Exodos Labs Privacy Policy

Last Updated: Dec 04, 2025
Effective Date: Dec 04, 2025

This Privacy Policy explains how Exodos Labs, Inc., a Delaware corporation (“Exodos Labs”, “we”, “our”, “us”), collects, uses, discloses, and protects personal information when you:

  • Visit www.exodoslabs.com (the “Website”)

  • Use app.exodos.io (the “Platform”)

  • Access our APIs, integrations, CI/CD connectors, or developer tools

  • Interact with us through forms, emails, demos, analytics, support, or marketing activities.

We designed this policy to be clear and readable, while maintaining the depth required for GDPR, CCPA/CPRA, UK GDPR, and global privacy compliance.

If you do not agree with this Policy, please discontinue use of our Website and Platform.


1. Who We Are

Exodos Labs, Inc.
2261 Market Street, STE 22565
San Francisco, CA 94114
United States

We do not operate a German legal entity.

EU Representative (GDPR Article 27)

For individuals located in the European Union, Exodos Labs, Inc. has appointed the following EU Representative in accordance with Article 27 GDPR:

esb Rechtsanwälte GmbH
Schockenriedstraße 8A
70565 Stuttgart
Germany
Phone: 0711 4690580
https://www.kanzlei.de

EU data subjects and supervisory authorities may contact our EU Representative for matters related to GDPR compliance, data subject rights, and regulatory communication.

Data Protection Officer (DPO)

We do not currently have a DPO.
For privacy-related inquiries, contact:
dataprivacy@exodoslabs.com


2. What We Do

Exodos Labs provides a platform enabling organizations to:

  • Manage, store, share, and analyze Software Bill of Materials (SBOMs)

  • Automate compliance workflows (NTIA, EU CRA, FDA, DORA, etc.)

  • Integrate with CI/CD pipelines and APIs

  • Access AI-driven SBOM enhancement, vulnerability intelligence, and supplier scoring

  • Communicate securely with partners through a centralized hub

Some SBOMs may contain personal information (e.g., component authors).


3. What Personal Data We Collect

We collect personal information in three main categories:


3.1 Website Visitors (www.exodoslabs.com)

Information we collect automatically:

  • IP address and approximate location

  • Device, browser, OS, screen resolution

  • Page views, clicks, time on page

  • Cookie identifiers

  • Tracking identifiers (HubSpot, Hotjar, Google Analytics, Swan AI)

Information you provide to us:

  • Contact form data

  • Demo requests

  • Newsletter subscription

  • Gated content downloads

  • Marketing preferences


3.2 Platform Users (app.exodos.io)

Account & Authentication Data

  • Name

  • Email

  • Password (hashed)

  • Login timestamps

  • Social login identifiers (Google, Microsoft, GitHub)

  • Enterprise SSO metadata (OIDC, Entra ID, Okta)

Profile & Organization Data

  • Company name

  • Role

  • Organization members

  • API keys / tokens

SBOM, Inventory & Compliance Data

Includes structured and unstructured data such as:

  • Component metadata

  • Dependencies

  • Vulnerabilities

  • License data

  • Supplier information

  • Author names (if present in SBOMs)

  • Internal notes, comments, communication hub messages

Logs & Behavioral Events

We maintain immutable audit logs of:

  • Logins, API calls

  • SBOM uploads/updates

  • Data sharing events

  • Access control changes

  • CI/CD connections

  • User workflows

Retention: logs are kept indefinitely.


3.3 AI-Processing Data

We use AI models for:

  • SBOM enhancement

  • Vulnerability & license recommendations

  • Supplier scoring

  • Data quality checks

Third-party AI systems used:

  • LangSmith ecosystem

  • Google Gemini models

When processed, SBOM and related metadata may be shared with these services.

We do not use your data to train publicly available models.


4. How We Use Personal Data

We use your information to:

Provide and improve the Platform

  • Authenticate users

  • Process SBOMs

  • Deliver notifications

  • Enable CI/CD automation

  • Provide analytics, dashboards, and insights

Comply with regulations

  • EU CRA, NTIA, FDA, DORA, etc.

