This Privacy Policy describes how the DevSecOps Platform ("we", "us") collects, uses, discloses, and protects your personal information. By using the Service, you consent to the practices described in this policy.
Quick Summary
We collect account info (name, email, org), scan data you submit, and basic usage metrics.
We do not sell your data. We use it to operate the Service and improve security detection.
Data is stored on servers located in Europe (OVH, France) with encryption at rest and in transit.
You may request access, correction, or deletion of your data at any time.
1. Information We Collect
1.1 Account Information
Name, email address
Organization name and slug
Hashed password (via bcrypt)
Role and team membership
1.2 Scan Data
Repository URLs, branch names, commit hashes
Server hostnames, IP addresses, and agent telemetry (process list, ports, metrics)
Kubernetes cluster configurations (via agent)
Cloud account credentials (encrypted at rest with Fernet AES-128)
Scan results, findings, vulnerabilities, and remediation steps
1.3 Usage Information
Login timestamps and IP addresses
Features used, pages viewed, actions taken
Browser type, device type, and screen size
API request logs for debugging and abuse detection
1.4 Payment Information
Payments are processed by Razorpay and Stripe. We do not store credit card numbers. We store billing metadata (invoice IDs, subscription status, seat count) for accounting.
2. How We Use Your Information
To provide, maintain, and improve the Service
To process payments and manage subscriptions
To send transactional emails (verification, password reset, alerts, billing)
To detect, investigate, and prevent abuse or security incidents
To comply with legal obligations and enforce our Terms and AUP
To communicate product updates (you may opt out of non-essential emails)
We do NOT use your scan data to train machine-learning models for other customers.
3. How We Share Your Information
We share your information only with:
Service providers: Razorpay, Stripe (payments); Resend (email); Anthropic (AI remediation — findings only, not code).
Law enforcement: in response to valid legal requests (subpoenas, court orders), with notification to you where legally permitted.
Successors: in connection with a merger, acquisition, or sale of assets, subject to equivalent privacy protections.
We do not sell your personal data to advertisers or data brokers.
4. Data Retention
Active account data: retained while your account is active.
Scan findings: retained per your plan (Free: 30 days, Pro/Enterprise: configurable).
Deleted accounts: soft-deleted for 30 days for recovery, then permanently purged.
Backups: retained for up to 90 days for disaster recovery.
Audit logs: retained for 12 months for compliance.
5. Data Security
We implement technical and organizational safeguards including:
TLS 1.3 encryption for data in transit
Fernet AES-128 encryption for sensitive data at rest (cloud credentials, webhook secrets)
Bcrypt password hashing
HttpOnly, Secure session cookies with CSRF protection
Docker container isolation, non-root services
Rate limiting, SSRF protection, and input validation
No system is perfectly secure. In the event of a breach affecting your personal data, we will notify you and authorities within 72 hours as required by applicable law.
6. Your Rights
Depending on your jurisdiction, you have the right to:
Access: request a copy of your personal data
Rectification: correct inaccurate or incomplete data
Erasure: request deletion of your data (subject to legal retention obligations)
Portability: export your data in a machine-readable format
Objection: object to certain processing activities
7. Cookies
We use first-party session cookies for authentication and CSRF protection. We do not use third-party tracking cookies or advertising cookies. Analytics are performed on aggregated server logs, not cross-site tracking.
8. International Data Transfers
Our primary servers are located in France (OVH, EU-West). If you access the Service from outside the EU, your data will be transferred to and processed in the EU. Transfers are protected by Standard Contractual Clauses where applicable.
9. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete it.
10. Changes to this Policy
We may update this Privacy Policy periodically. Material changes will be notified via email or in-app notice at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the latest revision.