Last updated: 27 March 2026 · CanaryCue is a company registered in Ireland.
By accessing or using CanaryCue ("the Service"), you agree to be bound by these Terms. If you do not agree, do not use the Service.
CanaryCue provides access monitoring and insider risk alerting tools. By using the Service, you represent and warrant that:
You are solely responsible for ensuring that your use of the Service complies with all applicable laws and regulations in your jurisdiction, including data protection, employment, and computer misuse laws. CanaryCue provides the tooling; compliance with the legal framework for its deployment is entirely your responsibility. We strongly recommend obtaining independent legal advice before deploying monitoring assets in any employment context.
When a deployed canary asset is accessed, CanaryCue may collect and store some or all of the following telemetry depending on the canary type:
This data is stored securely and is accessible only to the account holder who deployed the asset. You, as the deploying customer, are the Data Controller for all personal data collected through your deployed canaries. See Section 6 (Data Processor Agreement) for the full controller/processor relationship.
You may not use the Service to:
This section constitutes a Data Processing Agreement ("DPA") between CanaryCue ("Processor") and the customer ("Controller") for the purposes of EU GDPR Article 28.
6.1 Roles. The customer is the Data Controller in respect of all personal data collected through canary assets they deploy. CanaryCue acts solely as a Data Processor, processing that data only on the documented instructions of the Controller (i.e. to store alert telemetry and route notifications as configured by the customer).
6.2 Controller obligations. The Controller is solely responsible for: (a) ensuring a lawful basis exists for deploying canaries and collecting the resulting data; (b) informing data subjects as required by applicable law; (c) responding to data subject rights requests; and (d) notifying the relevant supervisory authority of any personal data breach relating to canary-collected data.
6.3 Processor obligations. CanaryCue will: (a) process personal data only for the purposes of delivering the Service; (b) implement appropriate technical and organisational security measures; (c) not disclose canary-collected personal data to third parties except as required by law; (d) assist the Controller in meeting its obligations under applicable data protection law, to the extent reasonably practicable; and (e) delete or return personal data upon termination of the customer's account, subject to any legal retention obligations.
6.4 Sub-processors. CanaryCue uses the following sub-processors in the delivery of the Service: Amazon Web Services (cloud infrastructure, EU region), Supabase (database hosting), Postmark (email notifications), and Twilio (SMS notifications). By using the Service, the Controller consents to the engagement of these sub-processors on the basis that CanaryCue imposes equivalent data protection obligations on them.
6.5 Data transfers. CanaryCue stores canary alert data within the EU (AWS eu-west-1). Where any sub-processor operates outside the UK or EEA, appropriate transfer mechanisms (such as Standard Contractual Clauses) are in place.
CanaryCue may collect and retain anonymised, aggregated metadata derived from canary activity across the platform (for example: alert frequency distributions, canary type usage rates, and alert response times). This data:
Anonymisation is performed before any such data is retained for these purposes. This processing does not constitute processing of personal data under EU GDPR.
To the maximum extent permitted by law, CanaryCue and its operators shall not be liable for any direct, indirect, incidental, consequential, or punitive damages arising from your use of the Service or from any data collected through monitored assets. The Service is provided "as is" without warranties of any kind. CanaryCue is a tooling provider; it does not make any representations regarding the legal permissibility of monitoring activities conducted by its users.
No guarantee of detection. CanaryCue operates on a trigger-based model: alerts are generated only when a deployed canary asset is accessed. The Service does not monitor networks, endpoints, or systems continuously, and does not guarantee detection of any specific threat, attack, or unauthorised access event. An absence of alerts does not indicate an absence of compromise. CanaryCue makes no representation that use of the Service will prevent, limit, or reduce the impact of any security incident.
We reserve the right to suspend or terminate accounts where we have reasonable grounds to believe the Service is being used in violation of these Terms or applicable law.
We may update these Terms from time to time. Continued use of the Service after changes are posted constitutes acceptance of the revised Terms.
These Terms are governed by the laws of Ireland. Any disputes shall be subject to the exclusive jurisdiction of the courts of Ireland.
For questions about these Terms, contact us at info@canarycue.com.