# Enforcement and Telemetry Policy

**Document Version:** 1.0.0
**Last Updated:** 2026-01-25

This document describes how stella-ops.org verifies compliance with the Community
Plugin Grant and free tier limits, including audit rights, telemetry options, and
privacy safeguards.

---

## 1. Compliance Philosophy

Stella Ops is committed to:

1. **Trust-based compliance** - We assume good faith from our users
2. **Minimal intrusion** - Verification should not burden legitimate users
3. **Privacy by design** - No collection of customer content or sensitive data
4. **Transparency** - Clear documentation of what we collect and why

---

## 2. Audit Rights

### 2.1 When Audits May Occur

stella-ops.org reserves the right to request compliance verification:

- **Frequency:** No more than once per calendar year per licensee
- **Notice:** Minimum 30 days written notice
- **Scope:** Limited to verification of Environment count and Scan volume
- **Trigger:** Audits may be initiated based on:
  - Routine sampling of licensees
  - Credible reports of non-compliance
  - Self-reported concerns from licensees

### 2.2 Audit Process

**Step 1: Notice**
- Written notice via email to registered contact
- Specifies audit scope and requested documentation
- Provides minimum 30-day response window

**Step 2: Documentation Request**
- Licensee provides requested information:
  - Number of active Environments
  - Scan volume metrics (e.g., from Stella Ops admin dashboard)
  - Deployment architecture summary
- No access to scan content, vulnerabilities, or business data required

**Step 3: Review**
- stella-ops.org reviews submitted documentation
- May request clarification on ambiguous items
- Typically completed within 15 business days

**Step 4: Resolution**
- Compliant: Written confirmation provided
- Minor variance: Grace period to remediate
- Significant non-compliance: Commercial license discussion

### 2.3 Audit Safeguards

All audits are conducted with:

- **Confidentiality:** All submitted information treated as confidential business
  information under mutual NDA
- **Data protection:** GDPR-compliant handling of any personal data
- **Limited retention:** Audit documentation retained for maximum 3 years
- **No content access:** We never request access to scan results, source code,
  or customer business data

---

## 3. Voluntary Telemetry

### 3.1 Telemetry Overview

Stella Ops provides an **optional** telemetry endpoint for users who wish to
automate compliance reporting.

**Key principles:**
- **Strictly opt-in:** Disabled by default
- **Aggregate metrics only:** No detailed scan data
- **Privacy-respecting:** No PII or customer content
- **User-controlled:** Can be disabled at any time

### 3.2 What Telemetry Collects (When Enabled)

| Metric | Description | Purpose |
|--------|-------------|---------|
| `installation_id` | Anonymous installation identifier | Deduplicate reports |
| `environment_count` | Number of active environments | License compliance |
| `scan_count_24h` | Scans in rolling 24-hour period | License compliance |
| `version` | Stella Ops version | Compatibility/support |
| `timestamp` | Report timestamp | Time-series analysis |

### 3.3 What Telemetry Does NOT Collect

- Scan results or vulnerability data
- Customer names or identifiers
- IP addresses (beyond transport layer)
- Source code or artifact contents
- User credentials or tokens
- Business-sensitive configuration

### 3.4 Enabling/Disabling Telemetry

**To enable:**
```yaml
# In stella-ops.yaml
telemetry:
  enabled: true
  endpoint: https://telemetry.stella-ops.org/v1/report
```

**To disable (default):**
```yaml
telemetry:
  enabled: false
```

**Environment variable override:**
```bash
STELLAOPS_TELEMETRY_ENABLED=false
```

### 3.5 Telemetry Data Handling

- **Transmission:** TLS 1.3 encrypted
- **Storage:** Aggregated and anonymized within 24 hours
- **Retention:** Raw reports retained for maximum 90 days
- **Access:** Limited to license compliance team
- **No sale:** Never sold or shared with third parties

---

## 4. Self-Attestation

### 4.1 Overview

As an alternative to telemetry, licensees may provide annual self-attestation
of compliance. This is the recommended approach for organizations with strict
data governance requirements.

### 4.2 Attestation Process

1. **Download form:** `docs/legal/templates/self-attestation-form.md`
2. **Complete attestation:** Fill in required fields
3. **Submit:** Email to compliance@stella-ops.org
4. **Confirmation:** Receive acknowledgment within 10 business days

### 4.3 Attestation Frequency

- **Annual:** Submit once per calendar year
- **Upon request:** May be requested as part of audit
- **Voluntary updates:** Submit anytime if circumstances change

### 4.4 False Attestation

Knowingly providing false attestation information may result in:
- Immediate termination of license rights
- Requirement to obtain commercial license
- Potential legal action for license violation

---

## 5. Compliance Verification Methods

### 5.1 Recommended: Built-in Dashboard

Stella Ops includes a compliance dashboard at `/admin/compliance`:

```
Compliance Status
─────────────────
License Type: Community (Free Tier)
Environments: 2 of 3 (within limit)
Scans (24h): 456 of 999 (within limit)
Status: COMPLIANT
```

This dashboard can be used to:
- Monitor current usage against limits
- Generate compliance reports for audit
- Export metrics for self-attestation

### 5.2 API-Based Verification

Compliance metrics are available via API:

```bash
curl -H "Authorization: Bearer $ADMIN_TOKEN" \
     https://your-instance/api/v1/admin/compliance/metrics
```

Response:
```json
{
  "environment_count": 2,
  "environment_limit": 3,
  "scan_count_24h": 456,
  "scan_limit_24h": 999,
  "compliant": true,
  "timestamp": "2026-01-25T14:30:00Z"
}
```
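An added example, not part of the Stella Ops documentation: a Python check that parses the section 5.2 response, recomputes compliance from the counts and limits instead of trusting the `compliant` flag, and rejects malformed or stale responses. The function name `evaluate`, the one-hour freshness window, and treating a count equal to its limit as within the limit are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the response body shown in section 5.2.
SAMPLE = """{"environment_count": 2, "environment_limit": 3,
 "scan_count_24h": 456, "scan_limit_24h": 999,
 "compliant": true, "timestamp": "2026-01-25T14:30:00Z"}"""

COUNTERS = ("environment_count", "environment_limit",
            "scan_count_24h", "scan_limit_24h")

def evaluate(body, now, max_age=timedelta(hours=1)):
    """Return (ok, findings) for one metrics response body."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return False, ["response is not a JSON object"]
    findings = []
    for key in COUNTERS:
        val = data.get(key)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(val, int) or isinstance(val, bool) or val < 0:
            findings.append(f"{key}: missing or not a non-negative integer")
    if not isinstance(data.get("compliant"), bool):
        findings.append("compliant: missing or not a boolean")
    try:
        ts = datetime.fromisoformat(str(data.get("timestamp")).replace("Z", "+00:00"))
        if ts.tzinfo is None:
            raise ValueError("no UTC offset")
    except ValueError:
        findings.append("timestamp: missing or not ISO 8601 with offset")
    if findings:
        return False, findings  # malformed input is never reported as compliant
    # Assumption: a count equal to its limit is still within the limit.
    within = (data["environment_count"] <= data["environment_limit"]
              and data["scan_count_24h"] <= data["scan_limit_24h"])
    if within != data["compliant"]:
        findings.append("compliant flag disagrees with counts and limits")
    if abs(now - ts) > max_age:
        findings.append("timestamp outside freshness window")
    if not within:
        findings.append("usage exceeds a free tier limit")
    return not findings, findings

if __name__ == "__main__":
    print(evaluate(SAMPLE, datetime(2026, 1, 25, 14, 35, tzinfo=timezone.utc)))
```
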

### 5.3 Log-Based Verification

For organizations that prefer log analysis:

```bash
# Extract compliance metrics from logs
grep "compliance_check" /var/log/stellaops/audit.log | tail -1
```

---

## 6. Remediation

### 6.1 Exceeding Limits

If you discover you've exceeded free tier limits:

1. **Immediate:** Usage may be throttled (see `30_QUOTA_ENFORCEMENT_FLOW1.md`)
2. **Short-term:** Reduce environments or scan volume to return to compliance
3. **Long-term:** Obtain commercial license for ongoing needs

### 6.2 Grace Period

For good-faith limit exceedances:
- **First occurrence:** 30-day grace period to remediate
- **Repeated occurrence:** 15-day grace period
- **Intentional abuse:** No grace period; commercial license required immediately

### 6.3 Commercial License Transition

If you need to exceed free tier limits:
- Contact sales@stella-ops.org
- Licenses can be backdated to cover grace period
- No penalty for good-faith users who remediate promptly

---

## 7. Privacy Commitments

stella-ops.org commits to the following privacy principles:

### 7.1 Data Minimization
We collect only the minimum data necessary for license compliance verification.

### 7.2 Purpose Limitation
Compliance data is used only for license verification. It is never used for
marketing and never sold to third parties.

### 7.3 User Control
- Telemetry is opt-in only
- Self-attestation is always available as an alternative
- Users can request deletion of any collected data

### 7.4 GDPR Compliance
For EU users:
- Data Processing Agreement (DPA) available upon request
- Right to access, rectify, and delete data
- Data stored in EU-based infrastructure when EU endpoint selected

### 7.5 Contact

For privacy-related inquiries:
- Email: privacy@stella-ops.org
- DPO: dpo@stella-ops.org (EU users)

---

## 8. Questions and Support

**Compliance questions:**
- Email: compliance@stella-ops.org

**Technical questions about telemetry:**
- Documentation: `docs/admin/telemetry.md`
- Support: support@stella-ops.org

**Commercial licensing:**
- Email: sales@stella-ops.org

---

## See Also

- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
- `docs/legal/30_QUOTA_ENFORCEMENT_FLOW1.md` - Quota enforcement behavior
- `docs/legal/templates/self-attestation-form.md` - Attestation form
- `docs/admin/telemetry.md` - Technical telemetry configuration

---

*Document maintained by: Legal + Privacy Office*
*Last review: 2026-01-25*