# Data And Privacy
This is a private-beta policy summary, not a final legal privacy policy.
## What SecureObs Stores
| Category | Examples | Purpose |
|---|---|---|
| Tenant metadata | Tenant name, owner identity, subscription status | Account management |
| Membership | User identity and role | Authorization |
| Projects | Project name, build-gate policy, scanner settings | Product organization |
| Findings | Rule ID, severity, file path, line, scanner message, small snippets | Triage |
| Raw scanner payloads | Scanner-emitted finding JSON | Re-deriving fields and debugging |
| API key metadata | Hash, prefix, scope, expiry, last used | CI authentication |
| Audit logs | Suppression and access events | Accountability |
| Application logs | Route, status, latency, request metadata | Operations |
## What SecureObs Does Not Store
- Raw API keys.
- User passwords.
- Stripe payment instruments.
- Full repository contents from normal CI scans.
- Raw Terraform plan files from plan-mode graph analysis.
- Cloud credentials used by customer Terraform runs.
## Retention
Findings retention is tied to the tenant's subscription tier. Audit logs follow the same retention window. Application logs are retained separately for operations.
## Deletion

Deletion is manual during private beta. Contact privacy@secureobs.com from the tenant owner email and include the tenant ID. Full deletion removes the tenant, projects, findings, audit logs, API key rows, and suppression history.
## Subprocessors
- Microsoft Azure for hosting, database, secret storage, and telemetry.
- Microsoft Entra ID for authentication.
- Stripe for payment processing.
## Encryption

Traffic in transit uses HTTPS. Azure PostgreSQL and Azure Key Vault provide encryption at rest for stored service data and secrets, respectively.