SYEN® Audit

1. Who We Are and Scope of This Policy

SYEN Systems LLC ("SYEN," "we," "us," "our") is a New York limited liability company that operates the SYEN Audit cryptographic audit trail platform ("Service"). Our registered address is in Brooklyn, New York.

This Privacy Policy describes how SYEN collects, uses, stores, discloses, and protects information in connection with: (a) the SYEN Audit Service accessed through the API at api.syensystems.com; (b) the SYEN Audit website at syensystems.com; and (c) any sales, support, or marketing interactions with SYEN.

This Privacy Policy applies to business customers, Authorized Users, and visitors. It does not apply to the content of customer audit logs or Customer Data submitted to the Service. Customer Data is governed by the Terms of Service and any applicable Data Processing Agreement entered into between SYEN and the Customer.

SYEN operates the Service as a business-to-business platform. We do not knowingly collect personal information from consumers or individuals for consumer purposes. Our Service is not directed to or intended for use by individuals acting in their personal capacity.

2. Information We Collect

2.1 Account and Registration Information. When a Customer registers for the Service or executes an Order Form, SYEN collects the following: company name and legal entity type; contact name, title, and work email address; billing address and payment information (processed by our payment processor, Stripe); AWS Marketplace or Azure Marketplace account identifiers; and subscription tier and contract details.

2.2 Audit and Event Data (Customer Data). Customers submit AI event logs, decision records, cryptographic attestation data, and related metadata to the Service through the API. This data is Customer Data. SYEN processes it solely to provide the Service and does not access, analyze, or use it for any other purpose without Customer's explicit written consent.

2.3 Usage and Technical Data. SYEN automatically collects technical information about how the Service is accessed and used, including: API request logs with timestamps, endpoint paths, and HTTP response codes; IP addresses and geolocation data derived from IP addresses; device type, operating system, and browser information for web interface access; error logs and diagnostic data; and feature usage patterns on an aggregated basis.

2.4 Communications Data. If you contact SYEN by email, through the contact form at syensystems.com/contact, or through support channels, SYEN retains records of those communications including the content of messages and any attachments.

2.5 Cookies and Tracking. The SYEN website uses cookies and similar tracking technologies to maintain session state, analyze traffic, and improve the user experience. You may disable cookies through your browser settings; however, certain features of the website may not function properly without them. SYEN does not use third-party advertising cookies or behavioral tracking across other websites.

3. How We Use Information

SYEN uses the information it collects for the following purposes:

3.1 Providing the Service. To provision, operate, maintain, and support the SYEN Audit platform; to authenticate Authorized Users; to process API requests; to generate and store cryptographic audit records; to perform RFC 3161 timestamping; and to deliver outputs and reporting to Customers.

3.2 Billing and Account Management. To process subscription payments through Stripe; to issue invoices; to manage subscription renewals and terminations; and to communicate billing-related notices required under the Terms of Service.

3.3 Security and Fraud Prevention. To monitor for unauthorized access, abuse, or security threats; to enforce our Terms of Service and Acceptable Use Policy; to protect the integrity of the cryptographic audit chain; and to comply with our security obligations under applicable law.

3.4 Service Improvement. To analyze aggregated, anonymized usage patterns to improve the Service; to identify and fix bugs; and to develop new features. SYEN does not use Customer Data for this purpose.

3.5 Legal Compliance. To comply with applicable laws, regulations, and legal process, including data breach notification obligations under applicable federal and state law.

3.6 Communications. To send service-related notices such as uptime alerts, security updates, and subscription renewal reminders; and to respond to support inquiries. SYEN does not send unsolicited marketing email without prior consent.

SYEN does not sell, rent, or trade personal information to third parties for their marketing purposes. SYEN does not use Customer Data for any purpose other than providing the Service.

4. Legal Basis for Processing

SYEN processes personal information on the following legal bases:

4.1 Contract Performance. Processing is necessary to perform our obligations under the Terms of Service, including provisioning accounts, processing payments, and providing technical support.

4.2 Legitimate Interests. Processing is necessary for SYEN's legitimate business interests, including security monitoring, fraud prevention, and service improvement, where those interests are not overridden by the rights and interests of the individuals whose data is processed.

