Privacy Policy

1. Introduction

OpsFox, Inc. ("OpsFox," "we," "us," or "our") operates the OpsFox platform, including the Sentinel application security scanner and the Farsight observability platform (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our Services, or otherwise interact with us.

We are committed to protecting the privacy and security of our users. As a security company, we hold ourselves to the highest standard when it comes to handling your data. We encourage you to read this policy carefully to understand our practices.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our Services.

2. Information We Collect

2.1 Account Data

When you create an account or contact us, we may collect:

• Name and email address
• Organization name and role
• Phone number (if provided)
• Authentication credentials (hashed and salted; we never store plaintext passwords)
• Single sign-on (SSO) identifiers from third-party identity providers

2.2 Usage Data

We automatically collect certain information when you interact with our Services, including:

• IP address, browser type, and operating system
• Pages visited, features used, and actions taken within the platform
• Timestamps and session duration
• Referring URLs and search terms used to find our site
• Device identifiers and general geolocation data (country/region level)

2.3 Code Analysis Data

This section is critical to understanding how OpsFox handles your most sensitive assets.

When you use Sentinel to scan your codebase, our system performs analysis in a secure, ephemeral environment. OpsFox does not retain, store, or persist your source code after the analysis is complete. Your code is processed in memory within an isolated execution environment and is purged immediately upon scan completion. No copy of your source code is written to disk, logged, cached, or transmitted to any third party at any point during or after the analysis.

The only output retained from a scan is structured findings metadata, which includes:

• Vulnerability type, severity classification, and confidence score
• File path and line number references (not the code itself)
• Remediation guidance and CWE/CVE identifiers
• Dependency names and version numbers flagged by SCA scans
• Container image layer metadata (not image contents)

This zero-retention architecture is a foundational design principle of OpsFox, not an afterthought. We built Sentinel this way because we believe a security vendor should never become a liability to the organizations it protects.

2.4 Farsight Platform Data

When you use the Farsight observability platform, we process:

• Log and event data ingested from your connected infrastructure
• Alert configurations, escalation policies, and incident metadata
• Dashboard configurations and saved queries
• Integration tokens and webhook endpoints (encrypted at rest)

Farsight processes telemetry and event data according to retention policies you configure. You maintain full control over what data is ingested and how long it is retained within the platform.

2.5 Payment Data

We use third-party payment processors (such as Stripe) to handle billing. We do not directly collect or store full credit card numbers, bank account details, or other sensitive financial information. Our payment processors are PCI DSS Level 1 compliant. We may receive and store:

• Billing name and address
• Last four digits of a payment card
• Payment transaction identifiers and invoice history
• Subscription plan and billing cycle information

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and operate our Services — to run Sentinel scans, deliver Farsight dashboards, manage your account, and fulfill our contractual obligations
• Improve and develop our products — to analyze usage patterns (in aggregate and anonymized form), identify bugs, and build features that better serve our users
• Communicate with you — to send service notifications, security alerts, product updates, and respond to your support requests
• Process payments — to manage subscriptions, generate invoices, and handle billing inquiries
• Ensure security and prevent abuse — to detect and prevent fraudulent activity, unauthorized access, and violations of our Terms of Service
• Comply with legal obligations — to meet regulatory requirements, respond to lawful requests from public authorities, and enforce our legal rights
• Marketing and outreach — to send promotional communications, only where you have opted in or where permitted by applicable law, with an easy opt-out mechanism in every message

We do not use your code analysis findings to train machine learning models, build aggregate vulnerability databases, or for any purpose beyond delivering results to you. Your security posture is your business, not ours.

4. Legal Basis for Processing

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• Contract performance — processing necessary to provide the Services you have subscribed to, including account management, code analysis, and platform access
• Legitimate interests — processing necessary for our legitimate business interests, such as improving our products, ensuring platform security, and preventing fraud, provided these interests are not overridden by your rights
• Consent — where you have given explicit consent for specific processing activities, such as receiving marketing communications; you may withdraw consent at any time
• Legal obligation — processing necessary to comply with applicable laws, regulations, or court orders

5. Data Sharing and Third Parties

We do not sell your personal data. We share information only in the following limited circumstances:

Service Providers

We engage trusted third-party service providers who process data on our behalf to support our operations. These include cloud infrastructure providers, payment processors, email delivery services, and analytics platforms. All service providers are contractually bound to process data only as instructed by us and to maintain appropriate security measures.

