policy? Questions about what data we store?

Email: info@silence.codes

This Privacy Policy is designed to ensure transparency of our data processing practices and protection of your rights. Sithub is built on the principle of data collection minimization: we collect only information necessary to provide services and never access your source code.

Effective Date: January 13, 2026