4.3 Legal Obligation. Processing is necessary to comply with applicable law, including data breach notification requirements, tax obligations, and responses to valid legal process.

4.4 Consent. Where required by applicable law, SYEN will obtain consent before processing personal information for specific purposes, such as sending marketing communications.

5. Information Sharing and Disclosure

SYEN shares personal information only in the following circumstances:

5.1 Service Providers. SYEN uses the following sub-processors to operate the Service: Amazon Web Services (AWS), for cloud hosting, storage, compute, and key management in us-east-1; Stripe, for payment processing and billing; and DigiCert, for RFC 3161 timestamping of audit records. Each sub-processor is subject to contractual obligations to protect personal information and to use it only for the purposes for which it was shared.

5.2 Legal Requirements. SYEN may disclose information when required to do so by applicable law, regulation, court order, subpoena, or other valid legal process. SYEN will, to the extent permitted by law, provide prior written notice to affected Customers before complying with such requests, unless prohibited from doing so by law enforcement or court order.

5.3 Business Transfers. If SYEN is involved in a merger, acquisition, asset sale, or corporate reorganization, Customer information may be transferred to the acquiring entity as part of that transaction. SYEN will provide notice to affected Customers before any such transfer and will ensure that the acquiring entity agrees to honor this Privacy Policy or provide equivalent protections.

5.4 Protection of Rights. SYEN may disclose information when it reasonably believes such disclosure is necessary to enforce the Terms of Service, prevent fraud, protect the safety or security of any person, or protect SYEN's legal rights.

5.5 No Sale of Data. SYEN does not sell, license, or transfer personal information to third parties for their own marketing, advertising, or commercial purposes under any circumstances.

6. Data Security

6.1 Technical Safeguards. SYEN implements the following technical security measures to protect information stored in and transmitted through the Service: TLS 1.3 encryption for all data in transit; AES-256-GCM encryption for all Customer Data at rest; Ed25519 cryptographic signatures on all audit records; AWS KMS envelope encryption for all cryptographic key material; access controls enforcing least-privilege access for all SYEN personnel; and multi-factor authentication for all SYEN administrative accounts.

6.2 Organizational Safeguards. SYEN maintains internal policies restricting access to personal information and Customer Data to personnel who require it to perform their job functions. SYEN conducts periodic reviews of access controls and security configurations.

6.3 Limitations. No security system is impenetrable. While SYEN uses commercially reasonable measures to protect information, SYEN cannot guarantee that unauthorized parties will never be able to defeat those measures. Customers are responsible for maintaining the security of their own API credentials and access tokens.

6.4 Security Incidents. SYEN maintains an incident response program designed to detect, contain, and remediate security incidents. In the event of a confirmed security incident affecting Customer Data or personal information, SYEN will follow the notification procedures described in Section 8 of this Policy.

7. Data Retention

7.1 Customer Data. By default, Customer Data submitted to the Service is retained for seven (7) years from the date of submission to support regulatory audit requirements. Customers may configure a shorter retention period through the Service settings or by written request to privacy@syensystems.com. SYEN will not retain Customer Data beyond the configured retention period except as required by applicable law.

7.2 Account Information. SYEN retains account and billing information for the duration of the Customer's subscription and for a period of seven (7) years following termination, as required for tax, financial reporting, and legal compliance purposes.

7.3 Usage and Technical Data. API request logs and technical usage data are retained for ninety (90) days for security monitoring and debugging purposes, after which they are deleted or anonymized.

7.4 Communications. Records of support and sales communications are retained for three (3) years following the last interaction, or for the duration of the Customer's subscription if longer.

7.5 Post-Termination. Following termination of a Customer's subscription, SYEN will make Customer Data available for export for thirty (30) days. After that period, SYEN will delete or anonymize Customer Data in accordance with its data deletion procedures, except where retention is required by applicable law.

8. Data Breach Notification

8.1 Notification Commitment. In the event of a confirmed security breach that results in, or is reasonably likely to result in, unauthorized access to, disclosure of, or destruction of Customer Data or personal information, SYEN will notify affected Customers promptly and in no event later than seventy-two (72) hours after SYEN becomes aware of the breach.