Legal Requirements

We may disclose your information if required to do so by law, in response to a valid subpoena, court order, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website of any change in ownership or uses of your personal data.

With Your Consent

We may share your information with third parties when you have explicitly consented to such sharing, for example when you enable a third-party integration within the Farsight platform.

6. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Account data — retained for the duration of your account and for up to 30 days after account deletion to allow for recovery, after which it is permanently purged
• Source code — never retained; purged immediately upon scan completion as described in Section 2.3
• Scan findings metadata — retained for the duration of your subscription and for 90 days after account termination, unless you request earlier deletion
• Farsight event data — retained according to the retention policies you configure within the platform, with a maximum of 13 months unless a custom retention agreement is in place
• Usage and analytics data — retained in anonymized, aggregated form for up to 24 months for product improvement purposes
• Payment records — retained for as long as required by applicable tax and accounting regulations (typically 7 years)

When data is no longer required, it is securely deleted or anonymized using industry-standard methods.

7. Data Security

As a security company, we implement rigorous technical and organizational measures to protect your data:

• Encryption in transit — all data transmitted between your systems and OpsFox is encrypted using TLS 1.3
• Encryption at rest — all stored data is encrypted using AES-256 with keys managed through a dedicated key management service
• Ephemeral analysis environments — code analysis runs in isolated, short-lived containers that are destroyed after each scan, with no persistent storage
• SOC 2 Type II compliance — our security controls are independently audited on an annual basis
• Access controls — internal access to customer data follows the principle of least privilege, with mandatory multi-factor authentication and audit logging for all access
• Infrastructure security — our platform runs on hardened infrastructure with continuous vulnerability scanning, intrusion detection, and automated patch management
• Incident response — we maintain a documented incident response plan and will notify affected customers within 72 hours of confirming a data breach, in accordance with applicable regulations

While no system can guarantee absolute security, we continuously invest in our security posture and treat the protection of your data as a core business obligation.

8. Your Rights

Rights Under the GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete personal data
• Right to erasure — request deletion of your personal data, subject to legal retention requirements
• Right to restrict processing — request that we limit how we use your data in certain circumstances
• Right to data portability — receive your personal data in a structured, commonly used, machine-readable format
• Right to object — object to processing based on legitimate interests, including direct marketing
• Right to withdraw consent — withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of processing before withdrawal

You also have the right to lodge a complaint with your local data protection supervisory authority.

Rights Under the CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendments under the CPRA grant you the following rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to delete — request deletion of personal information we have collected from you
• Right to correct — request correction of inaccurate personal information
• Right to opt out of sale or sharing — OpsFox does not sell personal information and does not share personal information for cross-context behavioral advertising
• Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights

Exercising Your Rights

To exercise any of these rights, contact us at privacy@opsfox.com. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

9. International Data Transfers

OpsFox is headquartered in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The EU-U.S. Data Privacy Framework, where applicable
• Binding corporate rules or other legally recognized transfer mechanisms

You may request a copy of the safeguards we use for international transfers by contacting us at privacy@opsfox.com.

10. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as quickly as possible. If you believe that we may have collected information from a child, please contact us at privacy@opsfox.com.

11. Cookie Policy

We use cookies and similar tracking technologies to operate and improve our Services. Cookies are small data files stored on your device that help us recognize your browser and capture certain information.

Types of Cookies We Use

• Strictly necessary cookies — required for the operation of our Services, including authentication and session management; these cannot be disabled
• Analytics cookies — help us understand how visitors interact with our website so we can improve the user experience; these are anonymized and do not track individuals across other websites
• Preference cookies — remember your settings and preferences (such as language or dashboard layout) across sessions

We do not use advertising or cross-site tracking cookies. You can control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Services.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, or applicable law. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email or through a prominent notice within the platform at least 30 days before the changes take effect
• Where required by law, obtain your consent before applying changes that materially affect how we process your data

We encourage you to review this policy periodically. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@opsfox.com
• Data Protection Officer: dpo@opsfox.com
• Mailing address: OpsFox, Inc., Attn: Privacy Team, San Francisco, CA, United States

Our Data Protection Officer (DPO) oversees compliance with applicable data protection laws and serves as the primary point of contact for data protection authorities. For GDPR-related inquiries, please direct correspondence to dpo@opsfox.com.

We aim to respond to all inquiries within 10 business days.