Last updated: 19 April 2026
CanaryCue is a product of Context Risk Advisory Limited, a company registered in Ireland. References to "the Company", "we", or "us" in these Terms refer to Context Risk Advisory Limited.
By accessing or using CanaryCue ("the Service"), you enter into a binding agreement with Context Risk Advisory Limited. If you do not agree to these Terms, do not use the Service.
If you are using the Service on behalf of a business or other legal entity, you represent that you have the authority to bind that entity to these Terms, and references to "you" shall refer to that entity. You remain personally liable where you lack such authority.
MSP & Partner Use. Where the Service is provided to an end-client by an authorised Managed Service Provider (MSP), these Terms apply to the end-client as the Data Controller. The MSP is responsible for ensuring the end-client has accepted these Terms prior to deployment and remains jointly responsible for compliance with Section 2 (Authorised Use Only) in respect of any assets deployed on the end-client's behalf.
CanaryCue provides access monitoring and insider risk alerting tools. The Service is a specialised security tool intended for professional use. By using the Service, you represent and warrant that:
You are solely responsible for ensuring that your use of the Service complies with all applicable laws and regulations in your jurisdiction, including data protection, employment, and computer misuse laws. The Company provides the tooling; compliance with the legal framework for its deployment is entirely your responsibility. We strongly recommend obtaining independent legal advice before deploying monitoring assets in any employment context.
When a deployed canary asset is accessed, CanaryCue may collect and store some or all of the following telemetry depending on the canary type:
This data is stored securely and is accessible only to the account holder who deployed the asset. You, as the deploying customer, are the Data Controller for all personal data collected through your deployed canaries. See Section 6 for the full controller/processor relationship.
You may not use the Service to:
This section constitutes a Data Processing Agreement ("DPA") between Context Risk Advisory Limited ("Processor") and the customer ("Controller") for the purposes of EU GDPR Article 28.
6.1 Roles. The customer is the Data Controller in respect of all personal data collected through canary assets they deploy. The Company acts solely as a Data Processor, processing that data only on the documented instructions of the Controller.
6.2 Controller obligations. The Controller is solely responsible for: (a) ensuring a lawful basis exists for deploying canaries and collecting the resulting data; (b) informing data subjects as required by applicable law; (c) responding to data subject rights requests; and (d) notifying the relevant supervisory authority of any personal data breach relating to canary-collected data.
6.3 Processor obligations. The Company will: (a) process personal data only for the purposes of delivering the Service; (b) implement appropriate technical and organisational security measures; (c) not disclose canary-collected personal data to third parties except as required by law; (d) assist the Controller in meeting its obligations under applicable data protection law, to the extent reasonably practicable; and (e) delete or return personal data upon termination of the customer's account, subject to any legal retention obligations.
6.4 Sub-processors. The Company uses the following sub-processors: Amazon Web Services (cloud infrastructure, EU region — eu-west-1, Dublin), Supabase (database hosting), Postmark (email notifications), and Twilio (SMS notifications). By using the Service, the Controller consents to the engagement of these sub-processors on the basis that equivalent data protection obligations are imposed on them.
6.5 Data transfers. CanaryCue stores canary alert data within the EU (AWS eu-west-1, Dublin, Ireland). Where any sub-processor operates outside the EEA, appropriate transfer mechanisms (such as Standard Contractual Clauses) are in place.
The Company may collect and retain anonymised, aggregated metadata derived from canary activity across the platform (for example: alert frequency distributions, canary type usage rates, and alert response times). This data contains no personal data, cannot be used to identify any individual or customer, and is used solely to improve the Service and publish threat intelligence statistics. Anonymisation is performed before any such data is retained. This processing does not constitute processing of personal data under EU GDPR.
No guarantee of detection. CanaryCue operates on a trigger-based model: alerts are generated only when a deployed canary asset is accessed. The Service does not monitor networks, endpoints, or systems continuously, and does not guarantee detection of any specific threat, attack, or unauthorised access event. An absence of alerts does not indicate an absence of compromise.
Liability cap. To the maximum extent permitted by law, the Company's total aggregate liability to you for any claim — whether in contract, tort (including negligence), or otherwise — arising out of or in connection with the Service is limited to the greater of: (a) the total fees paid by you to the Company in the 12 months immediately preceding the event giving rise to the claim, or (b) €1,000.
Indirect loss. The Company shall not be liable for any indirect, consequential, incidental, or punitive damages, including but not limited to loss of data, loss of profits, business interruption, reputational harm, or costs arising from a security breach or ransom demand, even if the Company has been advised of the possibility of such damages.
Compliance support. While CanaryCue provides telemetry that may assist the Customer in meeting obligations under the EU NIS2 Directive or applicable cyber insurance requirements, the Customer acknowledges that use of the Service does not, of itself, guarantee legal or regulatory compliance. Customers should obtain independent legal or compliance advice regarding their specific obligations.
In accordance with EU Regulation 2024/2847 (Cyber Resilience Act), the Company maintains a documented vulnerability handling process.
We reserve the right to suspend or terminate accounts where we have reasonable grounds to believe the Service is being used in violation of these Terms or applicable law.
We may update these Terms from time to time. Material changes will be communicated by email to account holders. Continued use of the Service after changes are posted constitutes acceptance of the revised Terms.
These Terms are governed by the laws of Ireland. Any disputes shall be subject to the exclusive jurisdiction of the courts of Ireland.
General enquiries: info@contextrisk.ie
Security disclosures: security@contextrisk.ie