stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md

8.1 KiB
Raw Permalink Blame History

Enforcement and Telemetry Policy

Document Version: 1.0.0 Last Updated: 2026-01-25

This document describes how stella-ops.org verifies compliance with the Community Plugin Grant and free tier limits, including audit rights, telemetry options, and privacy safeguards.

1. Compliance Philosophy

Stella Ops is committed to:

  1. Trust-based compliance - We assume good faith from our users
  2. Minimal intrusion - Verification should not burden legitimate users
  3. Privacy by design - No collection of customer content or sensitive data
  4. Transparency - Clear documentation of what we collect and why

2. Audit Rights

2.1 When Audits May Occur

stella-ops.org reserves the right to request compliance verification:

  • Frequency: No more than once per calendar year per licensee
  • Notice: Minimum 30 days written notice
  • Scope: Limited to verification of Environment count and Scan volume
  • Trigger: Audits may be initiated based on:
    • Routine sampling of licensees
    • Credible reports of non-compliance
    • Self-reported concerns from licensees

2.2 Audit Process

Step 1: Notice

  • Written notice via email to registered contact
  • Specifies audit scope and requested documentation
  • Provides minimum 30-day response window

Step 2: Documentation Request

  • Licensee provides requested information:
    • Number of active Environments
    • Scan volume metrics (e.g., from Stella Ops admin dashboard)
    • Deployment architecture summary
  • No access to scan content, vulnerabilities, or business data required

Step 3: Review

  • stella-ops.org reviews submitted documentation
  • May request clarification on ambiguous items
  • Typically completed within 15 business days

Step 4: Resolution

  • Compliant: Written confirmation provided
  • Minor variance: Grace period to remediate
  • Significant non-compliance: Commercial license discussion

2.3 Audit Safeguards

All audits are conducted with:

  • Confidentiality: All submitted information treated as confidential business information under mutual NDA
  • Data protection: GDPR-compliant handling of any personal data
  • Limited retention: Audit documentation retained for maximum 3 years
  • No content access: We never request access to scan results, source code, or customer business data

3. Voluntary Telemetry

3.1 Telemetry Overview

Stella Ops provides an optional telemetry endpoint for users who wish to automate compliance reporting.

Key principles:

  • Strictly opt-in: Disabled by default
  • Aggregate metrics only: No detailed scan data
  • Privacy-respecting: No PII or customer content
  • User-controlled: Can be disabled at any time

3.2 What Telemetry Collects (When Enabled)

Metric Description Purpose
installation_id Anonymous installation identifier Deduplicate reports
environment_count Number of active environments License compliance
scan_count_24h Scans in rolling 24-hour period License compliance
version Stella Ops version Compatibility/support
timestamp Report timestamp Time-series analysis

3.3 What Telemetry Does NOT Collect

  • Scan results or vulnerability data
  • Customer names or identifiers
  • IP addresses (beyond transport layer)
  • Source code or artifact contents
  • User credentials or tokens
  • Business-sensitive configuration

3.4 Enabling/Disabling Telemetry

To enable:

# In stella-ops.yaml
telemetry:
  enabled: true
  endpoint: https://telemetry.stella-ops.org/v1/report

To disable (default):

telemetry:
  enabled: false

Environment variable override:

STELLAOPS_TELEMETRY_ENABLED=false

3.5 Telemetry Data Handling

  • Transmission: TLS 1.3 encrypted
  • Storage: Aggregated and anonymized within 24 hours
  • Retention: Raw reports retained for maximum 90 days
  • Access: Limited to license compliance team
  • No sale: Never sold or shared with third parties

4. Self-Attestation

4.1 Overview

As an alternative to telemetry, licensees may provide annual self-attestation of compliance. This is the recommended approach for organizations with strict data governance requirements.

4.2 Attestation Process

  1. Download form: docs/legal/templates/self-attestation-form.md
  2. Complete attestation: Fill in required fields
  3. Submit: Email to compliance@stella-ops.org
  4. Confirmation: Receive acknowledgment within 10 business days

4.3 Attestation Frequency

  • Annual: Submit once per calendar year
  • Upon request: May be requested as part of audit
  • Voluntary updates: Submit anytime if circumstances change

4.4 False Attestation

Knowingly providing false attestation information may result in:

  • Immediate termination of license rights
  • Requirement to obtain commercial license
  • Potential legal action for license violation

5. Compliance Verification Methods

5.1 Recommended: Built-in Dashboard

Stella Ops includes a compliance dashboard at /admin/compliance:

Compliance Status
─────────────────
License Type:     Community (Free Tier)
Environments:     2 of 3 (within limit)
Scans (24h):      456 of 999 (within limit)
Status:           COMPLIANT

This dashboard can be used to:

  • Monitor current usage against limits
  • Generate compliance reports for audit
  • Export metrics for self-attestation

5.2 API-Based Verification

Compliance metrics are available via API:

curl -H "Authorization: Bearer $ADMIN_TOKEN" \
  https://your-instance/api/v1/admin/compliance/metrics

Response:

{
  "environment_count": 2,
  "environment_limit": 3,
  "scan_count_24h": 456,
  "scan_limit_24h": 999,
  "compliant": true,
  "timestamp": "2026-01-25T14:30:00Z"
}

5.3 Log-Based Verification

For organizations that prefer log analysis:

# Extract compliance metrics from logs
grep "compliance_check" /var/log/stellaops/audit.log | tail -1

6. Remediation

6.1 Exceeding Limits

If you discover you've exceeded free tier limits:

  1. Immediate: Usage may be throttled (see 30_QUOTA_ENFORCEMENT_FLOW1.md)
  2. Short-term: Reduce environments or scan volume to return to compliance
  3. Long-term: Obtain commercial license for ongoing needs

6.2 Grace Period

For good-faith limit exceedances:

  • First occurrence: 30-day grace period to remediate
  • Repeated occurrence: 15-day grace period
  • Intentional abuse: No grace period; commercial license required immediately

6.3 Commercial License Transition

If you need to exceed free tier limits:

  • Contact sales@stella-ops.org
  • Licenses can be backdated to cover grace period
  • No penalty for good-faith users who remediate promptly

7. Privacy Commitments

stella-ops.org commits to the following privacy principles:

7.1 Data Minimization

We collect only the minimum data necessary for license compliance verification.

7.2 Purpose Limitation

Compliance data is used only for license verification, never for marketing or sold to third parties.

7.3 User Control

  • Telemetry is opt-in only
  • Self-attestation is always available as alternative
  • Users can request deletion of any collected data

7.4 GDPR Compliance

For EU users:

  • Data Processing Agreement (DPA) available upon request
  • Right to access, rectify, and delete data
  • Data stored in EU-based infrastructure when EU endpoint selected

7.5 Contact

For privacy-related inquiries:

8. Questions and Support

Compliance questions:

Technical questions about telemetry:

Commercial licensing:

See Also

  • LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md - Full legal terms
  • docs/legal/30_QUOTA_ENFORCEMENT_FLOW1.md - Quota enforcement behavior
  • docs/legal/templates/self-attestation-form.md - Attestation form
  • docs/admin/telemetry.md - Technical telemetry configuration

Document maintained by: Legal + Privacy Office Last review: 2026-01-25