1-SEC

Privacy Policy

Effective: February 19, 2026

1. Overview

1SEC is designed with privacy as a core principle. As a self-hosted security platform, your data stays on your infrastructure by default. This policy explains what data is collected, when, and how it is handled across both the self-hosted software and our Cloud Services (Pro and Enterprise tiers).

We are committed to transparency. If something isn’t covered here, the default answer is: we don’t collect it.

2. Self-Hosted Deployment

When running 1SEC on your own infrastructure using the Community (free) tier:

  • No data is transmitted to us. Zero. None.
  • All security events, alerts, logs, configurations, and analysis results remain entirely within your environment
  • We have no access to your systems, networks, or data
  • The embedded NATS bus operates locally with no external connections
  • No phone-home, license validation, or heartbeat calls are made

The only exception is if you explicitly enable optional telemetry (Section 7) or AI features (Section 4), both of which are off by default.

3. Cloud Services Data

If you subscribe to Pro or Enterprise Cloud Services, we collect and process data necessary to provide those services:

  • Alert and event data synced to the cloud dashboard (encrypted in transit via TLS 1.3)
  • Module status and health metrics for the dashboard display
  • Team member information (email, role, permissions) for access management
  • Integration configurations (webhook URLs, Slack channels, SIEM endpoints) stored encrypted at rest
  • Usage metrics for billing (event counts, API calls, storage consumed)

Cloud Services data is stored in infrastructure located in the United States. Enterprise customers may request specific data residency arrangements under a separate agreement.

4. AI Analysis Layer

If you enable the AI-powered threat analysis features, security event data is sent to third-party LLM providers (currently Google Gemini) for processing. Specifically:

  • Security event metadata (type, severity, timestamp, module source)
  • Sanitized payload excerpts for threat classification (PII is stripped before transmission)
  • Module correlation data for cross-module analysis

The following data is never sent to AI providers:

  • IP addresses (source or destination)
  • User credentials, passwords, or authentication tokens
  • Personally identifiable information (names, emails, phone numbers)
  • Raw network packet captures
  • Your configuration files or API keys

You can disable AI features entirely via configuration (ai_analysis_engine.enabled: false). When disabled, no data leaves your infrastructure for AI processing.

5. Account & Billing Data

When you create an account or subscribe to a paid tier, we collect:

  • Email address (for account authentication and communication)
  • Name or organization name (for billing and account identification)
  • Payment information (processed and stored by Stripe; we do not store full card numbers)
  • Billing address (required by payment processors for tax and fraud prevention)
  • Subscription tier and billing history

We use this data solely for account management, billing, and service-related communications. We do not sell, rent, or share your personal information with third parties for marketing purposes.

6. Website Analytics

The 1-sec.dev website may use privacy-respecting analytics to understand traffic patterns. We do not use invasive tracking technologies. Specifically:

  • No cross-site tracking cookies
  • No fingerprinting or device identification
  • No personal information is collected through the website
  • Analytics data is aggregated and cannot be used to identify individual visitors

7. Optional Telemetry

1SEC includes an opt-in anonymous telemetry feature that, when explicitly enabled, collects:

  • Which modules are enabled (not their configuration or settings)
  • Aggregate event counts per module (not event content)
  • 1SEC version and Go runtime version
  • Operating system and CPU architecture
  • A random installation ID (not tied to any personal information)

Telemetry is disabled by default and must be explicitly enabled in your configuration. No security event content, IP addresses, hostnames, or identifiable data is ever included in telemetry. Telemetry data is used solely to understand adoption patterns and prioritize development.

8. Cookies & Tracking

The 1-sec.dev website and Cloud Services use only essential cookies required for functionality:

  • Session cookies for authenticated users (Cloud Services dashboard)
  • CSRF protection tokens
  • User preference cookies (theme, timezone)

We do not use advertising cookies, social media tracking pixels, or any third-party cookies for behavioral profiling. No cookie consent banner is required because we do not use non-essential cookies.

9. Third-Party Services

1SEC integrates with third-party services only when explicitly configured by you:

  • Google Gemini API (AI analysis, opt-in) — governed by Google’s API Terms of Service
  • Stripe (payment processing) — governed by Stripe’s Privacy Policy
  • Webhook endpoints (alert delivery, user-configured) — governed by your endpoint provider
  • NATS (embedded by default, external if configured) — open-source, no data shared externally
  • Slack, PagerDuty, Opsgenie, Splunk, Datadog, Elastic (Enterprise integrations) — governed by respective provider policies

We encourage you to review the privacy policies of any third-party services you integrate with 1SEC.

10. Data Retention

For self-hosted deployments, all data retention is controlled entirely by your configuration. We retain nothing.

For Cloud Services:

  • Pro tier: 30-day analytics retention
  • Enterprise tier: 90-day analytics retention (extendable under separate agreement)
  • Account and billing data: retained for the duration of your subscription plus 90 days, or as required by law
  • Upon account deletion, all associated data is purged within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records)

11. Data Security

We implement industry-standard security measures to protect data processed through our Cloud Services:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls for team management
  • Regular security audits and dependency scanning
  • The 1SEC codebase is open source and subject to community review

No system is 100% secure. If you discover a security vulnerability, please report it through our responsible disclosure process on GitHub.

12. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate or incomplete data
  • Deletion: request deletion of your personal data (subject to legal retention requirements)
  • Portability: request your data in a structured, machine-readable format
  • Objection: object to processing of your data for certain purposes
  • Restriction: request restriction of processing in certain circumstances
  • Withdrawal of consent: withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at support@driftrail.com. We will respond within 30 days.

13. International Data Transfers

If you are located outside the United States, your data may be transferred to and processed in the United States where our Cloud Services infrastructure is located. By using Cloud Services, you consent to this transfer. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) for transfers from the EU/EEA
  • Encryption of data in transit and at rest
  • Access controls limiting who can view your data

For self-hosted deployments, no international transfer occurs — your data stays wherever you deploy it.

14. Children’s Privacy

1SEC is enterprise security software not directed at individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@driftrail.com.

15. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, and disclose
  • Right to request deletion of your personal information
  • Right to opt out of the sale of personal information — we do not sell your personal information
  • Right to non-discrimination for exercising your privacy rights

To exercise your CCPA rights, contact us at support@driftrail.com. We will verify your identity before processing your request.

16. GDPR Compliance

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Legal basis for processing: contract performance (Cloud Services), legitimate interest (security and service improvement), and consent (optional telemetry and AI features)
  • Data Protection Officer: for GDPR inquiries, contact support@driftrail.com
  • You have the right to lodge a complaint with your local supervisory authority
  • Data processing agreements are available for Enterprise customers upon request

17. Breach Notification

In the event of a data breach affecting your personal data processed through our Cloud Services, we will:

  • Notify affected users via email within 72 hours of becoming aware of the breach
  • Notify relevant supervisory authorities as required by applicable law (e.g., GDPR Article 33)
  • Provide details about the nature of the breach, data affected, and remediation steps taken
  • Offer guidance on steps you can take to protect yourself

For self-hosted deployments, breach detection and notification are your responsibility.

18. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email (for registered users) or a prominent notice on the website at least 15 days before taking effect. Changes will be posted to this page with an updated effective date. We encourage you to review this policy periodically. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

19. Contact

For privacy-related questions, data requests, or concerns, email us at support@driftrail.com or open an issue on our GitHub repository.