Security Assurance
Version 1.1.73 | June 2026 | Customer-Facing
Executive Summary
Cerebion Rivet is a desktop application that runs entirely on your infrastructure. Your source code, binaries, certificates, and scan results never leave your machine. Cerebion LLC does not operate a cloud scanning service and does not receive, process, or store any of your intellectual property.
1. Architecture Overview
Your Machine (air-gappable)
┌──────────────────────────────────────────────┐
│ Cerebion Rivet UI (Electron + React) │
│ Cerebion Rivet Engine (FastAPI + Python) │
│ Scan history (local SQLite only) │
│ Your codebase / binaries / certificates │
└──────────────────────────────────────────────┘
│ HTTPS - license validation only
▼
Cerebion License Server
(account data only - no scan data) - Runs as a standard desktop application - no kernel drivers, no system services
- Does not require administrator/root privileges to install or run
- Does not intercept or monitor network traffic
- Does not modify your source code unless you explicitly apply an AI-generated fix
- AI features are optional and user-initiated - disabled by default until you provide your own API key
- 7-day offline license cache - air-gap deployments supported
2. Data Handling
What Stays on Your Machine (Always)
| Data | Location | Transmitted to Cerebion? |
|---|---|---|
| Source code files | Your filesystem | Never |
| Binaries scanned | Your filesystem | Never |
| TLS certificates analyzed | Your machine | Never |
| Scan findings and reports | Local SQLite DB | Never |
| Network scan results | Local SQLite DB | Never |
What Is Transmitted (License Validation Only)
| Data | Destination | Purpose | Frequency |
|---|---|---|---|
| License key | Cerebion License Server | Validate active license | On startup, then cached 7 days |
| Device fingerprint | Cerebion License Server | Enforce seat count | On startup |
| Account email | Cerebion License Server | Account identity | On login only |
Offline operation: Cerebion Rivet caches a valid license for 7 days. You can operate fully offline within that window with no connectivity to Cerebion servers.
AI Features (Optional - User Controlled)
All AI-powered features are entirely optional and off by default. No AI provider is contacted unless you configure an API key and explicitly trigger an AI action.
There are two AI data flows:
1. AI Fix Generation - When you request a code fix for a finding, the relevant code snippet is sent to your chosen AI provider.
2. AI Report Generation - When you select scan findings and request an AI-generated report, those findings (algorithm names, severity levels, file paths) are sent to your chosen AI provider.
In both cases:
- Your API key is stored locally in Electron's encrypted credential store - never transmitted to Cerebion
- Data is sent directly from your machine to your chosen provider; Cerebion never sees it
- Only the content you explicitly select is included - no full file contents or project-wide data
| Provider | Type | Data Leaves Machine? |
|---|---|---|
| Google Gemini | Cloud (your API key) | Yes - to Google only |
| Anthropic Claude | Cloud (your API key) | Yes - to Anthropic only |
| OpenAI GPT | Cloud (your API key) | Yes - to OpenAI only |
| Ollama / LM Studio | Local / on-premise | No - stays on your machine |
| Any OpenAI-compatible endpoint | Self-hosted / private cloud | Depends on your endpoint |
To use Cerebion Rivet with zero external AI calls: use a local provider or simply do not configure the AI feature. All rule-based scanning works fully without it.
3. Security Controls
3.1 Code Signing and Integrity
| Platform | Method | Certificate Authority |
|---|---|---|
| Windows | EV (Extended Validation) code signing | DigiCert |
| macOS | Apple notarization + Gatekeeper | Apple |
| Linux | SHA-256 checksums published | - |
3.2 Software Bill of Materials (SBOM)
A Software Bill of Materials in CycloneDX format is available for every release, listing all bundled dependencies with version numbers and licenses. Available on request: support@cerebion.com
Current version: 1.1.73 | Windows SBOM available now; Linux and macOS on request.
3.3 Dependency Vulnerability Management
All dependencies are audited before every release using pip-audit (Python) and npm audit (Node.js).
v1.1.73 audit results: Python: 0 known vulnerabilities in shipped code. Node.js: 0 vulnerabilities.
