stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

fix tests. new product advisories enhancements

Browse Source
This commit is contained in:
master
2026-01-25 19:11:36 +02:00
parent c70e83719e
commit 6e687b523a
504 changed files with 40610 additions and 3785 deletions
Download Patch File Download Diff File Expand all files Collapse all files

299
docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md Normal file
View File

@@ -0,0 +1,299 @@
# Enforcement and Telemetry Policy
**Document Version:** 1.0.0
**Last Updated:** 2026-01-25
This document describes how stella-ops.org verifies compliance with the Community
Plugin Grant and free tier limits, including audit rights, telemetry options, and
privacy safeguards.
---
## 1. Compliance Philosophy
Stella Ops is committed to:
1. **Trust-based compliance** - We assume good faith from our users
2. **Minimal intrusion** - Verification should not burden legitimate users
3. **Privacy by design** - No collection of customer content or sensitive data
4. **Transparency** - Clear documentation of what we collect and why
---
## 2. Audit Rights
### 2.1 When Audits May Occur
stella-ops.org reserves the right to request compliance verification:
- **Frequency:** No more than once per calendar year per licensee
- **Notice:** Minimum 30 days written notice
- **Scope:** Limited to verification of Environment count and Scan volume
- **Trigger:** Audits may be initiated based on:
- Routine sampling of licensees
- Credible reports of non-compliance
- Self-reported concerns from licensees
### 2.2 Audit Process
**Step 1: Notice**
- Written notice via email to registered contact
- Specifies audit scope and requested documentation
- Provides minimum 30-day response window
**Step 2: Documentation Request**
- Licensee provides requested information:
- Number of active Environments
- Scan volume metrics (e.g., from Stella Ops admin dashboard)
- Deployment architecture summary
- No access to scan content, vulnerabilities, or business data required
**Step 3: Review**
- stella-ops.org reviews submitted documentation
- May request clarification on ambiguous items
- Typically completed within 15 business days
**Step 4: Resolution**
- Compliant: Written confirmation provided
- Minor variance: Grace period to remediate
- Significant non-compliance: Commercial license discussion
### 2.3 Audit Safeguards
All audits are conducted with:
- **Confidentiality:** All submitted information treated as confidential business
information under mutual NDA
- **Data protection:** GDPR-compliant handling of any personal data
- **Limited retention:** Audit documentation retained for maximum 3 years
- **No content access:** We never request access to scan results, source code,
or customer business data
---
## 3. Voluntary Telemetry
### 3.1 Telemetry Overview
Stella Ops provides an **optional** telemetry endpoint for users who wish to
automate compliance reporting.
**Key principles:**
- **Strictly opt-in:** Disabled by default
- **Aggregate metrics only:** No detailed scan data
- **Privacy-respecting:** No PII or customer content
- **User-controlled:** Can be disabled at any time
### 3.2 What Telemetry Collects (When Enabled)
| Metric | Description | Purpose |
|--------|-------------|---------|
| `installation_id` | Anonymous installation identifier | Deduplicate reports |
| `environment_count` | Number of active environments | License compliance |
| `scan_count_24h` | Scans in rolling 24-hour period | License compliance |
| `version` | Stella Ops version | Compatibility/support |
| `timestamp` | Report timestamp | Time-series analysis |
### 3.3 What Telemetry Does NOT Collect
- Scan results or vulnerability data
- Customer names or identifiers
- IP addresses (beyond transport layer)
- Source code or artifact contents
- User credentials or tokens
- Business-sensitive configuration
### 3.4 Enabling/Disabling Telemetry
**To enable:**
```yaml
# In stella-ops.yaml
telemetry:
enabled: true
endpoint: https://telemetry.stella-ops.org/v1/report
```
**To disable (default):**
```yaml
telemetry:
enabled: false
```
**Environment variable override:**
```bash
STELLAOPS_TELEMETRY_ENABLED=false
```
### 3.5 Telemetry Data Handling
- **Transmission:** TLS 1.3 encrypted
- **Storage:** Aggregated and anonymized within 24 hours
