Your data, guarded.
We collect the minimum we need to run a reliable monitoring service. No tracking pixels, no shady ad networks, no selling your data — ever.
1. What we collect
To operate Cerberops we collect three categories of data:
Account data
- Name, email address, hashed password
- Organization name and team membership
- Time zone & locale (inferred from your browser)
Monitoring data you provide
- URLs you monitor, expected status codes, assertions, request headers/body
- Notification channel destinations (email addresses, Slack webhook URLs, generic webhook URLs)
- Maintenance window schedules
Operational data we generate
- Check results — timestamps, response codes, latency, error categories
- Incident timelines — when monitors went down, root cause, recovery time
- Audit log entries — who created, updated, or deleted resources
We do not collect response bodies returned by your monitored services beyond a short excerpt (capped at 4 KB) used for assertion debugging. Sensitive headers are redacted in logs.
2. How we use it
We use the data only for what you'd expect:
- To run your monitors — schedule checks, evaluate assertions, fire alerts
- To bill you — payments are processed by Stripe; we never see your card number
- To improve reliability — aggregate, anonymized error rates help us tune the platform
- To contact you — transactional emails only (alerts, invoices, account events)
We do not run third-party analytics or advertising scripts on the app. We do not profile you for ad targeting.
3. Sharing & sub-processors
We share data only with infrastructure providers strictly necessary to operate Cerberops:
- AWS (eu-central-1) — application hosting & encrypted backups
- Stripe — payment processing (PCI-DSS Level 1)
- Postmark / SendGrid — transactional email delivery
- Sentry — application error tracking (PII filtered)
All sub-processors are bound by Data Processing Agreements (DPAs). A full, current list is available on request.
4. Retention
We retain:
- Account data — for as long as your account is active, plus 30 days after deletion
- Monitor checks — last 90 days on Personal, last 12 months on Enterprise
- Incident history — last 12 months on both plans
- Audit logs — 12 months
- Billing records — 7 years (legal requirement for invoicing)
You can request earlier deletion at any time — see "Your rights" below.
5. Your rights (GDPR & UK GDPR)
You have the right to:
- Access — download all your data via the dashboard or by email request
- Rectify — edit incorrect data from your account settings
- Erase — delete your account; we remove personal data within 30 days
- Restrict — temporarily limit processing
- Portability — receive a machine-readable export of your data (JSON)
- Object — opt out of any non-essential processing
- Complain — lodge a complaint with your local data protection authority
See the dedicated GDPR page for a deeper dive.
6. Security
We protect your data with:
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest (RDS & S3)
- Hashed passwords (bcrypt, cost factor 12)
- SHA-256 hashed API tokens — we never store the raw token
- Role-based access controls and audit logging
- Quarterly access reviews and dependency audits
See our full security page for details.
7. Contact us
Privacy questions, data requests, or to designate a representative under GDPR Article 27:
Email: duty@cerberops.io
Postal: Cerberops Sentinel Services, EU
Response time: within 30 days, usually less than 7