Security Center
Aspazy policies for data processing, security, data protection, retention, encryption, and acceptable use.
Note: These documents describe Aspazy's current public service practices. They are adapted for Aspazy's GitHub-to-Intercom help center automation product and should be reviewed with counsel before use as negotiated legal terms.
Data Processing Agreement
Policy owner: Aspazy Security. Review cadence: annual and after material service changes.
1. Key Terms
This Data Processing Agreement ("DPA") applies when Aspazy processes Customer Personal Data on behalf of a customer while providing the Aspazy service. Aspazy connects customer-authorized GitHub repositories to customer-authorized Intercom Help Centers and uses AI to generate help center draft content, update existing drafts, create bootstrap collections, and propose article deletions for customer approval.
For DPA requests, security questions, or subprocessor notices, contact [email protected] or [email protected].
2. Parties and Roles
- Customer: the organization using Aspazy. Customer is the controller of Customer Personal Data, or a processor where Customer processes data on behalf of its own controller.
- Aspazy: the service provider. Aspazy acts as a processor or subprocessor only for the processing needed to provide the service.
- Data subjects: customer workspace users, invited members, customer employees, customer end users whose data appears in connected content, and support-team contacts represented in connected systems.
3. Processing Details
- Categories of personal data: names, email addresses, account identifiers, workspace membership data, GitHub and Intercom metadata, repository and help center content provided by Customer, usage events, IP address, device or browser metadata, and service logs.
- Special category data: Aspazy does not require or intentionally request special category data. Customer must not submit special category data unless separately agreed in writing.
- Nature of processing: collecting, receiving, accessing, storing, organizing, analyzing, generating draft content, updating draft content, creating bootstrap collections, proposing and processing customer-approved article deletions, transmitting customer-directed content to integrations, logging, monitoring, and deleting data.
- Purpose of processing: providing and securing Aspazy, operating connected GitHub and Intercom workflows, generating AI-assisted help center drafts, sending service notifications, troubleshooting, abuse prevention, and meeting legal obligations.
- Duration: for the term of Customer's use of Aspazy, plus any retention period required by law, backup, dispute, audit, security, or operational obligations.
4. Customer Instructions
Customer instructs Aspazy to process Customer Personal Data to provide, maintain, secure, improve, and support the service; as configured through Customer's use of the product; as documented in the agreement between the parties; and as otherwise instructed in writing. Aspazy will inform Customer if it cannot follow an instruction unless prohibited by law.
5. Approved Subprocessors
| Subprocessor | Location | Processing task |
|---|---|---|
| Google Cloud Platform | Primarily European Union, with Google-managed global infrastructure where required by the managed service | Cloud hosting, Cloud Run, Cloud SQL for PostgreSQL, Secret Manager, Cloud Scheduler, Artifact Registry, infrastructure logging, and storage services. |
| Cloudflare | Global | Public website hosting, CDN, DNS, TLS termination, and edge delivery for aspazy.com. |
| Google Identity Services | European Union and United States | Google Sign-In authentication and identity verification. |
| GitHub | United States and global infrastructure | GitHub App installation, OAuth authorization, repository metadata, repository content access, and source-code change retrieval as authorized by Customer. |
| Intercom | United States, European Union, and global infrastructure | Customer-directed Help Center integration, OAuth authorization, reading help center state, selecting Help Centers, creating collections, creating or updating draft articles, and deleting articles after customer approval. |
| OpenAI | United States and global infrastructure | AI model processing and optional tracing for the active OpenAI Agents sync-run workflow. |
| PostHog | European Union and global infrastructure | Frontend error tracking, operational log shipping, and observability when configured. |
| Resend | United States and global infrastructure | Transactional email delivery for invitations, deletion verification codes, setup notices, and run summaries. |
Aspazy will give reasonable notice before adding or replacing a material subprocessor. Customer may object in writing on reasonable data protection grounds.
6. Security Measures
Aspazy maintains technical and organizational measures designed to protect Customer Personal Data, including Google Sign-In, HTTP-only Secure session cookies in production, CSRF protection for unsafe browser requests, workspace authorization checks, HTTPS/TLS transport, encryption at rest through managed cloud services, Secret Manager storage for sensitive integration tokens and provider keys, logging, monitoring, least-privilege production access, vulnerability remediation, and deletion controls.
