Privacy notice

Privacy Policy

This notice explains what data SBOM Total collects, why, how long we keep it, and the rights you have over it. It is written to be read, not to pad: clear, honest, no legalese.

Who we are

SBOM Total is operated by AC6. AC6 is the data controller for the personal data described here. If you have any question about this notice or want to exercise your rights, contact us at contact@ac6.fr.

What we collect

  • Account data. The username and email address you provide when you create an account.
  • SBOM files and scan results. The SBOM documents you upload and the analysis results produced from them.
  • API token metadata. For each token you create we store its name, prefix, creation date and last-used date. We never store the token secret itself: it is shown once at creation and cannot be recovered.
  • Basic security logs. Minimal operational data needed to protect the service, such as rate-limiting by IP address.

Why we use it

  • To provide the scanning service: parsing your SBOMs, running the analyses and returning results.
  • To send account email such as address verification and password reset, and the optional new-CVE watch notifications you choose to opt into.
  • To protect the service against abuse and keep it available, for example through rate limiting.

How long we keep it

  • Anonymous scans (run without an account) are deleted after about 30 days.
  • Scans saved to an account are kept until you delete them, or until you delete your account.
  • Login sessions and one-time tokens (such as verification and reset links) expire automatically.

Your rights

Under the GDPR you have rights over your personal data, and we have built them into the product:

  • Access and export. Use "Download my data" on your account page to get a copy of your data.
  • Deletion. Use "Delete account" to remove your account and the scans tied to it.
  • Correction. Update your email address from your account page.
  • You can also revoke API tokens and unwatch saved scans at any time.

Sharing

We do not sell personal data. To produce results, the contents of your SBOM (component names and versions) are checked against public vulnerability sources, namely OSV.dev, the CISA Known Exploited Vulnerabilities (KEV) catalog, and NVD-derived data. These checks are how the service identifies known vulnerabilities.

Cookies and storage

We use only essential browser storage. Your login session is kept in your browser's local storage so you stay signed in. There is no advertising and no third-party tracking.

Security

Passwords are stored hashed, never in plain text. You can enable optional two-factor authentication on your account. In production, traffic is protected with transport security (HTTPS).

Note

This page is informational and makes no certification or compliance guarantees. For the contractual terms of use, see the Terms (PDF). Ready to scan an SBOM?