Privacy Policy

Last updated: May 2026

Introduction

This Privacy Policy describes how viaGraph B.V. ("viaGraph", "we", "our", or "us"), a private limited company registered in the Netherlands, processes personal data in connection with our website at whisper.security, our customer console at console.whisper.security, and our Model Context Protocol server at mcp.whisper.security (the "MCP Server"). "Whisper Security" is the brand under which viaGraph offers these services.

For the purposes of the EU General Data Protection Regulation (GDPR), viaGraph is the data controller for the personal data described in this Policy. Our contact details are at the end of this Policy.

Information We Collect From You Directly

When you create a Whisper Security account, contact us, or use our services, we collect:

  • Account information from your sign-up provider (Clerk): your email address, first name, last name, and, where you authenticate via a third-party identity provider (e.g., Google, GitHub), the identifier returned by that provider.
  • Billing information collected by Stripe when you subscribe to a paid plan: your name, email, and payment method. Card details are submitted directly to Stripe and are not collected or stored by us.
  • Support request information when you contact us through the console or by email: the contents of your message, attachments you choose to share, your browser type and operating system, and your IP address.
  • Marketing-attribution identifiers captured at sign-up (such as Google Analytics client and session IDs), used to understand which marketing channels lead to new sign-ups.
  • Information you choose to provide by other means, such as by replying to a marketing email or filling in a form.

How the MCP Server Works

The MCP Server lets customers — directly or through AI assistants such as Claude Desktop, Claude.ai, Claude Code, Cursor, and VS Code Copilot — query our internet-infrastructure graph database using the Cypher query language.

Authentication is via OAuth 2.0 (using our identity provider, Clerk, with Dynamic Client Registration and PKCE-S256) or via a static API key issued from your Whisper Security account. A limited anonymous tier is also available without authentication, at significantly reduced rate limits, to enable evaluation and lightweight public use.

The MCP Server is read-only with respect to the underlying graph database: customers cannot create, modify, or delete graph data through it. The MCP Server also cannot read your AI assistant's chat history, memory, conversation summaries, system instructions, or any files you have uploaded to that assistant — the Model Context Protocol does not expose that information to MCP servers, and we have no need for it.

What Is in the Graph Database

The graph database aggregates publicly available internet-infrastructure data, including:

  • DNS records (A, AAAA, MX, NS, TXT, CNAME, DNSSEC, SPF), TLD and registrar relationships, and domain hierarchy;
  • BGP routing data, IP allocations, ASN ownership, and routing history;
  • WHOIS registration records, including registrant, administrative, technical, and abuse contact details;
  • TLS certificate metadata;
  • A web-link graph derived from the open Common Crawl dataset;
  • GeoIP location data licensed from MaxMind (GeoLite2);
  • Public threat-intelligence feeds, including (but not limited to) Spamhaus DROP/EDROP, abuse.ch (URLhaus, ThreatFox, MalwareBazaar, Feodo Tracker), FireHOL, AlienVault OTX, and Tor exit-node lists.

Personal data within the graph

The graph contains personal data about third parties — most notably the names, email addresses, postal addresses, and telephone numbers of individuals listed as registrants, administrative contacts, technical contacts, or abuse contacts in public WHOIS records. This data is not collected from you; it is sourced from publicly available registries and feed providers.

For this category of data, our legal basis under GDPR Article 6(1)(f) is legitimate interest — specifically, providing cybersecurity, threat-intelligence, and infrastructure-research capabilities to our customers. We have completed a balancing test that considered the public availability of the source data, the security purpose of the processing, and the absence of automated decision-making affecting the data subject. We provide the disclosures required by GDPR Article 14 in this section, and individuals may exercise their rights (including erasure or restriction) by contacting privacy@whisper.security.

We do not knowingly include payment data, government identifiers, or other special categories of personal data (Article 9) in the graph.

Data We Collect When You Use the MCP Server

For each request to the MCP Server, we record an audit log entry containing:

  • An identifier for the calling account (a Clerk user ID for OAuth requests, or a 24-character prefix of the API key for direct requests);
  • The HTTP method, request path, and timestamp;
  • Response status, execution time, and result size;
  • The Cypher query text and parameters submitted;
  • The client IP address and user-agent string;
  • The plan tier under which the request ran.

We log query content because:

  • it is shown back to you in your usage dashboard inside the console;
  • it is required to investigate incidents, debug failed queries, and detect abuse; and
  • it allows us to enforce per-plan rate limits and quotas accurately.

We do not use your queries, conversation history, or any other customer-supplied data to train Whisper-owned machine-learning models, and we do not sell this data.

Subprocessors

We engage the following third-party subprocessors. We will publish updates to this list at least 30 days before they take effect for existing customers.

