Security Assurance

Version 1.1.73  |  June 2026  |  Customer-Facing

Download PDF

Executive Summary

Cerebion Rivet is a desktop application that runs entirely on your infrastructure. Your source code, binaries, certificates, and scan results never leave your machine. Cerebion LLC does not operate a cloud scanning service and does not receive, process, or store any of your intellectual property.

The only exception: if you choose to configure the optional AI features (fix recommendations and report generation), you supply your own API key and data is sent directly from your machine to your chosen AI provider (Anthropic, Google, or a self-hosted endpoint) - never to Cerebion. These features are off by default and require explicit configuration to enable.

1. Architecture Overview

Your Machine (air-gappable)
┌──────────────────────────────────────────────┐
│  Cerebion Rivet UI  (Electron + React)        │
│  Cerebion Rivet Engine  (FastAPI + Python)    │
│  Scan history  (local SQLite only)            │
│  Your codebase / binaries / certificates      │
└──────────────────────────────────────────────┘
         │  HTTPS - license validation only
         ▼
  Cerebion License Server
  (account data only - no scan data)
  • Runs as a standard desktop application - no kernel drivers, no system services
  • Does not require administrator/root privileges to install or run
  • Does not intercept or monitor network traffic
  • Does not modify your source code unless you explicitly apply an AI-generated fix
  • AI features are optional and user-initiated - disabled by default until you provide your own API key
  • 7-day offline license cache - air-gap deployments supported

2. Data Handling

What Stays on Your Machine (Always)

DataLocationTransmitted to Cerebion?
Source code filesYour filesystemNever
Binaries scannedYour filesystemNever
TLS certificates analyzedYour machineNever
Scan findings and reportsLocal SQLite DBNever
Network scan resultsLocal SQLite DBNever

What Is Transmitted (License Validation Only)

DataDestinationPurposeFrequency
License keyCerebion License ServerValidate active licenseOn startup, then cached 7 days
Device fingerprintCerebion License ServerEnforce seat countOn startup
Account emailCerebion License ServerAccount identityOn login only

Offline operation: Cerebion Rivet caches a valid license for 7 days. You can operate fully offline within that window with no connectivity to Cerebion servers.

AI Features (Optional - User Controlled)

All AI-powered features are entirely optional and off by default. No AI provider is contacted unless you configure an API key and explicitly trigger an AI action.

There are two AI data flows:

1. AI Fix Generation - When you request a code fix for a finding, the relevant code snippet is sent to your chosen AI provider.

2. AI Report Generation - When you select scan findings and request an AI-generated report, those findings (algorithm names, severity levels, file paths) are sent to your chosen AI provider.

In both cases:

  • Your API key is stored locally in Electron's encrypted credential store - never transmitted to Cerebion
  • Data is sent directly from your machine to your chosen provider; Cerebion never sees it
  • Only the content you explicitly select is included - no full file contents or project-wide data
ProviderTypeData Leaves Machine?
Google GeminiCloud (your API key)Yes - to Google only
Anthropic ClaudeCloud (your API key)Yes - to Anthropic only
OpenAI GPTCloud (your API key)Yes - to OpenAI only
Ollama / LM StudioLocal / on-premiseNo - stays on your machine
Any OpenAI-compatible endpointSelf-hosted / private cloudDepends on your endpoint

To use Cerebion Rivet with zero external AI calls: use a local provider or simply do not configure the AI feature. All rule-based scanning works fully without it.

3. Security Controls

3.1 Code Signing and Integrity

PlatformMethodCertificate Authority
WindowsEV (Extended Validation) code signingDigiCert
macOSApple notarization + GatekeeperApple
LinuxSHA-256 checksums published-

3.2 Software Bill of Materials (SBOM)

A Software Bill of Materials in CycloneDX format is available for every release, listing all bundled dependencies with version numbers and licenses. Available on request: support@cerebion.com

Current version: 1.1.73 | Windows SBOM available now; Linux and macOS on request.

