Privacy Policy

1. Who this policy applies to

This policy describes our handling of information for three audiences: customers (organizations that license the DataStun platform), customer end-users (people whose endpoints run a DataStun agent), and visitors to the marketing website at datastun.com. Where the rules differ between these audiences, we say so.

2. The core principle — customer metadata stays in your tenant

Customer metadata stays inside the customer’s tenant. The only data that crosses tenant boundaries is the verdict on a public object — an IP address, DNS name, or executable hash. Those identifiers describe infrastructure used by many organizations, and a verdict that helps one customer helps every customer asking the same question. The fact that you asked is not part of the verdict and is not shared.

This principle is the same one the Terms of Service § 10 describes from the ownership-and-licensing angle. Here we describe it from the privacy angle: what crosses, what does not, and why. The two documents say the same thing in different language; any apparent conflict is a drafting mistake — tell us at [email protected] and we will fix it.

Every other section of this policy refines that principle.

3. What we collect

Every category of data the platform observes, stores, or shares is enumerated on the What we collect page, with one entry per category that names the database table and the in-product surface where you can see it. That page is the receipt that backs every claim in this policy. At a high level:

a. From the agent on your endpoints

For each endpoint where you install the DataStun agent, the agent reports network connection metadata (IPs, ports, protocols, process names, file hashes, code-signing publishers, byte and timing counters), host inventory (OS, hardware, installed software, patch state, firewall and AV configuration, USB devices), and lifecycle / diagnostic events. We never read the contents of any communication; only its metadata. The agent has no inbound listening socket; it never accepts inbound connections.

b. From your users on the tenant platform (ten)

Email addresses, password hashes (Argon2id, never plaintext), OAuth identity references (for LinkedIn sign-in, when used), role assignments, session metadata (login times, IP, browser fingerprint hash), billing state, and support-ticket conversations. Support conversations are passed through a multi-pattern scrubber that strips PEM key blocks, vendor-specific API tokens (GitHub, Slack, AWS, Stripe, Anthropic and similar), key-value secret fields, database connection strings, HTTP authorization headers, credit cards (Luhn-validated), social security numbers, email addresses, and high-entropy unstructured strings before any text is written to disk; pre-scrub text is never persisted.

c. About public objects (rep)

For each unique IP address, file hash, and DNS name observed across all customers, the reputation system (rep) records a verdict that is keyed by the public object itself, not by the customer who first asked. See section 7.

d. From visitors to this marketing site

Standard server-log information (IP, browser, referring URL, requested path, timestamp) and a marketing-funnel A/B cookie when one is active. No third-party advertising or behavioral-tracking pixels.

4. How we use what we collect

We use the data we collect only to provide and improve the DataStun service. Specifically:

• To render the network-visibility, exposure-policy, blocklist, file-reputation, and SBOM features that are the product’s core function.
• To produce reputation verdicts on public objects (IPs, hashes, DNS names) that benefit every customer who asks about the same object.
• To authenticate users, agents, and API clients.
• To diagnose problems with the agent or platform when you contact support.
• To detect platform abuse (rate limits, broken installs, misconfigured tenants).
• To send transactional email (signup, password reset, verification, support replies).
• To fulfill legal obligations (subpoenas, court orders, applicable regulatory requirements).

We do not use customer data for advertising. We do not profile end-users for marketing. We do not share fleet data with other customers; we share only the verdicts on public objects under the conditions in section 7.

5. Lawful basis for processing

Where the General Data Protection Regulation (EU GDPR) or UK GDPR applies, our lawful bases for processing are:

• Contract. We process customer and end-user data because doing so is necessary to deliver the DataStun service the customer has subscribed to.
• Legitimate interest. We process security telemetry to detect threats to the customer and to the broader ecosystem, balanced against the data minimization built into the platform (hash-only file lookups, tenant-anonymous reputation cache, scrubbed support content, no payload capture).
• Legal obligation. We retain certain data where law requires us to.