3.4 No Telemetry
Cerebion Rivet does not collect usage analytics, crash reports, feature usage statistics, or keystroke/clipboard data.
3.5 Local Storage Only
All scan data is stored in a local SQLite database:
- Windows:
%APPDATA%\CerebionRivet\ - macOS:
~/Library/Application Support/CerebionRivet/ - Linux:
~/.config/CerebionRivet/
You own this data. Uninstalling the application removes it.
4. Permissions and System Access
| Access | Why | Can Be Restricted? |
|---|---|---|
| Read files in selected project folder | Scan your source code | Yes - you select the folder |
| Read binary files you specify | Binary analysis | Yes - you select the file |
| Network: cerebion.com (443) | License validation | Blockable - 7-day offline cache |
| Network: AI provider (optional) | AI fix generation + AI report generation | Yes - don't enter API key |
| Local disk write (app data folder) | Store scan history | Standard app behavior |
Cerebion Rivet does not access: registry (beyond standard Electron entries), other processes, network traffic or packet capture, credential stores, files outside the folder you open, or camera/microphone/peripherals.
5. Infrastructure Security (License Server)
| Control | Implementation |
|---|---|
| Transport encryption | TLS 1.2+ enforced, no downgrade |
| Authentication | JWT tokens (short-lived) |
| Data at rest | PostgreSQL on EC2, localhost only - not internet-exposed |
| DDoS protection | AWS CloudFront WAF |
| AWS certifications | SOC 1/2/3, ISO 27001, PCI DSS Level 1 |
| Account data held | Email address, hashed password, license key, device fingerprint |
6. Cryptographic Standards
| Use Case | Algorithm | Standard |
|---|---|---|
| License authentication | JWT HS256 | RFC 7519 |
| Offline license signing | Ed25519 | RFC 8032 |
| Transport security | TLS 1.2 / 1.3 | RFC 8446 |
| Local credential storage | Electron safeStorage (AES) | Platform keychain |
| Password hashing (server) | bcrypt (cost 12) | - |
7. Vulnerability Disclosure
- Email: support@cerebion.com
- Response time: We acknowledge within 24 hours and provide a fix timeline within 48 hours
- Recognition: Security researchers are acknowledged in release notes (with permission)
- No legal action: We do not pursue legal action against good-faith security researchers
8. Compliance Posture
| Topic | Position |
|---|---|
| SOC 2 | Not applicable - Cerebion does not process or store customer scan data |
| PCI DSS | Not applicable - no payment data handled by Cerebion Rivet |
| GDPR | License server holds account email only - minimal PII, data deletion available on request |
| HIPAA | Cerebion Rivet does not handle PHI |
| FedRAMP | Not certified - contact us for federal deployment discussion |
| Air-gap deployment | Supported - 7-day offline license cache; enterprise air-gap licensing available on request |
9. Enterprise Deployment Guidance
Network Requirements
| Destination | Port | Purpose | Required? |
|---|---|---|---|
| license.cerebion.com | 443 | License validation | Yes (or 7-day offline) |
| api.anthropic.com | 443 | AI fixes (Claude) | No - optional |
| generativelanguage.googleapis.com | 443 | AI fixes (Gemini) | No - optional |
Recommended Security Controls
- Allowlist outbound connections to
license.cerebion.com:443only (if AI feature not used) - Deploy from official installer downloaded from cerebion.com - verify code signature before rollout
- Verify SBOM against your approved dependency list before enterprise deployment
- Disable AI fix feature in policy-restricted environments by not deploying AI API keys
Cerebion Rivet installs as a standard per-user or per-machine application and can be deployed via SCCM, Intune, Jamf, or Ansible. No special privileges required at runtime.
10. Contact
For security questions, vulnerability reports, SBOM requests, or enterprise deployment support: support@cerebion.com
Cerebion LLC | Sterling Heights, Michigan | cerebion.com
This document is provided for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. See your Cerebion License Agreement for binding terms.