7. International Transfers
Where Customer Personal Data is transferred internationally and applicable data protection law requires a transfer mechanism, the parties agree to use the applicable Standard Contractual Clauses, UK Addendum, or other lawful transfer mechanism. The DPA details on this page provide the Annex I and Annex II information for those transfer terms.
8. Security Incidents
After becoming aware of a confirmed personal data breach involving Customer Personal Data, Aspazy will notify affected Customer contacts without undue delay and, where feasible, within 72 hours. Aspazy will investigate, contain, and remediate the incident and provide reasonable information needed for Customer's legal obligations.
9. Customer Assistance, Audits, and Deletion
Aspazy will provide reasonable assistance for data subject requests, security diligence, audit questions, and privacy impact assessments where required by applicable law and where the request relates to Aspazy's processing. Customer may delete or disconnect workspace data through the product where available, or request deletion through support. Deletion follows the Data Retention Policy below.
10. Standard Terms
Aspazy will not sell Customer Personal Data. Aspazy will not retain, use, disclose, or combine Customer Personal Data except as needed to provide the service, comply with Customer instructions, meet legal obligations, prevent abuse, or protect the service. Aspazy remains responsible for subprocessors it appoints to process Customer Personal Data on its behalf.
Information Security Policy
Policy owner: Aspazy Security. Review cadence: annual.
Purpose and Scope
This policy establishes Aspazy's approach to protecting information from misuse, compromise, unauthorized disclosure, alteration, destruction, or loss. It applies to Aspazy employees, contractors, vendors, systems, networks, facilities, cloud services, source code, customer data, company data, and any third party that accesses Aspazy systems.
Security Objectives
- Confidentiality: protect customer, company, and personnel data from unauthorized access.
- Integrity: keep data accurate, complete, traceable, and protected from unauthorized modification.
- Availability: keep production systems available and recoverable for customers.
Governance
Aspazy Security owns policy maintenance, security review, exception review, employee communication, and enforcement. Security policies are reviewed at least annually and after material changes to the service, infrastructure, threat model, or legal obligations.
Personnel Security and Training
- Personnel must acknowledge applicable security policies during onboarding and after material updates.
- Access is granted based on job responsibilities and removed or adjusted during role changes and offboarding.
- Personnel with production or sensitive-data access must follow confidentiality obligations and security procedures.
- Security awareness, privacy expectations, phishing risk, password hygiene, incident reporting, and acceptable use are covered during onboarding and refreshed periodically.
Access Control
Aspazy applies least privilege to production systems and customer data. Access to production data is limited to approved personnel with a business need, and administrative access is disabled or restricted by default. Workspace authorization checks are enforced before accessing or modifying customer data.
Secure Development and Change Management
Security requirements are considered during product design, implementation, review, testing, and deployment. Changes to production systems follow controlled deployment paths, code review, automated tests where applicable, and rollback-aware release practices.
Monitoring and Enforcement
Aspazy monitors production systems, logs security-relevant events, reviews suspicious activity, and investigates suspected violations. Violations may result in access removal, disciplinary action, contract remedies, or legal action depending on severity.
Acceptable Use Policy
Policy owner: Aspazy Security. Review cadence: annual.
Purpose
This policy defines acceptable use of Aspazy systems, end-user computing devices, accounts, integrations, networks, and customer-facing services. It applies to Aspazy personnel, contractors, third-party users, and customers using the public service.
Customer Acceptable Use
Customers must use Aspazy lawfully and must not use the service to:
- violate laws, regulations, third-party rights, or contractual obligations;
- upload malware, exploit code, intentionally deceptive content, or content designed to attack AI systems or connected platforms;
- attempt unauthorized access to Aspazy, other customers, GitHub, Intercom, cloud infrastructure, or model providers;
- interfere with service availability, rate limits, monitoring, authentication, or authorization controls;
- submit secrets, regulated data, or special category data unless the service configuration and written agreement support that use;
- resell, sublicense, reverse-engineer, scrape, or benchmark the service except as allowed by written agreement.
Personnel Device and Workspace Use
- Aspazy-managed workstations must use disk encryption, operating-system security updates, firewall controls, and approved endpoint protections.