For visitors to the marketing site, we rely on legitimate interest (basic server logging) and consent (any optional cookies once we add them).

6. Where your data lives

DataStun is three independent systems:

• Agent. Software running on your endpoints. Reads OS / network state and reports it to ten over an outbound HTTPS connection. The agent has no inbound listening socket and never accepts inbound connections.
• Ten. The tenant platform. Holds your identity, your fleet’s observations, your support tickets, your account state. This is the system your users log into.
• Rep. The reputation provider. Holds verdicts on public objects (IPs, hashes, DNS names) keyed by the object itself, not by who asked.

The default deployment is managed cloud: we operate ten and rep on infrastructure we manage in the United States. You can also self-host any subset of these components on your own cloud or on-premises infrastructure (see section 10).

7. The reputation boundary — what crosses, what does not

This section is the most consequential. Read it carefully. It mirrors the corresponding clause in the Terms of Service § 10; the two say the same thing in different language and any apparent conflict is a drafting mistake.

a. The schema enforces it

Rep’s authoritative caches (reputation.ip_cache, reputation.file_cache) contain no tenant identifier. There is no tenant_id column on those tables. Verdicts are computed for the public object and returned to every customer who asks about the same object.

b. The one exception is bounded

The only place any tenant trace exists on rep is the pending-lookup queue (reputation.pending_lookups, reputation.pending_file_lookups), where the first asker is recorded as an audit-trail field for accountability. That field is intentionally not used in the verdict computation and does not appear on the cached result. Once the verdict is written, the record carries no link back to your tenant.

c. What crosses ten → rep

• Destination IP from each outbound flow
• Source IP from each inbound flow
• SHA-256 hash of each observed executable
• SNI hostname when present in TLS metadata

d. What does NOT cross ten → rep

• Agent identifiers, hostnames, MAC addresses
• Your fleet’s SBOM rollups
• Host inventories
• Support tickets and conversations
• Account, user, or billing information
• Any other tenant-scoped record

e. External hash lookups are hash-only

When an external reputation lookup is needed for a file (because rep’s local mirrors lack coverage), we send only the SHA-256 hash. We never upload binaries to VirusTotal, MalwareBazaar, or any external service. A SHA-256 is a 32-byte fingerprint — sufficient to identify a file you already have, but cannot be reversed to the binary itself. See /glossary#hash-only-privacy.

8. Third parties we use

We use a small number of external services to operate the platform. Where any of them touch customer data, the touch is hash-only or otherwise minimized.

a. Used by rep, for reputation lookups

• VirusTotal. File-hash lookups (SHA-256). No file bytes leave our infrastructure.
• MalwareBazaar (abuse.ch). File-hash lookups and a periodic sample-metadata mirror. Hash-only egress.
• AbuseIPDB. IP-reputation enrichment lookups (IP only).
• ip-api.com. Geo / ASN / hosting / mobile-network classification for IPs (IP only).
• MaxMind GeoLite2. Local .mmdb file for offline geo lookups. No data leaves our infrastructure at query time.
• Anthropic (Claude API). AI assessment of public-IP reputation signals and AI triage of support tickets. The IP-assessment path receives only public metadata about the IP. The support-triage path receives the post-scrub message body after our secret-pattern scrubber has run.
• Spamhaus, IPsum, UT1 / Hagezi. Periodic bulk threat-feed mirrors. We pull lists from them; we do not send them customer data.

b. Used by ten, for operating the tenant platform

• Cloudflare. Edge network and tunnel in front of datastun.com and tenant.datastun.com. Cloudflare sees the same TLS-terminated requests our origin sees.
• SendGrid. Transactional email (signup, password reset, verification, support replies). Recipient email addresses and email body are processed.
• LinkedIn (OAuth). Used only when a user chooses to sign in with LinkedIn. We receive the provider’s opaque user ID and the email address the provider returns at link time; we do not retain access or refresh tokens long-term.

