// Legal
Plain-language policies. No dark patterns.
Zyphor collects only the data necessary to deliver our services: contact details you submit, engagement scope and findings. We never sell, rent or share data with third parties for marketing. Engagement data is encrypted at rest (AES-256) and deleted 12 months after engagement closure unless retention is required by contract.
All engagements are governed by a mutually-signed Statement of Work. Findings, reports and proof-of-concept code remain the property of the client. Zyphor retains the right to publish anonymized methodology in research, with explicit prior consent for any client-identifying detail.
We sign mutual NDAs before any technical conversation. Standard clauses are non-disclosure (5 years), non-circumvent and IP assignment of deliverables. Custom NDAs accepted with reasonable redline.
External researchers can report vulnerabilities in Zyphor properties to security@zyphor.sec (PGP key on file). We commit to acknowledge within 48h, triage within 5 days, and remediate critical issues within 30 days. Safe-harbor applies to good-faith research within scope.
This site uses only strictly-necessary cookies for theme preference and session continuity. No analytics, no advertising, no third-party trackers.
