Privacy Policy

Effective date: February 7, 2026

Plain-English Summary

  • We collect the minimum data needed to run the Service securely and reliably.
  • We do not sell personal information and do not run advertising trackers.
  • You can request access, deletion, or export of your data (subject to applicable laws).
  • We use third parties only where needed to deliver the Service (e.g., email delivery).

1. Introduction

Spectops ("we," "us," or "our") operates the Spectops platform for managed threat nullification and FlowSpec enforcement (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Service.

We are committed to protecting your privacy and handling your data with transparency. This policy applies to all users of the Service, including account holders, API consumers, and visitors to our website.

2. Information We Collect

2.1 Account Information

  • Email address (used for authentication, notifications, and account recovery)
  • Hashed password (bcrypt, never stored in plaintext)
  • Two-factor authentication enrollment status and encrypted TOTP secrets
  • Account role and permission settings

2.2 Network Configuration Data

  • Autonomous System Numbers (ASNs) and PeeringDB organization data
  • BGP session configurations (neighbor IPs, prefix limits, community policies)
  • System source selections, threat feed URLs, and webhook endpoints
  • IP prefix blocklists, whitelists, and FlowSpec rule definitions
  • Export list configurations and compilation settings

2.3 Automatically Collected Data

  • IP address and approximate geographic location (for security and rate limiting)
  • Browser user-agent string (for session management and anomaly detection)
  • API request metadata (endpoints accessed, timestamps, response codes)
  • Authentication events (login attempts, session creation, 2FA verification)

2.4 Cookies and Session Data

  • Session cookie: A secure, HTTP-only cookie containing an opaque session token. Required for authentication. Expires based on your configured session duration.
  • CSRF cookie: A signed token for cross-site request forgery protection. Expires after 24 hours.
  • We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

3. How We Use Your Information

We process your personal information for the following purposes:

  • Service delivery: To authenticate your identity, manage BGP sessions, apply source policies, compile export lists, and deliver blackhole routes to your peers
  • Security: To detect and prevent unauthorized access, brute-force attacks, and abuse of the Service through rate limiting, audit logging, and anomaly detection
  • Notifications: To send service-related emails including session state alerts, source errors, security notifications, and account recovery messages
  • Collective Intelligence: If you opt in, your FlowSpec observations are anonymized and correlated with other users' data to identify widespread threats. Your identity is never shared with other participants.
  • Analytics: To generate usage statistics, prefix trends, and session health metrics visible in your dashboard
  • Service improvement: To identify bugs, optimize performance, and develop new features based on aggregate usage patterns

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you requested (Article 6(1)(b))
  • Legitimate interest: Security monitoring, fraud prevention, and service improvement (Article 6(1)(f))
  • Consent: For optional features like Collective Intelligence and marketing communications (Article 6(1)(a))
  • Legal obligation: When required to comply with applicable laws (Article 6(1)(c))

5. Data Security

We implement technical and organizational measures to protect your data:

  • All data in transit is encrypted via TLS 1.2+ (HTTPS enforced)
  • Passwords are hashed with bcrypt (cost factor 12)
  • Sensitive credentials (MD5 passwords, auth tokens) are encrypted at rest with AES-256-GCM
  • API keys are stored as bcrypt hashes; the plaintext is shown once at creation
  • Database connections use SSL with certificate verification
  • All administrative actions are recorded in an immutable audit log
  • Containers run with dropped capabilities, read-only filesystems, and resource limits
  • Rate limiting, CSRF protection, and Turnstile bot prevention are enforced on all endpoints

6. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active. Deleted 30 days after account deletion request.
  • Audit logs: Retained for 90 days
  • BGP event logs: Retained for 90 days
  • Login attempts: Retained for 30 days
  • Analytics snapshots: Hourly data for 7 days, daily data for 365 days
  • Session tokens: Expired tokens are deleted within 24 hours
  • FlowSpec observations: Retained for 30 days after withdrawal

Retention periods are configurable by the platform administrator. Data may be retained longer if required by law or to resolve disputes.

7. Data Sharing and Third Parties

We do not sell your personal information. We may share data with:

  • PeeringDB: During OAuth authentication, we receive your organization and ASN data from PeeringDB. We do not send your data to PeeringDB.
  • Email provider (SendGrid): Email addresses are shared with our transactional email provider for the purpose of delivering notifications and account recovery emails.
  • Cloudflare: Requests may be proxied through Cloudflare for DDoS protection and CDN. Cloudflare processes IP addresses and request metadata per their privacy policy.
  • Law enforcement: When required by a valid legal process (subpoena, court order, or equivalent legal mechanism).

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request that we limit the processing of your data
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: For processing based on consent (e.g., Collective Intelligence)

To exercise any of these rights, contact us at privacy@localhost. We will respond within 30 days.

9. International Data Transfers

The Service may process data in jurisdictions outside your country of residence. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children's Privacy

The Service is designed for professional network operators and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or concerns, contact our privacy team: