July 22, 2024

Privacy Policy

This Privacy Policy explains how OpsDuty AS (“OpsDuty”) collects, uses and protects your personal data in accordance with relevant data protection laws. For OpsDuty, the protection and confidentiality of your data is of the utmost importance. If you have any questions regarding privacy, please contact us at [email protected].

OpsDuty collects and uses your personal data strictly within the legal limits of the data protection law of the Kingdom of Norway, the EU General Data Protection Regulation no. 2016/679 and UK GDPR (collectively, the "GDPR") as incorporated in Norwegian law. Terms that we use in this document like "personal data", "processing", "data controller" and "data processor" shall have the meaning as defined therein.

We may modify this Privacy Policy at any time. All changes will be effective immediately upon posting to our website. Material changes will be conspicuously posted on our website or otherwise communicated to you. The latest version of the privacy policy is always accessible at https://www.opsduty.io/privacy.

1. Overview of personal data we collect

1.1 Account information and data you provide as a customer or user

In order to use the services offered by OpsDuty, you are required to register. This may include your name, email address, profile picture, company name, postal address and phone number. This data is required to create and administer a user account for you and to enable you to use the service.

This may also include billing information such as billing address and payment details if you decide to use OpsDuty services that are subject to a charge. Billing information is also processed by our payment processor. Payment details are never available to OpsDuty, but are only transmitted to and stored with our payment processor.

You may choose to sign up for our newsletter and service status updates provided via email. We will store your name and email address, and use this information to send you marketing communications. You may choose to unsubscribe from these email communications at any time by contacting us at [email protected]. We will also very occasionally send important service updates to all registered users via email.

OpsDuty is the data controller for the personal data of our service users according to relevant data protection law.

1.2 Data collected through the use of APIs

Customers can integrate with OpsDuty’s system through an Application Programming Interface (API) to use various features. OpsDuty by design does not determine what systems it may be configured to interoperate with, but typical examples of such systems are code monitoring and error tracking, infrastructure services, communication platforms and documentation tools. Which integrations to configure is the user's decision, and what personal data enters OpsDuty through the integrations is therefore out of our control.

This data may occasionally contain information that qualifies as personal data. In this context, OpsDuty is only a processor of data on behalf of the user and not the data controller. OpsDuty will only process and store this data within the framework of the provision of the service and our Agreement with you or the entity with which you are connected.

1.3 Contact and support

We collect information you provide to us when you send us a support request or otherwise communicate with us by email or through third-party social-media sites. This may include your name, email address, title, company, and any other information you provide in your request.

1.4 Information gathered through automatic data collection

When you access the services provided by OpsDuty via a browser, our apps, the Command Line Interface (CLI), or other means, certain data is automatically transmitted for technical reasons. This may include your IP address, date and time of access, browser type and version, operating system, URL of the website visited prior to ours, the pages you visited on our website, amount of data transmitted, and performance numbers such as latencies and caching. This data is collected for purposes of security, troubleshooting, and aggregate statistics, and is never associated with any particular individual.

Logged-in users will also transmit authentication information through cookies or headers to allow our systems to authenticate and authorize the request and make decisions based on the logged-in user. We store cookies to provide you with a wide range of functionalities. The cookies we use are described in the Cookie Policy on our website.

2. Legal basis and purpose of our processing

We process your data based on your consent, to uphold our legitimate interests in providing our services to you, or to comply with legal obligations. We only process your personal data to the extent that it is necessary for the performance, quality and development of our service or any other contractual obligations, subject to the aforementioned purposes.

Specifically, this includes, but is not limited to, providing our service to customers, handling requests from our customers, managing customer accounts, providing information about the service to customers, providing technical support, improving our website and apps, improving and developing our service, processing transactions, ensuring proper security of our service, general business purposes, understanding the use of our service, and enforcing our Terms of Service.

3. Third Parties/Service Providers We Share Personal Data With

We may share all categories of personal data listed above with the following categories of third parties and/or service providers:

Employees and Affiliates. We may share personal data with our employees and affiliates who have a need to know the information for our business purposes.

Third-party services. We may share personal data with third-party service providers that are needed for us to provide services to our customers. See Section 4 for more details.

Government Officials / Law Enforcement. We will cooperate with law enforcement and other governmental agencies, and may disclose personal data: (i) if we believe in good faith we are legally required to disclose that personal data, (ii) if we are advised to disclose personal data by our legal counsel, or (iii) when necessary to identify, contact or bring a legal action against someone who may cause or be causing harm to, or interfering with the legal rights of, OpsDuty or any other party.

Professional Advisors. We may share personal data with our professional advisors, such as our attorneys, accountants, financial advisors and business advisors, in their capacity as advisors to OpsDuty.

Other. We may share personal data with third parties and/or service providers when explicitly requested by or consented to by you, or for the purposes for which you disclosed the personal data to us as indicated at the time and point of the disclosure (or as was obvious at the time and point of disclosure).

4. Third party access to your data

OpsDuty uses third-party service providers as part of providing our services to you, who may process your personal data in cases where we are the data controller. In these cases, we only share the necessary information to enable them to carry out their tasks. Such external service providers are carefully selected in order to ensure your privacy and to fulfill our obligations under the GDPR and other applicable data protection laws. Service providers may only use the data for the purposes under the agreement entered into between OpsDuty and the service provider.