  • Clerk, Inc. (US) — identity provider for sign-up, sign-in, OAuth 2.0, and account management. Data shared: email, name, authentication events, OAuth tokens.
  • Stripe Payments Europe Ltd. (IE) / Stripe, Inc. (US) — payment processing and subscription billing. Data shared: name, email, payment method, billing address.
  • Upstash, Inc. (EU) — authentication-state storage, rate-limit counters, OAuth refresh-token storage. Data shared: API-key records, user identifier, request counters, refresh tokens.
  • BetterStack (EU) — application observability, log storage, audit-log warehouse, error tracking. Data shared: operational logs, MCP-Server audit logs, error events (which may include IP and request metadata).
  • HubSpot, Inc. (US) — customer-relationship management. Data shared: email, name, account identifier, plan tier, aggregated usage counts.
  • Intercom Inc. (US/EU) — customer support and ticketing. Data shared: email, name, account identifier, support-ticket contents, browser metadata.
  • Vercel Inc. (US/EU) — hosting of the customer console and storage of support attachments. Data shared: console request metadata; support-ticket attachments you upload.
  • Google LLC (US) — marketing analytics (Google Analytics, Google Tag Manager). Data shared: pseudonymous device and session identifiers, page-view events.
  • Cloudflare, Inc. (US/EU) — edge proxy, TLS termination, DDoS protection. Data shared: request metadata, IP address.
  • MaxMind, Inc. (US) — GeoIP data licensor (no customer data is sent to MaxMind).

Where Your Data Is Processed

Our application servers are located within the European Union. The subprocessors listed above process data in the regions indicated alongside each entry. Where a subprocessor is established outside the European Economic Area, transfers are governed by the European Commission's Standard Contractual Clauses or another lawful transfer mechanism.

Data Security

We apply technical and organizational measures designed to protect personal data, including:

  • TLS encryption in transit on all customer-facing endpoints;
  • Encryption at rest in our managed-service subprocessors;
  • Restricted, audited access to operational systems for personnel with a need to know;
  • Authentication on all MCP Server endpoints other than the limited anonymous tier;
  • A vulnerability-disclosure channel published at /.well-known/security.txt and at security@whisper.security.

We log a 24-character prefix of API keys alongside audit records to identify which credential ran a given query; the remainder of the key is not stored in the audit record. No method of transmission over the Internet is fully secure, and we cannot guarantee absolute security.

Data Retention

We retain different categories of data for different lengths of time:

  • MCP Server audit logs and operational logs (request metadata and Cypher query text): 30 days in hot storage, after which records are permanently deleted from production systems. Aggregate counts derived from these logs may be retained for billing and product purposes.
  • Billing and usage aggregates (counts of queries, requests, and active users — no query content): 13 months, to support year-over-year reporting and tax-audit windows.
  • Account and identity data after account closure: 30 days, after which it is permanently deleted. During those 30 days you may request reactivation.
  • OAuth refresh tokens: 30 days, after which reauthentication is required.
  • Support-ticket records: retained for the lifetime of your account plus 12 months, to enable continuity of support.
  • Other personal information you provide outside the systems above: retained for as long as necessary to fulfill the purposes outlined in this Policy or as required by law, after which it is deleted or anonymized.

How We Use Your Information

We process the personal data described above to:

  • Provide, maintain, and improve our website, console, and MCP Server;
  • Authenticate requests and enforce per-plan rate limits and quotas;
  • Investigate incidents, abuse, and security events;
  • Reconcile billing and produce usage reports;
  • Send technical notices and support communications;
  • Send marketing communications (with your consent or where permitted by law);
  • Comply with legal obligations.

Your Rights

Depending on your location, you may have rights under the GDPR or other applicable laws, including:

  • The right of access to your personal data;
  • The right to rectification of inaccurate data;
  • The right to erasure ("right to be forgotten");
  • The right to restrict processing;
  • The right to data portability;
  • The right to object to processing.

You may exercise these rights, including with respect to personal data of third parties contained in the graph database, by contacting privacy@whisper.security. We will respond within the timelines required by applicable law (one month under the GDPR, extendable by two further months for complex requests).

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

Cookies

We use cookies and similar technologies on our website and console to authenticate you, remember your preferences, secure forms, and analyze usage. A separate Cookie Notice will describe the categories of cookies in use and the choices available to you.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date and, where appropriate, by direct notice. Where required by law, we will obtain your consent before changes take effect.

Contact Us

viaGraph B.V.

Keizersgracht 520 H, 1017 EK, Amsterdam, Netherlands

KVK: 95822429 — VAT: NL867322433B01

Privacy questions: privacy@whisper.security

Security disclosures: security@whisper.security

Cookies in Use

The table below is generated automatically by our consent management provider and lists every cookie set across whisper.security and console.whisper.security, the category each falls under, its purpose, and its expiry. You can change your consent at any time by clicking the cookie icon in the bottom-left of any page.