  • Maintain audit trails

  • Demonstrate supply chain transparency

Enhance SBOM quality and security

  • AI-powered augmentation

  • Threat intelligence mapping

  • Risk scoring

Communicate with you

  • Product updates

  • Incident notifications

  • Support responses

  • Contractual or billing information

Marketing & analytics

  • Lead scoring (HubSpot, Swan AI)

  • Visitor profiling

  • Campaign attribution


5. Legal Bases (for GDPR/UK GDPR)

We process personal data under:

  • Art. 6(1)(b) – Contract performance (Platform usage)

  • Art. 6(1)(f) – Legitimate interests (security, analytics, AI enhancement)

  • Art. 6(1)(a) – Consent (cookies, marketing)

  • Art. 6(1)(c) – Legal obligations (audit logs, compliance reporting)


6. Cookies, Tracking & Profiling

We use cookies and tracking technologies for:

  • Website analytics

  • Lead identification

  • Personalization

  • Security

  • Performance monitoring

Tools used:

  • Google Analytics (US)

  • HubSpot Analytics (US)

  • Hotjar (EU)

  • Swan AI

  • Cloudflare Cookies

  • Termly Cookie Banner

  • HubSpot Buyer Intent Profiling

Users may withdraw consent through the cookie banner.


7. How We Share Personal Data

We do not sell personal information.

We share data only with:

7.1 Service Providers (Processors)

Provider                   Purpose                               Region
Hetzner                    Hosting, compute, storage             Germany (Frankfurt)
Resend                     Email delivery                        US
Hotjar                     UX analytics                          EU
Google Analytics           Web analytics                         US
HubSpot                    CRM, support, analytics               US
Stripe                     Payments                              US
Coralogix                  Error monitoring                      EU datacenter
Swan AI                    Lead scoring & profiling              US
LangSmith + Google Gemini  AI processing of SBOM-related data    US

7.2 Platform Data Sharing

You may choose to share SBOMs or inventory items with:

  • Partners

  • Customers

  • Auditors

  • Regulators

  • Suppliers

This sharing is fully under your control via ABAC permissions.

We never share your SBOMs with third parties unless you instruct us.


8. International Data Transfers

We store all Platform data with Hetzner in Frankfurt; EU-only data residency is available on request.

Some processors (e.g., Google, HubSpot, Resend, Stripe, AI providers) may transfer data to the United States.

We rely on:

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions (where available)

  • Supplementary protections


9. Security

We apply industry-standard measures consistent with SaaS best practices:

  • TLS 1.2 encryption in transit

  • Kubernetes-integrated key management

  • Attribute-Based Access Control (ABAC)

  • Immutable audit trails

  • Logging and event monitoring

  • CI/CD security controls

  • Annual penetration testing

  • Incident response plan

Note: At this moment we do not provide encryption at rest.
This will be added as part of future SOC2/ISO27001 controls.


10. Data Retention

Data Category               Retention
SBOMs & Inventory Data      As long as your account remains active or legally required
Audit & activity logs       Retained indefinitely
Communication Hub messages  Retained indefinitely
API logs                    Retained indefinitely
Account information         Until deletion request
Backups                     30 days
Marketing & lead data       Until withdrawn or no longer needed

You may request erasure of personal data unless laws or audit requirements prevent deletion.


11. User Rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA), you may request:

  • Access to your data

  • Correction

  • Deletion

  • Restriction of processing

  • Objection to processing

  • Data portability

  • Opt-out of marketing

  • Right to know / right to request copies

  • Right to limit sensitive personal data

You cannot opt out of AI-based features, as they are core to the Platform’s functionality.
You also cannot download all platform data in bulk, except SBOMs and exports available via the interface.


12. Data of Children

Our services are not intended for children under 16, and we do not knowingly collect their data.


13. Breach Notification

If a data breach affects your personal information, we will notify you:

  • Proactively via email, and

  • By posting updates on our Website.


14. Third-Party Links

The Website may contain links to third-party sites or services. We are not responsible for their privacy practices.


15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect product updates, legal requirements, or operational changes.

If material changes occur, we will notify you via:

  • Email

  • Platform notifications

  • Website updates


16. Contact Us

For privacy inquiries, data requests, or GDPR/CCPA rights:

Exodos Labs, Inc.
dataprivacy@exodoslabs.com
2261 Market Street, STE 22565,
San Francisco, CA 94114, USA