- Sensitive information must not be left unattended in public or shared work areas, printed unnecessarily, or stored on unapproved removable media.
- Passwords, API keys, OAuth tokens, private keys, and recovery codes must not be written in exposed locations or shared through unapproved channels.
- Company systems may not be used for unlawful, harassing, discriminatory, abusive, or personal-gain activities.
- Only approved software, services, and accounts may be used to process company or customer data.
Remote Work and Teleworking
Remote access must use strong authentication, encrypted connections, protected devices, and approved collaboration tools. Personnel must protect login credentials, report lost or stolen devices promptly, and avoid connecting company devices to untrusted networks without appropriate safeguards.
Malware and Data Loss Prevention
Users must not disable security controls, endpoint protection, logging, data loss prevention, or browser protections without approval. Suspicious messages, files, devices, or account behavior must be reported to security.
Data Classification Policy
Policy owner: Aspazy Security. Review cadence: annual.
Purpose and Scope
This policy helps personnel and service providers identify, label, protect, and handle Aspazy data and customer data according to sensitivity. It applies to electronic, hardcopy, verbal, and cloud-hosted information owned, licensed, managed, or processed by Aspazy.
Classification Levels
| Classification | Examples | Handling |
|---|---|---|
| Restricted | OAuth tokens, API keys, private keys, production credentials, security incident details, sensitive customer content, regulated personal data. | Need-to-know access only, encryption required, access logging required, transmission only through approved encrypted channels. |
| Confidential | Customer repository content, Intercom Help Center content, workspace membership data, non-public product plans, contracts, source code, internal financial records. | Access limited to authorized personnel and systems, encryption required or strongly preferred depending on storage, sharing only under approved business purpose. |
| Internal Use | Internal procedures, non-public project notes, routine operational metrics, non-sensitive internal communications. | Available to personnel with a business need. Do not publish externally without approval. |
| Public | Marketing pages, published documentation, approved blog posts, public pricing, public legal pages. | Approved for public release. Integrity controls still apply. |
Default Classification
Unless clearly public, data should be treated as Internal Use. Customer data is at least Confidential. Credentials, secrets, production keys, and security incident details are Restricted.
De-identified Data
Aspazy may use de-identification, aggregation, masking, or suppression to reduce privacy risk. A data set is not considered de-identified if it still contains direct identifiers or can reasonably identify a person or customer workspace.
Handling Controls
- Restricted and Confidential data must not be sent through unapproved chat, email, or file-sharing tools.
- External transmission of Restricted or Confidential data must use encryption and authorized recipients.
- Storage of Restricted data must use approved systems with access control, logging, and deletion support.
- Mobile and removable storage containing Restricted or Confidential data must be encrypted and physically protected.
- Data must be destroyed or deleted when no longer required under the Data Retention Policy.
Data Protection Policy
Policy owner: Aspazy Security. Review cadence: annual.
Purpose and Scope
This policy defines technical and organizational controls used to protect customer data in production systems that create, receive, store, process, or transmit Aspazy customer data.
Production Data Protection
- Aspazy production services run on managed cloud infrastructure, including Google Cloud Platform services such as Cloud Run, Cloud SQL for PostgreSQL, Secret Manager, Cloud Scheduler, and Artifact Registry.
- Customer workspaces are logically separated through workspace identifiers, membership checks, configurable role-based permissions, and API authorization controls.
- Intercom OAuth tokens, workspace AI provider keys, project LLM keys, database credentials, and other secrets are stored in Google Cloud Secret Manager or equivalent approved secret storage.
- Customer repository and help center data is processed only to provide configured workflows, generate draft content, support troubleshooting, secure the service, or meet legal obligations.
Access and Monitoring
Personnel production access is restricted, approved based on business need, and reviewed as roles change. Production access and service activity are logged where technically practical. Aspazy uses observability tooling to monitor reliability, errors, abuse, and suspicious events.
Data Leakage and Deletion Prevention
- Authentication and authorization checks are required before accessing or modifying workspace data.
- Deletion workflows use scoped delete operations, verification codes, role checks, and scheduled deletion windows where applicable.
- Customer-directed writebacks to Intercom are scoped to the connected Intercom workspace and selected Help Center.
- Customer-controlled integrations can be disconnected to stop future sync access.
