# Enforcement and Telemetry Policy **Document Version:** 1.0.0 **Last Updated:** 2026-01-25 This document describes how stella-ops.org verifies compliance with the Community Plugin Grant and free tier limits, including audit rights, telemetry options, and privacy safeguards. --- ## 1. Compliance Philosophy Stella Ops is committed to: 1. **Trust-based compliance** - We assume good faith from our users 2. **Minimal intrusion** - Verification should not burden legitimate users 3. **Privacy by design** - No collection of customer content or sensitive data 4. **Transparency** - Clear documentation of what we collect and why --- ## 2. Audit Rights ### 2.1 When Audits May Occur stella-ops.org reserves the right to request compliance verification: - **Frequency:** No more than once per calendar year per licensee - **Notice:** Minimum 30 days written notice - **Scope:** Limited to verification of Environment count and Scan volume - **Trigger:** Audits may be initiated based on: - Routine sampling of licensees - Credible reports of non-compliance - Self-reported concerns from licensees ### 2.2 Audit Process **Step 1: Notice** - Written notice via email to registered contact - Specifies audit scope and requested documentation - Provides minimum 30-day response window **Step 2: Documentation Request** - Licensee provides requested information: - Number of active Environments - Scan volume metrics (e.g., from Stella Ops admin dashboard) - Deployment architecture summary - No access to scan content, vulnerabilities, or business data required **Step 3: Review** - stella-ops.org reviews submitted documentation - May request clarification on ambiguous items - Typically completed within 15 business days **Step 4: Resolution** - Compliant: Written confirmation provided - Minor variance: Grace period to remediate - Significant non-compliance: Commercial license discussion ### 2.3 Audit Safeguards All audits are conducted with: - **Confidentiality:** All submitted information treated as confidential business information under mutual NDA - **Data protection:** GDPR-compliant handling of any personal data - **Limited retention:** Audit documentation retained for maximum 3 years - **No content access:** We never request access to scan results, source code, or customer business data --- ## 3. Voluntary Telemetry ### 3.1 Telemetry Overview Stella Ops provides an **optional** telemetry endpoint for users who wish to automate compliance reporting. **Key principles:** - **Strictly opt-in:** Disabled by default - **Aggregate metrics only:** No detailed scan data - **Privacy-respecting:** No PII or customer content - **User-controlled:** Can be disabled at any time ### 3.2 What Telemetry Collects (When Enabled) | Metric | Description | Purpose | |--------|-------------|---------| | `installation_id` | Anonymous installation identifier | Deduplicate reports | | `environment_count` | Number of active environments | License compliance | | `scan_count_24h` | Scans in rolling 24-hour period | License compliance | | `version` | Stella Ops version | Compatibility/support | | `timestamp` | Report timestamp | Time-series analysis | ### 3.3 What Telemetry Does NOT Collect - Scan results or vulnerability data - Customer names or identifiers - IP addresses (beyond transport layer) - Source code or artifact contents - User credentials or tokens - Business-sensitive configuration ### 3.4 Enabling/Disabling Telemetry **To enable:** ```yaml # In stella-ops.yaml telemetry: enabled: true endpoint: https://telemetry.stella-ops.org/v1/report ``` **To disable (default):** ```yaml telemetry: enabled: false ``` **Environment variable override:** ```bash STELLAOPS_TELEMETRY_ENABLED=false ``` ### 3.5 Telemetry Data Handling - **Transmission:** TLS 1.3 encrypted - **Storage:** Aggregated and anonymized within 24 hours - **Retention:** Raw reports retained for maximum 90 days - **Access:** Limited to license compliance team - **No sale:** Never sold or shared with third parties --- ## 4. Self-Attestation ### 4.1 Overview As an alternative to telemetry, licensees may provide annual self-attestation of compliance. This is the recommended approach for organizations with strict data governance requirements. ### 4.2 Attestation Process 1. **Download form:** `docs/legal/templates/self-attestation-form.md` 2. **Complete attestation:** Fill in required fields 3. **Submit:** Email to compliance@stella-ops.org 4. **Confirmation:** Receive acknowledgment within 10 business days ### 4.3 Attestation Frequency - **Annual:** Submit once per calendar year - **Upon request:** May be requested as part of audit - **Voluntary updates:** Submit anytime if circumstances change ### 4.4 False Attestation Knowingly providing false attestation information may result in: - Immediate termination of license rights - Requirement to obtain commercial license - Potential legal action for license violation --- ## 5. Compliance Verification Methods ### 5.1 Recommended: Built-in Dashboard Stella Ops includes a compliance dashboard at `/admin/compliance`: ``` Compliance Status ───────────────── License Type: Community (Free Tier) Environments: 2 of 3 (within limit) Scans (24h): 456 of 999 (within limit) Status: COMPLIANT ``` This dashboard can be used to: - Monitor current usage against limits - Generate compliance reports for audit - Export metrics for self-attestation ### 5.2 API-Based Verification Compliance metrics are available via API: ```bash curl -H "Authorization: Bearer $ADMIN_TOKEN" \ https://your-instance/api/v1/admin/compliance/metrics ``` Response: ```json { "environment_count": 2, "environment_limit": 3, "scan_count_24h": 456, "scan_limit_24h": 999, "compliant": true, "timestamp": "2026-01-25T14:30:00Z" } ``` ### 5.3 Log-Based Verification For organizations that prefer log analysis: ```bash # Extract compliance metrics from logs grep "compliance_check" /var/log/stellaops/audit.log | tail -1 ``` --- ## 6. Remediation ### 6.1 Exceeding Limits If you discover you've exceeded free tier limits: 1. **Immediate:** Usage may be throttled (see `30_QUOTA_ENFORCEMENT_FLOW1.md`) 2. **Short-term:** Reduce environments or scan volume to return to compliance 3. **Long-term:** Obtain commercial license for ongoing needs ### 6.2 Grace Period For good-faith limit exceedances: - **First occurrence:** 30-day grace period to remediate - **Repeated occurrence:** 15-day grace period - **Intentional abuse:** No grace period; commercial license required immediately ### 6.3 Commercial License Transition If you need to exceed free tier limits: - Contact sales@stella-ops.org - Licenses can be backdated to cover grace period - No penalty for good-faith users who remediate promptly --- ## 7. Privacy Commitments stella-ops.org commits to the following privacy principles: ### 7.1 Data Minimization We collect only the minimum data necessary for license compliance verification. ### 7.2 Purpose Limitation Compliance data is used only for license verification, never for marketing or sold to third parties. ### 7.3 User Control - Telemetry is opt-in only - Self-attestation is always available as alternative - Users can request deletion of any collected data ### 7.4 GDPR Compliance For EU users: - Data Processing Agreement (DPA) available upon request - Right to access, rectify, and delete data - Data stored in EU-based infrastructure when EU endpoint selected ### 7.5 Contact For privacy-related inquiries: - Email: privacy@stella-ops.org - DPO: dpo@stella-ops.org (EU users) --- ## 8. Questions and Support **Compliance questions:** - Email: compliance@stella-ops.org **Technical questions about telemetry:** - Documentation: `docs/admin/telemetry.md` - Support: support@stella-ops.org **Commercial licensing:** - Email: sales@stella-ops.org --- ## See Also - `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms - `docs/legal/30_QUOTA_ENFORCEMENT_FLOW1.md` - Quota enforcement behavior - `docs/legal/templates/self-attestation-form.md` - Attestation form - `docs/admin/telemetry.md` - Technical telemetry configuration --- *Document maintained by: Legal + Privacy Office* *Last review: 2026-01-25*