Privacy Policy — SYEN Systems LLC

SYEN Systems LLC operates SYEN Comply, a cryptographic compliance and audit infrastructure product. This policy describes how we collect, use, store, and protect information in connection with our products and website.

We collect two categories of information.

Account and contact information: company name, name, email address, billing information, and communications you send us.

Event data: when you use the SYEN Comply API, your systems transmit event records containing metadata about AI decisions. This may include policy context, identity context, data lineage metadata, model execution context, guardrail results, human review context, and outcome context. Payload data within event records is encrypted using AES-256-GCM with your own AWS KMS or Azure Key Vault data encryption key before transmission. We do not hold your plaintext payload data at any time.

We also collect standard web analytics on syensystems.com including page visits, referral sources, and device type.

Account and contact information is used to manage your subscription, communicate with you about your account, process billing, and respond to support requests.

Event data is used solely to produce the cryptographic evidence chain your account subscribes to, including Ed25519 signing, SHA-256 chain maintenance, and RFC 3161 timestamp anchoring. We do not use your event data for analytics, advertising, model training, product improvement, or any secondary purpose.

Web analytics are used to understand how visitors use our site.

Event data is stored encrypted in AWS us-east-1 (Northern Virginia, United States) and Azure East US (Virginia, United States). All data remains within the United States unless you have a self-hosted Enterprise deployment, in which case data stays within your own infrastructure.

Your encryption key lives in your AWS KMS or Azure Key Vault. We cannot decrypt your payload data. Account information is stored in our managed database infrastructure in the same regions.

We use a limited number of sub-processors to deliver the service.

DigiCert: receives the Merkle root hash of your cryptographic chain daily for RFC 3161 trusted timestamp anchoring. No payload data is transmitted to DigiCert.

Amazon Web Services: provides cloud infrastructure, managed database, and KMS services.

Microsoft Azure: provides cloud infrastructure, container services, and Key Vault services.

Stripe: processes billing and payment information for direct subscriptions. AWS and Azure Marketplace handle billing for marketplace subscribers.

We do not sell your data to any third party.

We retain account information for the duration of your subscription and for a reasonable period after termination for legal and billing purposes.

Encrypted event data is retained after account termination to allow you to export your complete cryptographic evidence chain for regulatory and compliance purposes. Regulated institutions may be required to produce records from prior vendor relationships during examination cycles. You may request deletion of your data at any time by contacting privacy@syensystems.com. Revoking your KMS key renders all associated payload data permanently unreadable.

Depending on your location and applicable law, you may have the right to access, correct, delete, or restrict processing of your personal data. You may also request a copy of your data in a portable format.

To exercise any of these rights, contact privacy@syensystems.com. We will respond within 30 days.

If you are subject to the General Data Protection Regulation, SYEN Systems LLC acts as a data processor with respect to event data, processing it solely on your instructions as the data controller. We support your obligations under GDPR Articles 17 (right to erasure), 18 (right to restriction), and 20 (right to data portability).

Our lawful basis for processing account information is contract performance. Our lawful basis for processing event data is your instructions as data controller.

SYEN Comply is designed to support your compliance with EU AI Act Article 12 (automatic event logging) and Article 9 (risk management documentation). The architecture ensures that payload data containing personal data is never held in plaintext by SYEN, supporting your data minimization obligations under GDPR Article 5(1)(c) simultaneously with Article 12 logging obligations.

SYEN Comply supports HIPAA-regulated use cases. Payload data that may contain protected health information is encrypted with your own KMS key. We never access PHI. For customers requiring a Business Associate Agreement, contact privacy@syensystems.com.

We implement technical and organizational measures to protect your information including encryption at rest and in transit, customer-controlled KMS keys, network-level access controls via AWS VPC and Azure Virtual Network, and access logging on all system components.

SYEN Comply is an enterprise infrastructure product. We do not knowingly collect information from individuals under 16.

We will notify you of material changes to this policy by email to the address on your account at least 30 days before the change takes effect.

privacy@syensystems.com
SYEN Systems LLC
Brooklyn, New York