If you self-host any of these components on your own infrastructure, the corresponding third-party touch goes away. A self-hosted rep with external lookups disabled never contacts VirusTotal, MalwareBazaar, or AbuseIPDB. A self-hosted ten with self-served email never contacts SendGrid.

c. Sub-processors versus independent controllers

Cloudflare, SendGrid, and Anthropic act as our sub-processors where their processing is on our behalf. VirusTotal, MalwareBazaar, AbuseIPDB, ip-api.com, MaxMind, and the threat-feed sources are independent controllers we query — their use of the queries we send them is governed by their own terms; we send them only the minimum data the lookup requires (a hash, an IP, or nothing more than a request for a published list).

d. Payment processor

We have not integrated a payment processor yet. Billing today is simulated — entitlements are driven by customer-stated tier elections, not by real charges. When we integrate a payment processor (likely Stripe), we will update this policy in the same release and notify existing tenants in advance.

9. We do not sell or share your personal information

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. These statements use “sell” and “share” as those terms are defined under the California Consumer Privacy Act (CCPA / CPRA). We do not run advertising on this site, we do not exchange customer data for value, and we do not enable third parties to use our customer data for their own purposes.

Reputation verdicts on public objects (IPs, hashes, DNS names) are made available to all DataStun customers, but those verdicts are not your personal information and do not carry your identity — see section 7.

10. Data residency and self-hosting

Managed-cloud deployments today operate in the United States. International tenants are served from the US until we add other regions.

If your organization requires data to remain inside a specific jurisdiction or on infrastructure you control, you have two options:

• Self-host ten. Run the tenant platform on your own cloud or on-premises. Your fleet’s observations, account state, and support tickets stay on your infrastructure. You can still federate with our managed rep for reputation lookups, or run isolated.
• Self-host both ten and rep. Full data sovereignty. Nothing leaves your boundary unless you explicitly enable an external lookup path.

Open a self-hosting conversation through the in-product /privacy-settings page or by emailing [email protected].

11. Retention

Retention windows for managed-cloud customers are governed by your tier. The active values for your tenant are visible at the in-product /privacy-settings page. Defaults today:

• Network flow records: 30 days (Individual), 90 days (Tribe), 365 days (Business), configurable up to 7 years (Enterprise).
• Heartbeats, host inventory, connectivity probes: same as flow retention.
• Support tickets: 365 days after last activity, then archived for any applicable legal-hold period before deletion.
• Reputation cache (rep): 7-day TTL by default; refreshed on first access after expiry.
• Account records: retained for the life of the subscription; deleted within 30 days of tenant closure, except where retention is legally required.
• Security and access audit logs: 365 days.
• Marketing-site server logs: 30 days.
• Backups: rolling 30-day retention; deleted records age out of backups automatically over the retention window.

12. Your rights

Subject to applicable law, you have the rights described below. Many can be exercised directly from inside the product (see section 13); for the rest, email [email protected].

a. California (CCPA / CPRA)

• Right to know what personal information we collect, how, and why.
• Right to access a copy of the personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to delete your personal information, subject to statutory exceptions.
• Right to opt out of sale or sharing — we do not sell or share, as stated in section 9.
• Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the service.
• Right to non-discrimination for exercising any of the above.

b. Texas (TDPSA, effective July 2024)

• Right to confirm whether we are processing your personal data.
• Right to access, correct, delete, and obtain a portable copy.
• Right to opt out of targeted advertising, sale, or profiling — we do not target advertising, sell data, or profile users for advertising.
• Right to appeal a denied request — reply to our denial and we will reconsider; if the appeal is denied, you may contact the Texas Attorney General.
• We respond within 45 days, with a single 45-day extension where reasonably necessary.

c. Virginia, Colorado, Connecticut, Utah, and other US states

Residents of states with comprehensive consumer-privacy laws have rights substantially similar to those listed above: confirmation, access, correction, deletion, portability, and opt-out of sale / targeted advertising / certain profiling. We honor these rights regardless of which state law applies.

d. European Union and United Kingdom (GDPR / UK GDPR)

• Right of access to your personal data and information about how we process it.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure (the “right to be forgotten”) in the circumstances Article 17 provides.
• Right to restriction of processing.
• Right to data portability.
• Right to object to processing based on legitimate interest, including profiling.
• Right to withdraw consent where consent is the basis for processing.
• Right to lodge a complaint with your local supervisory authority.

