Privacy
Contents
Privacy
This privacy notice explains how Silverfish Software Ltd handles personal data in connection with the Silverfish Internal Developer Portal and its Dashboard.
1. Scope
This notice applies to personal data processed through:
- the Silverfish IDP scanner and the Dashboard,
- authentication and sign-in flows,
- support and operational monitoring,
- and the organisation, repository, component, and dependency metadata needed for the service to function.
2. Data controller
Unless stated otherwise for a specific deployment, Silverfish Software Ltd is the controller for personal data processed for operation of the hosted service.
If the product is deployed or operated for a customer in a way that changes those roles, the relevant customer documentation or contractual terms will describe that arrangement.
3. Personal data we process
Depending on how the service is used, the Silverfish IDP may process:
- GitHub account identifiers,
- GitHub username and profile image,
- email address,
- organisation and repository metadata,
- component and dependency metadata derived from repositories,
- operational and audit logs,
- and records of legal actions such as acceptance of the Terms of Service.
The Silverfish IDP is designed to minimise the amount of personal data processed and to avoid collecting data that is not needed for operation of the service.
4. Why we process personal data
The Silverfish IDP processes personal data in order to:
- authenticate users,
- create and manage user accounts and default workspaces,
- connect organisations and repositories,
- provide repository, component, and hierarchy views,
- communicate important service messages,
- maintain service security,
- and keep records of legal and operational events such as acceptance of terms.
5. Lawful bases
Where UK GDPR or GDPR applies, Silverfish Software Ltd processes personal data on one or more of the following bases, depending on the context:
- performance of a contract,
- compliance with a legal obligation,
- legitimate interests in operating, securing, and improving the service,
- or consent where consent is specifically requested.
6. Retention
Personal data is retained only for as long as reasonably necessary for:
- operation of the service,
- security and fraud prevention,
- legal compliance,
- dispute handling,
- and legitimate business record-keeping.
Retention periods may vary depending on the type of data and the deployment model.
7. Security
Silverfish Software Ltd aims to protect personal data using appropriate technical and organisational measures, including:
- authenticated access controls,
- encrypted transport where supported,
- audit and operational logging,
- least-privilege access where practical,
- and secure hosting and secret-management practices.
No internet-based system can guarantee absolute security.
8. GDPR and UK GDPR
The Silverfish IDP is intended to be designed and operated in a manner consistent with the principles of GDPR and UK GDPR, including:
- lawfulness, fairness, and transparency,
- purpose limitation,
- data minimisation,
- accuracy,
- storage limitation,
- integrity and confidentiality,
- and accountability.
Compliance also depends on how the product is configured, deployed, and used by the organisation operating it.
9. International transfers
Where personal data is transferred outside the UK or EEA, Silverfish Software Ltd intends to use appropriate safeguards where required by applicable law.
10. Your rights
Where GDPR or UK GDPR applies, data subjects may have rights including:
- access,
- rectification,
- erasure,
- restriction,
- objection,
- data portability,
- and the right to complain to a supervisory authority.
Those rights are subject to applicable legal limits and exemptions.
11. Contact
Questions about privacy or data protection should be directed through the Support page.
12. Updates to this notice
This privacy notice may be updated from time to time to reflect product, legal, or operational changes.