8.2 Notification Content. Breach notifications will include, to the extent then known: a description of the nature of the breach; the categories and approximate volume of records affected; the likely consequences of the breach; the measures SYEN has taken or proposes to take to address the breach and mitigate its effects; and a contact at SYEN for further information.

8.3 Regulatory Notification. Where required by applicable law, SYEN will notify the appropriate regulatory authorities of security breaches in accordance with the applicable legal requirements. SYEN will cooperate with Customers in any regulatory notifications they are required to make as a result of a breach.

8.4 No Admission. A breach notification by SYEN does not constitute an admission of fault, negligence, or liability by SYEN.

9. Your Rights and Choices

9.1 Access and Correction. Customers and Authorized Users may request access to or correction of personal information held by SYEN by contacting privacy@syensystems.com. SYEN will respond to such requests within thirty (30) days.

9.2 Deletion. Customers may request deletion of their account information and Customer Data by contacting privacy@syensystems.com. Deletion requests will be processed within thirty (30) days, subject to SYEN's right to retain information as required by applicable law or the Terms of Service.

9.3 Portability. Customers may export Customer Data at any time through the Service's export functionality or by contacting support. Customer Data is available in standard JSON or CSV formats.

9.4 Objection to Processing. Where SYEN processes personal information based on legitimate interests, individuals may object to such processing by contacting privacy@syensystems.com. SYEN will consider and respond to such objections within thirty (30) days.

9.5 Marketing Communications. Customers may opt out of non-essential communications from SYEN by following the unsubscribe instructions in any marketing email or by contacting privacy@syensystems.com.

10. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), subject to certain exemptions. These rights include: the right to know what personal information SYEN collects, uses, and discloses; the right to request deletion of personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (SYEN does not sell or share personal information); and the right not to be discriminated against for exercising these rights.

Because SYEN operates as a business-to-business service and collects personal information primarily in the context of commercial transactions with other businesses, certain CCPA rights may be subject to exemptions applicable to business contact information and employee data. To exercise your California privacy rights, contact privacy@syensystems.com.

11. International Data Transfers

The SYEN Audit Service is hosted on AWS infrastructure located in the us-east-1 (Northern Virginia) region of the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States. The United States may have data protection laws that differ from those in your country of residence.

Where required by applicable law, SYEN will implement appropriate safeguards for international transfers of personal information, including Standard Contractual Clauses approved by the European Commission or other appropriate transfer mechanisms. If your organization requires a Data Processing Agreement for GDPR compliance or EU AI Act compliance, please contact legal@syensystems.com.

12. Children's Privacy

The SYEN Audit Service is designed for and directed to business entities and their employees. SYEN does not knowingly collect personal information from individuals under the age of 18. If SYEN becomes aware that it has inadvertently collected personal information from a minor, SYEN will take prompt steps to delete that information.

13. Third-Party Links

The SYEN website may contain links to third-party websites or services, including the AWS Marketplace and Azure Marketplace listings. SYEN is not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access through our website.

14. Limitation of Liability for Privacy Claims

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SYEN'S LIABILITY FOR ANY CLAIM ARISING OUT OF OR RELATED TO THIS PRIVACY POLICY OR THE PROCESSING OF PERSONAL INFORMATION IS LIMITED TO THE AMOUNTS SET FORTH IN THE LIMITATION OF LIABILITY PROVISION OF THE SYEN AUDIT TERMS OF SERVICE. SYEN IS NOT LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF ANY PRIVACY INCIDENT EXCEPT WHERE CAUSED BY SYEN'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT.

15. Updates to This Policy

SYEN may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the effective date at the top of this Policy and notify Customers by email or through the Service at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of any update constitutes acceptance of the updated Policy.

16. Contact

For questions, requests, or concerns about this Privacy Policy or SYEN's data practices, contact:

SYEN Systems LLC
Brooklyn, New York
privacy@syensystems.com
legal@syensystems.com

For security-related matters or to report a suspected security incident: security@syensystems.com