Privacy Policy

Effective Date: May 15, 2026

1. Who We Are

SOCHQ ("we," "our," or "us") operates the HQSec Security Operations Center platform at hq.sochq.io. We provide AI-powered security monitoring, threat detection, and incident response tools to businesses and individuals.

2. What We Collect

Account Data

  • Email address, username, and hashed password
  • Name, department, and job title (if provided)
  • MFA configuration (TOTP secret stored encrypted)
  • Login timestamps and IP addresses

Security Telemetry You Send Us

  • Security alerts, logs, and events forwarded from your CrowdStrike, Graylog, or other connected security integrations
  • Network device inventory and vulnerability scan results
  • IOC (Indicator of Compromise) data your agents submit
  • User and Entity Behavior Analytics (UEBA) events from your monitored systems

Usage Data

  • API request logs (endpoint, timestamp, response code — no request bodies)
  • Browser type and IP address for session management
  • Error and performance telemetry via Sentry (anonymized where possible)

3. How We Use Your Data

  • Authenticate you and enforce tenant isolation (your data is never shared with other tenants)
  • Power threat detection, correlation, and AI-assisted incident response within your account
  • Generate aggregate statistics to improve detection accuracy (never individual PII)
  • Send transactional emails (password resets, alerts you configure)
  • Fulfill billing and subscription obligations via Stripe
  • Comply with legal obligations including mandatory reporting requirements applicable to our platform

4. Data Storage and Security

All data is stored on infrastructure we control (PostgreSQL, Redis) hosted on Azure. Data is encrypted in transit (TLS 1.2 or later) and at rest. Tenant data is isolated at the database layer using Row Level Security, so the database itself restricts every query to the requesting tenant's rows rather than relying on application code alone to filter them.

Passwords are hashed with bcrypt and never stored in plaintext. Auth tokens are short-lived JWTs signed with a server-side secret that is never exposed to clients.

5. Data Sharing

We do not sell your data. We share data only with:

  • OpenAI — AI-powered analysis features send sanitized security context to the OpenAI API under their data processing addendum
  • Stripe — billing processor; receives only billing-required fields
  • Resend — transactional email delivery
  • Sentry — error monitoring; configured to minimize PII in payloads
  • Law enforcement — when legally required, or under mandatory reporting obligations (e.g., 18 U.S.C. § 2258A for child safety content)

6. Your Rights

Depending on your jurisdiction you may have rights to access, correct, export, or delete your personal data. To exercise these rights, email privacy@sochq.io. We will respond within 30 days.

Security telemetry you've forwarded to us (alerts, logs) is deleted when you cancel your subscription or explicitly request deletion. Account data is retained for 90 days after cancellation for billing dispute purposes, then purged.

7. Cookies and Sessions

We use HTTP-only, Secure, SameSite=Strict cookies to maintain your login session. We do not use tracking cookies or third-party advertising cookies. Strictly necessary session cookies are exempt from the cookie consent requirement (ePrivacy Directive Article 5(3), read alongside GDPR), so no consent banner is shown for them.

8. Retention

  • Security alerts and events: retained per your plan limits (default 90 days)
  • Audit logs: 1 year (required for SOC 2 and compliance use cases)
  • Agent performance metrics: 30 days (configurable)
  • Account data: duration of subscription + 90 days

9. Changes to This Policy

We will notify you by email or in-app notification at least 14 days before any material changes take effect. Continued use after that date constitutes acceptance.

10. Contact

Questions or concerns: privacy@sochq.io