Privacy Policy and GDPR.

suriq.io ("Suriq", "we", "us", or "our") operates the Suriq platform - an autonomous infrastructure-defense and monitoring service delivered through our web console and connected workers. This policy explains how we act as a data controller for the personal data we collect about visitors, account holders, and the people who use our service.

We are incorporated in Israel and process personal data in accordance with Israeli privacy law. Where we handle the data of individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we also align our practices with the EU and UK General Data Protection Regulation (GDPR). For much of the technical data our customers route through Suriq, we act as a data processor on their behalf, under the terms of our customer agreement.

If you have any question about this policy or the way we handle your information, contact us at [email protected].

We keep data collection to what the service genuinely needs. Depending on how you interact with us, that may include:

Account and identity data

When you register, sign in, or are invited to a team, we process your name, email address, profile picture, language and timezone preferences, team and role assignments, and - if you enable it - multi-factor authentication details. Sign-in is handled through our identity provider, and we store the identifiers it returns to us.

Authentication and session data

To keep your session secure we record session identifiers, anti-forgery (CSRF) tokens, device verification records for two-factor sign-in, and the IP address associated with your activity.

Activity and audit records

We log meaningful actions taken inside the console - sign-ins and sign-outs, configuration changes, and the creation, update, or removal of monitors, alerts, integrations, and team members - together with the time and the IP address of the person who performed them. These records exist to keep your account safe and to give your administrators an accurate trail.

Operational telemetry you route through Suriq

The platform processes the infrastructure data you ask it to watch: uptime, SSL/TLS, DNS, BGP, and reachability check results; domain and certificate history; cloud snapshot metadata and schedules (CloudSnap); and security events and findings from connected agents. This data is largely technical, but it can include personal data where you choose to monitor it.

Credentials for connected services

When you connect a cloud provider, notification channel, or other integration, we store the credentials needed to operate it. These are encrypted before storage or held in a dedicated secrets vault, and are used only to perform the actions you have configured.

Assistant interactions

If you use the in-product assistant, we process your prompts, the responses generated, and limited usage information so the feature can function and improve. We do not use this content to train models for other customers.

Support and communications

When you contact us, subscribe to updates, or fill in a form, we keep the information you provide and our correspondence with you.

Cookies and similar technologies

Our website and console set a small number of cookies. See the cookies section below for detail.

We collect personal data in three ways: directly from you, when you create an account, configure the service, contact us, or subscribe to communications; automatically, as you use the console and as the platform records sessions, audit events, and telemetry; and from services you connect, when you authorise an integration such as a cloud provider or notification channel and we receive data through it.

We use personal data to run the service and meet our obligations. Under the GDPR, each use rests on a lawful basis:

• To provide and operate the platform - authenticating you, running monitors, sending alerts, managing snapshots, and executing the automations you configure. Lawful basis: performance of a contract.
• To secure accounts and maintain audit trails - detecting suspicious activity, preventing abuse, and keeping accurate records. Lawful basis: our legitimate interests and, where applicable, legal obligation.
• To support and communicate with you - responding to requests and sending service or product updates. Lawful basis: performance of a contract, legitimate interests, or your consent for marketing messages.
• To improve and maintain the service - diagnosing issues and understanding how features are used. Lawful basis: our legitimate interests.
• To comply with the law - meeting accounting, tax, and other legal requirements. Lawful basis: legal obligation.

We do not sell your personal data, and we do not use customer data to train machine-learning models for other customers. Our detection models are built on synthesised and openly available telemetry.

Cookies are small files placed on your device. We use them sparingly:

• Essential cookies keep you signed in and protect the console against cross-site request forgery. The service will not work correctly without them.
• Preference cookies remember choices such as display settings.
• Analytics cookies, where used, help us understand aggregate traffic and improve the site.

You can control or delete cookies through your browser settings, and you can configure your browser to refuse cookies or alert you when one is set. Some parts of the service may not function if essential cookies are disabled. Where your browser sends a "Do Not Track" signal, we limit non-essential tracking accordingly.

We never sell personal data. We share it only where it is necessary to run the service or where the law requires it:

• Sub-processors that help us deliver the platform, such as our identity provider, hosting and database infrastructure, and the cloud and notification providers you choose to connect. Each is bound by contract to protect the data they handle and to use it only on our instructions.
• Legal and safety disclosures, where we are required to comply with a law, regulation, court order, or lawful request, or to protect the rights, property, or safety of Suriq, our customers, or others.
• Business transfers, where data may be transferred as part of a merger, acquisition, or sale of assets, subject to the protections in this policy.

An up-to-date list of the sub-processors that may handle customer data is available on request at [email protected].

Suriq operates internationally, so personal data may be transferred to, and processed in, countries other than the one in which you live, including outside the EEA, the UK, and Switzerland. Where we transfer personal data across borders, we rely on appropriate safeguards - such as the European Commission's Standard Contractual Clauses and equivalent mechanisms - to ensure your data remains protected to the standard required by applicable law.

We retain personal data only for as long as we need it for the purposes described in this policy, or for as long as the law requires:

• Monitoring results and audit records are retained for up to seven years to support long-term reporting and accountability, after which they are removed or moved to cold storage.
• Session data is short-lived and typically expires within about 24 hours of inactivity.
• Account data is kept for the life of your account and deleted, or anonymised, after closure - except where we must retain certain records to meet legal obligations.

You can ask us to delete your personal data at any time, as described below.

Security is built into the platform. Among other measures, we encrypt data in transit with TLS, store integration credentials using strong encryption (AES-256-GCM) or a dedicated secrets vault, set session cookies as HttpOnly with a strict same-site policy, maintain an audit trail of security-relevant actions, and restrict internal access to personal data on a need-to-know basis. We also run vulnerability scanning and engage independent security researchers. No method of transmission or storage is ever completely secure, but we work continuously to safeguard your information.

If you are located in the EEA, the UK, or Switzerland, you have the following rights over your personal data:

• Access - obtain confirmation of whether we process your data and a copy of it.
• Rectification - correct data that is inaccurate or incomplete.
• Erasure - ask us to delete your data where there is no overriding reason to keep it.
• Restriction - ask us to limit how we use your data in certain circumstances.
• Portability - receive your data in a structured, machine-readable format.
• Objection - object to processing based on our legitimate interests, including direct marketing.
• Withdraw consent - where we rely on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email [email protected]. We will respond within the timeframes set by applicable law. You also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your data properly.

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the right to know what personal information we collect and how we use it, to request access to or deletion of that information, to correct inaccurate information, and to not be discriminated against for exercising these rights. We do not sell or share your personal information as those terms are defined under California law. To make a request, contact us at [email protected]; we will verify your request before acting on it.

Suriq is a tool for businesses and is not directed to, or intended for use by, anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will remove it.

We may update this policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will revise the "Last updated" date at the top of this page and, where the changes are significant, provide a more prominent notice. We encourage you to review this page periodically.

For any privacy question, or to exercise any of the rights described above, reach our team:

suriq.io
Email: [email protected]