Privacy Policy

This Privacy Policy describes how OpsDevAI, Inc. ("OpsDevAI", "we", "us") processes personal data when you use our website, control plane, dashboards, command-line tools, APIs, and the autonomous edge platform (collectively, the "Service").

For workloads you deploy on the Service, OpsDevAI acts as a data processor. For account, billing, and security-operations data we collect directly, OpsDevAI acts as a data controller. The Data Processing Addendum (DPA) — incorporating the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum — governs all customer personal data we process on your behalf.

Account data: name, work email, organisation, role, hashed credentials, MFA factors, SSO/SAML claims, and audit identifiers.

Operational telemetry: cluster topology, pod placement, request rates, latency histograms, autoscaling decisions, container image digests, deploy events, and machine-generated audit trails. Telemetry is per-workload and never tied to end-user PII unless you explicitly tag it.

Security signals: source IP, ASN, WAF rule matches, mTLS identity, TPM attestation, anomaly scores, and threat-intel correlation events — retained for incident response and forensics.

Billing data: usage units (vCPU-hours, GB-egress, requests), Stripe customer ID and last-4 of the payment instrument. We never store full PAN, CVV, or bank credentials.

Support data: tickets, transcripts, and any artefacts you voluntarily attach. Sensitive payloads should be redacted before upload.

Operate, secure, and improve the Service — including incident response, fraud prevention, capacity forecasting, and feature reliability.

Train internal optimisation models (placement, autoscaling, retry budgets) strictly on aggregated, de-identified operational telemetry. We do not train foundation models on customer workload contents.

Send transactional notices (security alerts, billing, breach notification, scheduled maintenance). Marketing communications require opt-in and can be revoked from the dashboard.

Meet legal, tax, and audit obligations under GDPR, UK GDPR, CCPA/CPRA, and applicable export-control law.

Data in transit: TLS 1.3 with X25519/MLKEM hybrid key exchange across all external endpoints; mTLS via SPIFFE identities for every internal hop.

Data at rest: AES-256-GCM, envelope-encrypted with per-tenant keys held in an FIPS 140-3 Level 3 HSM. Enterprise plans support BYOK and Hold-Your-Own-Key (HYOK) with external KMS.

Access control: zero standing privilege. Just-in-time elevation requires hardware-bound WebAuthn + a peer-approved JIT request. Every privileged action is signed, logged, and replayed into an append-only ledger.

Customer workloads run in the regions you select. Control-plane metadata is replicated across five regions (us-east-1, us-west-2, eu-west-1, eu-central-1, ap-southeast-1) for sub-second failover.

Cross-border transfers rely on EU SCCs (Module 2 & 3), the UK IDTA, and Swiss FDPIC-recognised safeguards. Enterprise residency contracts pin all metadata to a single jurisdiction (EU-only, US-only, or single-region) on request.

Telemetry & metrics: 30 days hot, 13 months cold; configurable down to 24 hours on enterprise.

Audit logs: 7 years, write-once, hash-chained — designed for stringent audit requirements.

Account data: kept for the life of the account plus 90 days, then purged from primary stores and 30 days later from encrypted backups.

Deleted clusters: cryptographically shredded within 24 hours by destroying the per-tenant DEK.

Subject to GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA and equivalent regimes you may request access, correction, deletion, portability, restriction, or objection. Authenticated requests are fulfilled within 30 days at no charge.

Account owners can export and delete data self-serve from Console → Settings → Data. End users of your workloads should contact you (the data controller) first; we will assist within the limits of our processor role.

You may lodge a complaint with your supervisory authority. Our EU representative is Instant EU GDPR Representative Ltd (Dublin, IE); UK representative is GDPR Local Ltd (London, UK).

Email: contact@opsdevai.com

Postal: OpsDevAI · Chapainawabganj, Bangladesh