1. Data Controller
SREonCall ("we", "us", "our") is the data controller for personal data processed through the SREonCall platform. For questions regarding your data, contact our Data Protection Officer at dpo@sreoncall.com.
2. Personal Data We Collect
- Account data: name, email address, phone number, avatar, timezone
- Authentication data: hashed passwords, MFA secrets (encrypted at rest), session tokens
- Usage data: audit logs, IP addresses (anonymized), user agent strings
- Operational data: incidents, tickets, on-call schedules, runbook executions you create or are assigned to
- Communication data: messages sent through integrated channels (Slack, email)
- Telemetry data: metrics, logs, and traces sent to the observability stack (associated with your organization, not individual users)
3. Purposes & Legal Basis
| Purpose | Legal Basis |
|---|
| Provide the SREonCall platform | Contract performance |
| Authentication & security | Legitimate interest |
| Audit logging | Legitimate interest / Legal obligation |
| Email notifications | Contract performance / Consent |
| Status page subscriptions | Consent |
| Marketing communications | Consent |
| AI-assisted analysis | Contract performance |
4. Sub-Processors
- AWS SES (Amazon Web Services) — transactional email delivery
- Slack (Salesforce) — notification delivery via Slack integration
- Anthropic Claude — AI agent processing (data processed per query, not stored by Anthropic)
- Meilisearch — self-hosted search engine (no external data transfer)
- MinIO — self-hosted object storage (no external data transfer)
5. Data Retention
- Account data: retained while account is active; anonymized upon erasure request
- Audit logs: retained per tenant plan (default 90 days), automatically purged via TTL
- Webhook deliveries: 30 days
- Synthetic check results: 30 days
- AI agent executions: 90 days
- Observability data (metrics, logs, traces): 7 days (free tier)
6. Your Rights
Under GDPR (EU) and DPDP Act 2023 (India), you have the right to:
- Access your personal data (data export)
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability (export in machine-readable format)
- Withdraw consent at any time
- Nominate a representative (DPDP Section 12)
Exercise these rights from Settings > Privacy & Data in the app, or email dpo@sreoncall.com.
7. Cross-Border Transfers
The SREonCall platform is self-hosted on infrastructure located in India. Email delivery via AWS SES may involve transfer to AWS regions outside India. Such transfers are governed by AWS's data processing addendum and standard contractual clauses.
8. Security Measures
- Passwords hashed with bcrypt (12 rounds)
- MFA secrets encrypted at rest (AES-256-GCM)
- Multi-tenant isolation at database query level
- Role-based access control (RBAC)
- Session management with automatic expiry
- IP addresses anonymized in audit logs
9. Cookies
SREonCall uses only essential cookies required for authentication and session management. We do not use analytics, tracking, or advertising cookies.
10. Contact & Grievance Officer
Data Protection Officer / Grievance Officer (DPDP Act):
Email: dpo@sreoncall.com
Address: SREonCall, India