- **Retention:** Raw reports retained for maximum 90 days
- **Access:** Limited to license compliance team
- **No sale:** Never sold or shared with third parties
---
## 4. Self-Attestation
### 4.1 Overview
As an alternative to telemetry, licensees may provide annual self-attestation
of compliance. This is the recommended approach for organizations with strict
data governance requirements.
### 4.2 Attestation Process
1. **Download form:** `docs/legal/templates/self-attestation-form.md`
2. **Complete attestation:** Fill in required fields
3. **Submit:** Email to compliance@stella-ops.org
4. **Confirmation:** Receive acknowledgment within 10 business days
### 4.3 Attestation Frequency
- **Annual:** Submit once per calendar year
- **Upon request:** May be requested as part of audit
- **Voluntary updates:** Submit anytime if circumstances change
### 4.4 False Attestation
Knowingly providing false attestation information may result in:
- Immediate termination of license rights
- Requirement to obtain commercial license
- Potential legal action for license violation
---
## 5. Compliance Verification Methods
### 5.1 Recommended: Built-in Dashboard
Stella Ops includes a compliance dashboard at `/admin/compliance`:
```
Compliance Status
─────────────────
License Type: Community (Free Tier)
Environments: 2 of 3 (within limit)
Scans (24h): 456 of 999 (within limit)
Status: COMPLIANT
```
This dashboard can be used to:
- Monitor current usage against limits
- Generate compliance reports for audit
- Export metrics for self-attestation
### 5.2 API-Based Verification
Compliance metrics are available via API:
```bash
curl -H "Authorization: Bearer $ADMIN_TOKEN" \
https://your-instance/api/v1/admin/compliance/metrics
```
Response:
```json
{
"environment_count": 2,
"environment_limit": 3,
"scan_count_24h": 456,
"scan_limit_24h": 999,
"compliant": true,
"timestamp": "2026-01-25T14:30:00Z"
}
```
### 5.3 Log-Based Verification
For organizations that prefer log analysis:
```bash
# Extract compliance metrics from logs
grep "compliance_check" /var/log/stellaops/audit.log | tail -1
```
---
## 6. Remediation
### 6.1 Exceeding Limits
If you discover you've exceeded free tier limits:
1. **Immediate:** Usage may be throttled (see `30_QUOTA_ENFORCEMENT_FLOW1.md`)
2. **Short-term:** Reduce environments or scan volume to return to compliance
3. **Long-term:** Obtain commercial license for ongoing needs
### 6.2 Grace Period
For good-faith limit exceedances:
- **First occurrence:** 30-day grace period to remediate
- **Repeated occurrence:** 15-day grace period
- **Intentional abuse:** No grace period; commercial license required immediately
### 6.3 Commercial License Transition
If you need to exceed free tier limits:
- Contact sales@stella-ops.org
- Licenses can be backdated to cover grace period
- No penalty for good-faith users who remediate promptly
---
## 7. Privacy Commitments
stella-ops.org commits to the following privacy principles:
### 7.1 Data Minimization
We collect only the minimum data necessary for license compliance verification.
### 7.2 Purpose Limitation
Compliance data is used only for license verification, never for marketing or
sold to third parties.
### 7.3 User Control
- Telemetry is opt-in only
- Self-attestation is always available as alternative
- Users can request deletion of any collected data
### 7.4 GDPR Compliance
For EU users:
- Data Processing Agreement (DPA) available upon request
- Right to access, rectify, and delete data
- Data stored in EU-based infrastructure when EU endpoint selected
### 7.5 Contact
For privacy-related inquiries:
- Email: privacy@stella-ops.org
- DPO: dpo@stella-ops.org (EU users)
---
## 8. Questions and Support
**Compliance questions:**
- Email: compliance@stella-ops.org
**Technical questions about telemetry:**
- Documentation: `docs/admin/telemetry.md`
- Support: support@stella-ops.org
**Commercial licensing:**
- Email: sales@stella-ops.org
---
## See Also
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
- `docs/legal/30_QUOTA_ENFORCEMENT_FLOW1.md` - Quota enforcement behavior
- `docs/legal/templates/self-attestation-form.md` - Attestation form
- `docs/admin/telemetry.md` - Technical telemetry configuration
---
*Document maintained by: Legal + Privacy Office*
*Last review: 2026-01-25*