Data at Rest and in Transit
Production databases, secret stores, and managed storage use encryption at rest. External service connections use HTTPS/TLS or equivalent encrypted transport. Sensitive customer data should not be sent over unapproved messaging channels unless encrypted and authorized.
Disposal
Customer data that is no longer required is deleted according to the Data Retention Policy, customer instructions, legal obligations, and provider deletion capabilities. Physical media disposal, where applicable, must use secure disposal or provider-backed destruction controls.
Data Retention Policy
Policy owner: Aspazy Security. Review cadence: annual.
Purpose
This policy explains how Aspazy retains and deletes customer, corporate, security, and operational records.
Customer Workspace Data
- Active customer data is retained while the customer account or workspace remains active and as needed to provide the service.
- When an authorized workspace admin schedules workspace deletion, Aspazy sends a verification code and schedules permanent deletion after a 48-hour waiting period.
- During the waiting period, the workspace is hidden from normal use. Platform admins can restore a scheduled deletion through the admin terminal before the deadline when there is a valid reason.
- After the deletion due time passes, Aspazy deletes workspace records, integration records, sync runs, article actions, uploaded assets, and workspace secrets through the production deletion process.
- Residual copies may remain for a limited period in backups, logs, provider caches, or records retained for security, legal, tax, dispute, or compliance purposes.
Integration Data
If Customer disconnects GitHub or Intercom, Aspazy stops future access for that integration and deletes or invalidates stored integration secrets where supported. Content already generated or stored in Aspazy remains subject to workspace retention unless deleted separately.
Operational Logs and Analytics
Service logs, security logs, analytics, and diagnostic records are retained for operational security, troubleshooting, abuse prevention, and compliance. Retention periods may vary by system and provider, and records are minimized where practical.
Corporate and Administrative Records
| Record type | Example storage | Typical retention |
|---|---|---|
| Corporate records | Approved business document storage | Up to 5 years or longer if required by law. |
| Contracts and commercial records | Approved business document storage | Term of contract plus legal limitation period. |
| Personnel and contractor records | Approved HR and document systems | Up to 5 years or longer if required by law. |
| Security and audit records | Approved logging and compliance systems | As needed for security, audit, legal, and compliance obligations. |
Secure Disposal
Before disposal or reuse of equipment or cloud resources, Aspazy verifies that sensitive data is deleted, purged, encrypted, or otherwise rendered inaccessible using provider-supported controls.
Encryption Policy
Policy owner: Aspazy Security. Review cadence: annual.
Purpose and Scope
This policy defines Aspazy requirements for cryptographic controls, key management, and protection of information in transit and at rest. It applies to production systems, workstations, cloud services, secrets, credentials, and customer data.
Cryptographic Controls
| Use case | Control |
|---|---|
| Public website and app traffic | HTTPS/TLS using managed certificates. |
| API and integration traffic | HTTPS/TLS or provider-supported encrypted transport. |
| Production database storage | Managed cloud encryption at rest for Cloud SQL and related storage. |
| Secrets and credentials | Google Cloud Secret Manager or approved equivalent secret store with IAM-based access control. |
| Employee workstations | Full-disk encryption and operating-system keychain or approved password manager for local secrets. |
| Short-lived protected state | AES-GCM application-level protection using configured production encryption secrets. |
| Session cookies | ASP.NET Data Protection keys persisted in Cloud SQL; key-ring rows currently rely on Cloud SQL encryption at rest and database access controls. |
Key Management
- Cryptographic keys and secrets must be generated, stored, rotated, revoked, and deleted through approved tooling.
- Access to keys is limited to authorized services and personnel with a business need.
- Production secrets must not be committed to source control, stored in plain text, or shared through unapproved channels.
- Keys must be replaced when they expire, are no longer needed, or are suspected of compromise, or when personnel with access leave or change roles.
Customer-Managed Provider Keys
When premium customers provide their own AI provider keys, Aspazy stores those keys in approved secret storage, limits use to customer-configured AI provider features that are active in the service, and deletes them when the customer removes the key or deletes the workspace, subject to provider and backup behavior.
Loss, Theft, and Compromise
Suspected loss, theft, exposure, or compromise of any cryptographic key, secret, certificate, token, or credential must be reported immediately to Aspazy Security for containment, rotation, and incident review.