We use the following third-party services or processors:

  • Amazon Simple Email Service (SES): We leverage the capabilities of Amazon SES to efficiently manage the processing of emails both to and from our platform. For more info about security in Amazon SES, see https://docs.aws.amazon.com/ses/latest/dg/security.html.
  • Firebase: We integrate Firebase for the effective delivery of push messages to our mobile application. For more information, see Firebase’s privacy and security info at https://firebase.google.com/support/privacy.
  • Google Accounts: OpsDuty allows signup and login through Google Accounts, provided by Google. For more information, see Google’s Privacy Statement at https://www.google.com/intl/en/policies/privacy/.
  • Heroku: We use Heroku to host our services and store your data. Currently we use Heroku data centers located in the European Union. For more information regarding data processing at Heroku, please visit: https://www.salesforce.com/company/privacy/.
  • Slack: We have integrated with Slack to offer a bot that simplifies interactions with OpsDuty. In addition, we use Slack for internal communication to resolve support requests and develop our services. For information about privacy at Slack, see https://slack.com/trust/privacy/privacy-policy.
  • Stripe: We use Stripe for payments, analytics, and other business services. Stripe collects identifying information about the devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection. You can learn more about Stripe and read its privacy policy at https://stripe.com/privacy.
  • Twilio: We utilize Twilio for handling incoming calls and delivering voice and SMS notifications. For information about privacy at Twilio, see https://www.twilio.com/en-us/privacy.

Our accounts with third party services incorporate two-factor authentication (2FA) for enhanced security. Additionally, we uphold a least privilege scheme, ensuring that only users with a legitimate need to access the service possess the necessary credentials.

5. Data deletion

Your personal data will be deleted from our systems and third-party processors once it is no longer required for the purposes mentioned in this Privacy Policy, and in accordance with legal and regulatory requirements.

We will initiate the process of deleting or anonymizing your data within 30 days after all agreements between you and OpsDuty are terminated or if you send us a written request to delete your account. Your personal data will be removed from our systems without unreasonable delay, and at the latest within 90 days in production and within 180 days in backups, unless applicable legislation or legal process prevents us from doing so. To the extent that OpsDuty is legally obliged to archive data, such data will be blocked and will not be available for productive use.

6. Data location

OpsDuty is based in Norway and will primarily access your data from our regular place of business in Norway. Your personal data will primarily be stored on servers within the EU/EEA hosted by our subprocessor Heroku and its data centers in EU/EEA. Your data may be stored transiently or cached in any country in which Heroku or its agents maintain facilities.

We also employ certain third-party services outside of the EU (primarily in the US) to deliver our services, which may process personal data for which we are a controller. Under such circumstances, adequate safeguards for such transfer to third countries are in place, including data processing agreements compatible with EU standard clauses accepted by the European Commission.

7. Your rights

You are entitled, upon request, to disclosure regarding your personal data that we are storing or are otherwise processing. You are also entitled to have any incorrect personal data corrected and to have your personal data blocked or deleted. Under certain conditions, you have the right to object to processing of your personal data, and as far as the EU Regulation 2016/679 (GDPR) has entered into force you may ask to receive your personal data in a structured and commonly used format so that it can easily be transferred to you or another data controller you appoint (this is known as "data portability").

If you have any complaints regarding our processing of your personal data, we encourage you to contact us. Please address any requests in such matters to [email protected]. We also inform you that you are entitled by law to file a complaint with the Norwegian Data Protection Authority (https://www.datatilsynet.no/en).

8. Security

OpsDuty will implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data from accidental loss and from unauthorized access and use. Customer is responsible for properly configuring the Services in accordance with any documentation provided by OpsDuty. Customer must implement reasonable and appropriate measures designed to help secure its access to and use of the Services, and promptly notify OpsDuty if Customer believes any access credentials have been lost or an unauthorized third party has accessed the Services or Customer Data.

8.1 Access Controls

  • OpsDuty follows the principle of least privilege and restricts access to Personal Data to employees with a defined need-to-know or a role requiring such access.
  • OpsDuty maintains user access controls that address timely provisioning and de-provisioning of user accounts.

8.2 Change Management

  • Automatic generation and timely application of security patches.
  • OpsDuty manages a dedicated testing and development environment, distinct from the production environment.

8.3 Business Continuity

  • OpsDuty develops and implements backup and disaster recovery plans to mitigate service loss.

8.4 Data Security

  • Cloudflare acts as OpsDuty’s initial security layer, offering essential defense against diverse online threats, such as DDoS attacks, and efficiently managing our DNS and web traffic.
  • OpsDuty follows industry-standard security practices, employing secure cookies, CSRF (Cross-Site Request Forgery) protection, HSTS (HTTP Strict Transport Security), CORS (Cross-Origin Resource Sharing), and CSP (Content Security Policy) to enhance the safeguarding of sensitive data and reduce the risk of various web-based attacks.
  • Within the OpsDuty platform, data is consistently linked to specific organizations, ensuring that each organization exclusively accesses data relevant to its own operations. This approach maintains rigorous data segregation and confidentiality.