Privacy
This page describes what Secbuildon actually does, in plain language, based on its source code — not generic legal boilerplate. It has not yet been reviewed by a lawyer.
What the agent never reads
The agent running on your server is structurally prevented from opening:
/etc/shadow,/etc/gshadow, and other password-hash files- SSH private keys
.envfiles and~/.aws/credentials- process environment variables (
/proc/*/environ)
This is enforced in code (every file the agent opens goes through a single guarded function that refuses
these paths outright) and, when installed as a service, additionally enforced by the operating system itself
via a systemd sandbox setting (InaccessiblePaths=) — so even a compromised agent process cannot
read them.
What we do collect
When you install the agent and connect it to this website's backend, it periodically sends:
- Your server's hostname, OS, and the agent's version
- A heartbeat (uptime, last scan time, and a count of open findings by severity)
- A summary of each open security finding: which check found it, its severity, a title, and remediation advice
Findings summaries never include file contents, configuration values, or any of the raw evidence the agent collects locally to produce them — the data format used to send findings to this backend has no field capable of carrying that information in the first place.
If you run the agent with --local-only, none of the above is ever sent anywhere; the agent
scans, alerts, and keeps its findings entirely on your server.
Billing data
Payment processing is handled by Stripe. We store your email address, subscription plan, and Stripe's customer/subscription identifiers so we can correlate billing events back to your license — we do not store payment card details ourselves.
Questions
Contact support@secbuildon.example.