3.3 Dependency Vulnerability Management

All dependencies are audited before every release using pip-audit (Python) and npm audit (Node.js).

v1.1.73 audit results: Python: 0 known vulnerabilities in shipped code. Node.js: 0 vulnerabilities.

3.4 No Telemetry

Cerebion Rivet does not collect usage analytics, crash reports, feature usage statistics, or keystroke/clipboard data.

3.5 Local Storage Only

All scan data is stored in a local SQLite database:

  • Windows: %APPDATA%\CerebionRivet\
  • macOS: ~/Library/Application Support/CerebionRivet/
  • Linux: ~/.config/CerebionRivet/

You own this data. Uninstalling the application removes it.

4. Permissions and System Access

AccessWhyCan Be Restricted?
Read files in selected project folderScan your source codeYes - you select the folder
Read binary files you specifyBinary analysisYes - you select the file
Network: cerebion.com (443)License validationBlockable - 7-day offline cache
Network: AI provider (optional)AI fix generation + AI report generationYes - don't enter API key
Local disk write (app data folder)Store scan historyStandard app behavior

Cerebion Rivet does not access: registry (beyond standard Electron entries), other processes, network traffic or packet capture, credential stores, files outside the folder you open, or camera/microphone/peripherals.

5. Infrastructure Security (License Server)

ControlImplementation
Transport encryptionTLS 1.2+ enforced, no downgrade
AuthenticationJWT tokens (short-lived)
Data at restPostgreSQL on EC2, localhost only - not internet-exposed
DDoS protectionAWS CloudFront WAF
AWS certificationsSOC 1/2/3, ISO 27001, PCI DSS Level 1
Account data heldEmail address, hashed password, license key, device fingerprint

6. Cryptographic Standards

Use CaseAlgorithmStandard
License authenticationJWT HS256RFC 7519
Offline license signingEd25519RFC 8032
Transport securityTLS 1.2 / 1.3RFC 8446
Local credential storageElectron safeStorage (AES)Platform keychain
Password hashing (server)bcrypt (cost 12)-

7. Vulnerability Disclosure

  • Email: support@cerebion.com
  • Response time: We acknowledge within 24 hours and provide a fix timeline within 48 hours
  • Recognition: Security researchers are acknowledged in release notes (with permission)
  • No legal action: We do not pursue legal action against good-faith security researchers

8. Compliance Posture

TopicPosition
SOC 2Not applicable - Cerebion does not process or store customer scan data
PCI DSSNot applicable - no payment data handled by Cerebion Rivet
GDPRLicense server holds account email only - minimal PII, data deletion available on request
HIPAACerebion Rivet does not handle PHI
FedRAMPNot certified - contact us for federal deployment discussion
Air-gap deploymentSupported - 7-day offline license cache; enterprise air-gap licensing available on request

9. Enterprise Deployment Guidance

Network Requirements

DestinationPortPurposeRequired?
license.cerebion.com443License validationYes (or 7-day offline)
api.anthropic.com443AI fixes (Claude)No - optional
generativelanguage.googleapis.com443AI fixes (Gemini)No - optional

Recommended Security Controls

  • Allowlist outbound connections to license.cerebion.com:443 only (if AI feature not used)
  • Deploy from official installer downloaded from cerebion.com - verify code signature before rollout
  • Verify SBOM against your approved dependency list before enterprise deployment
  • Disable AI fix feature in policy-restricted environments by not deploying AI API keys

Cerebion Rivet installs as a standard per-user or per-machine application and can be deployed via SCCM, Intune, Jamf, or Ansible. No special privileges required at runtime.

10. Contact

For security questions, vulnerability reports, SBOM requests, or enterprise deployment support: support@cerebion.com


Cerebion LLC  |  Sterling Heights, Michigan  |  cerebion.com
This document is provided for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. See your Cerebion License Agreement for binding terms.