For international transfers of EU or UK personal data to the United States, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as the transfer mechanism, supplemented by the technical and organizational measures described in section 16.

13. How to exercise your rights

Most rights are exercisable from inside the product:

• Open /privacy-settings on your tenant. The page shows live counts of what we hold and provides one-click paths for export and deletion.
• For visitors who do not have a tenant, email [email protected] with the request and we will respond within 30 days (or sooner where law requires it).

We may need to verify your identity before responding to a rights request — particularly for deletion requests, where a mistaken deletion is irreversible. We will not use the verification information for any other purpose.

If we deny your request, you may appeal by replying to our denial. We will respond to appeals within 45 days. For California and Texas residents, you may then contact the California Privacy Protection Agency or the Texas Attorney General, respectively.

14. Children

DataStun is a professional and business product. It is not directed to children, and we do not knowingly collect personal information from anyone under 18 years old. If you are under 18, do not create an account or use the service. If you believe a person under 18 has provided us personal information, email [email protected] and we will delete it.

15. International users and data transfers

DataStun is operated from the United States. By using the service from outside the US, you consent to the transfer and processing of your data in the United States, subject to the safeguards described in this policy.

For personal data transferred from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as applicable, as the transfer mechanism. We supplement those clauses with the technical and organizational measures in section 16.

16. Security

We use commercially reasonable technical and organizational measures to protect data in transit and at rest. No method of transmission or storage is fully secure; we cannot promise absolute security.

• TLS for all network communication between agents, ten, rep, and external services.
• Argon2id hashing for user passwords; never plaintext.
• Hashed bearer credentials for API and agent enrollment tokens; the plaintext is shown to the user once at creation and never persisted.
• Database access restricted to authenticated service principals; staff access is logged and limited to operational necessity.
• Defense-in-depth scrubbing of secrets in support tickets, agent error reports, and any other user-typed content.
• Tenant isolation enforced at the application layer; cross-tenant access requires explicit staff override and is audit-logged.

17. Cookies and Global Privacy Control

The marketing site (datastun.com) may set a session cookie for the marketing-funnel A/B framework when one is active. We do not use third-party advertising or behavioral-tracking cookies. We do not run cross-session analytics that link visitor identities.

The authenticated tenant platform (tenant.datastun.com) sets a session cookie strictly for authentication and a tenant-selection cookie for users with access to multiple tenants. Both are first-party, secure, and required for the product to function.

Global Privacy Control (GPC). We honor the GPC signal as an opt-out of sale and sharing. As noted in section 9, we do not sell or share personal information, so the practical effect of a GPC signal on this site is informational; we record receipt of the signal for transparency.

Do Not Track (DNT) headers do not have a settled meaning in current law, so we do not take a specific action on them; the GPC signal is the supported mechanism.

18. Data-breach notification

We will notify affected customers of any security incident that materially affects their data within 72 hours of confirmation, by email to the registered tenant owners and admins and by in-product notice. The notification will describe what happened, what data was affected, what we are doing about it, and what (if anything) you should do.

19. Changes to this policy

We will announce material changes to this policy in-product before they take effect. The version number above will increment and the effective date will be updated. For post-launch material changes, we will provide at least 30 days’ notice to production-tier customers, and any change that broadens what we collect or how we use it will be opt-in for existing tenants. The updated policy will be posted at this URL.

20. Contact

DataStun LLC
Attention: Privacy
Mailing address — to be added once registered-agent address is confirmed.
Email: [email protected]

For rights requests, we aim to respond within 30 days; for jurisdictions whose laws set a different timeline (e.g., Texas TDPSA at 45 days), we meet the statutory deadline.