SaviourOps

Trust & Security

Security is not a checkbox.

You send us some of the most sensitive operational data in your organization — system internals, service topology, error details. We treat that responsibility seriously at every layer of the stack.

Responsible disclosure

Found a vulnerability?

We welcome security research and responsible disclosure. If you discover a security issue in SaviourOps — in our cloud platform, agent, or website — please report it to us privately before publishing.

We commit to:

  • Acknowledge your report within 2 business days.
  • Provide a status update within 7 days of initial triage.
  • Notify you when the issue is resolved.
  • Credit you in our release notes (unless you prefer anonymity).
  • Not pursue legal action against good-faith security researchers.

Report a vulnerability

security@saviourops.com

Disclosure window

We follow a 90-day coordinated disclosure policy. If we cannot resolve a reported issue within 90 days, we will discuss an extension with you in good faith. We ask that you do not publicly disclose details before the window closes.

Scope

In scope: saviourops.com, app.saviourops.com, ingestion APIs, the SaviourOps eBPF agent. Out of scope: third-party services we rely on (payment providers, AWS), social engineering attacks on our team, physical security.

Infrastructure security

How we protect your data.

Encryption at rest

All telemetry data, credentials, and account information stored on SaviourOps infrastructure is encrypted using AES-256. Encryption keys are managed via AWS KMS with automatic annual rotation.

Encryption in transit

All communication between your systems and SaviourOps endpoints is encrypted using TLS 1.3. We reject connections using older protocol versions (TLS 1.1 and below). HSTS is enforced on all domains.

Network isolation

Customer data is isolated at the storage layer. Ingestion, query, and management services run in separate VPCs with strict security group rules. Direct database access from the internet is not possible.

Access logging and audit trail

All authentication events, API calls, and administrative actions are logged with user identity, timestamp, and source IP. Logs are immutable and retained for 1 year. Enterprise customers can forward audit logs to their own SIEM.

Least-privilege access controls

SaviourOps engineers follow least-privilege principles. Production access requires time-bounded credentials issued through a break-glass process with mandatory peer approval and full audit trail.

Dependency and supply chain security

We pin all third-party dependencies and run automated vulnerability scans (Trivy, govulncheck) on every CI build. Critical CVEs in the dependency tree block deployments until patched.

Compliance

Compliance roadmap.

SOC 2 Type II

In progress

Audit in progress. Expected completion: Q3 2025. Contact us for a copy of our current security practices document.

GDPR

Compliant

We meet GDPR obligations for EU personal data. Data Processing Agreements (DPAs) are available on request for paid customers.

CCPA

Compliant

California residents can exercise their rights under CCPA by contacting privacy@saviourops.com.

Enterprise BYOC

Your cloud, our platform.

Enterprise customers with strict data residency requirements can run the SaviourOps data plane inside their own AWS, GCP, or Azure account. Bring Your Own Cloud (BYOC) gives you:

  • Telemetry data never leaves your cloud account — managed by us, controlled by you.
  • You control encryption keys, storage retention, and network policies.
  • eBPF agents and storage nodes run within your VPC with no third-party egress.
  • We manage upgrades and operations via a secure control plane you authorize.
  • Deployable on EKS, GKE, AKS, or bare-metal Kubernetes clusters.

BYOC guarantees

  • Data sovereignty: 100% in your cloud
  • Egress to SaviourOps: Control plane metadata only
  • Key management: Your KMS / your keys
  • Network isolation: Private link capable
  • Availability: Enterprise tier only — contact sales

Bug bounty

Bug bounty program

A formal bug bounty program is on our near-term roadmap. In the meantime, we recognize and reward all valid security reports that lead to a fix — credits range from public acknowledgement to cash rewards depending on severity.

To discuss a finding or a potential reward, email security@saviourops.com.
