Legal · Cryptographic evidence custody

Privacy Policy.

Drafted for review by CISOs, Heads of Risk, audit-firm technologists, and legal/compliance teams at firms operating under SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, SR 11-7, GDPR, and CCPA. Designed for review by counsel at firms such as KPMG, Deloitte, EY, PwC, BDO, Grant Thornton, and independent firms during procurement.

Effective date: 2026-02-12
Last updated: April 22, 2026
Draft — pending counsel review
This document contains placeholder language written by Déjà's product team, not lawyers. Sections marked [NEEDS LEGAL REVIEW] require attorney input before publication. The GDPR, CCPA, and other regulatory obligations listed here require counsel to confirm accuracy and completeness.
Section 1

Overview

This Privacy Policy describes how Déjà, Inc. ("Déjà," "we") collects, uses, and shares information when you use our incident attribution platform (the "Service").

Déjà is primarily a B2B service. We process data on behalf of customers who have created vaults. For that data, your employer (the customer) is the controller and Déjà is the processor. For data Déjà collects directly — like your email address when you create a vault — Déjà is the controller.

This policy covers both roles. Enterprise customers may have additional terms in a Data Processing Agreement (DPA); the DPA takes precedence where it differs from this policy.

Section 2

What we collect

Account data (you provide directly):

  • Business email address
  • Name (if entered during signup)
  • Hashed password (original password is never stored)
  • Domain of your email, used as your vault identifier
  • OAuth provider information (GitHub username, Google Workspace email) if you sign in with a third-party provider

Service data (you authorize us to process on your behalf):

  • Webhook payloads from third-party tools you connect — including error events, monitoring alerts, and commit metadata
  • API responses from tools you authorize us to query (Sentry, Datadog, GitHub, GitLab, etc.)
  • Signed receipts that Déjà produces from your data
  • Governance log entries documenting admin actions in your vault

Usage data (collected automatically):

  • IP address and approximate geolocation (derived from IP)
  • Browser type, operating system, and device type
  • Pages visited, features used, and actions taken within the Service
  • Session identifiers (cookies) used to keep you signed in
  • Error logs to diagnose issues

We do not collect: government identifiers (SSN, passport number, etc.), payment card data (handled directly by our payment processor, never touches our servers), health data, or precise geolocation (we do not collect GPS coordinates).

Section 3

How we use it

We use the data we collect to:

  • Provide and operate the Service, including attribution derivation, receipt signing, and delivery
  • Authenticate you and secure your vault against unauthorized access
  • Send you service-related emails (verification, password reset, receipt delivery notifications, security alerts)
  • Provide customer support when you contact us
  • Improve the Service through aggregated usage analysis — we do not use customer data to train machine learning models
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations (tax, audit, law enforcement requests with valid process)

We do not sell your data. We do not share it with advertisers, data brokers, or marketing partners. We do not use customer data to train AI or ML models. Service data processed on your behalf is used only to provide the Service you requested.

Section 4

Sharing and subprocessors

Déjà uses a limited set of third-party service providers ("subprocessors") to operate the Service. These providers are bound by contract to use your data only to provide services to Déjà and to maintain security standards consistent with this Policy.

Needs legal review

The exact subprocessor list below is placeholder. The final list must reflect Déjà's actual production infrastructure and must be kept current. Subprocessor change notification procedures (typically 30 days' advance notice for enterprise customers) require counsel input. GDPR-required subprocessor register may need to be published separately.

SubprocessorPurposeLocation
VercelApplication hosting and edge deliveryUnited States, EU
Supabase / PostgreSQL providerDatabase hosting for vault data and governance logsUnited States
Resend confirmTransactional email delivery (verification, notifications)United States
Anthropic confirmLLM inference for non-deterministic features, where applicable (no customer data used for training)United States
StripePayment processing for paid subscriptionsUnited States

We may also share data when required by law (subpoenas, court orders, valid government requests), with your consent (where you explicitly authorize a specific disclosure), or in connection with a merger or acquisition (with notice to you and the opportunity to terminate your subscription).

Section 5

Retention

We retain data for as long as needed to provide the Service and meet our legal obligations. Specific retention periods:

  • Account data: for the duration of your active vault, plus 30 days after deletion
  • Signed receipts: retained indefinitely in your vault during active subscription; after termination, retained for 30 days to allow export, then deleted (but remain cryptographically verifiable externally via DSR/1.0)
  • Governance log: retained for the life of your vault plus 90 days
  • Webhook event logs: retained for 90 days for debugging
  • Usage analytics: retained in aggregated form indefinitely; individually-identifying analytics retained for 12 months
  • Session data: retained for the session duration (typically 30 days of inactivity before session expiry)

Enterprise customers may negotiate different retention periods in their Data Processing Agreement.

Section 6

Security

We implement technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) for all Service traffic
  • Encryption at rest for database storage
  • Separate cryptographic key pairs for production and trial receipt signing
  • Access controls limiting which Déjà employees can access customer data (audited)
  • Regular security reviews and penetration testing confirm cadence
  • SOC 2 Type II attestation in progress — do not claim as completed until actual attestation

No system is perfectly secure. We will notify affected customers of any material data breach as required by applicable law and our contractual commitments.

Section 7

Your rights

Needs legal review — GDPR and CCPA specifics

The rights and corresponding request-handling procedures for GDPR (right of access, rectification, erasure, restriction, portability, objection, automated decision-making), CCPA (right to know, delete, correct, limit use of sensitive information, opt out of sale), and other applicable regulations (LGPD, UK GDPR, etc.) require counsel review. Specific request workflows, response timelines, and verification procedures must be documented.

Depending on where you live, you may have rights regarding your personal data, including the right to access, correct, delete, or export your data, and the right to object to or restrict certain processing. To exercise these rights, contact privacy@deja.dev.

For service data processed on behalf of an enterprise customer, privacy requests should generally be directed to the customer (the data controller). We will cooperate with the customer in handling such requests as described in the Data Processing Agreement.

Section 8

Cookies and similar technologies

We use cookies for:

  • Authentication: session cookies that keep you signed in. Required for the Service to function.
  • Security: CSRF protection and fraud detection. Required for the Service to function.
  • Preferences: remembering settings like theme. Optional.

We do not use advertising cookies, third-party tracking pixels, or analytics that share data with ad networks. confirm no Google Analytics, Meta Pixel, etc.

You can control cookies through your browser settings. Blocking authentication cookies will prevent you from signing in.

Section 9

International transfers

Needs legal review — this entire section

Cross-border data transfer mechanisms — Standard Contractual Clauses (SCCs), adequacy decisions, Data Privacy Framework participation, UK IDTA, Swiss transfers — require counsel review. For EU customers specifically, transfer mechanisms must be documented and may require Transfer Impact Assessments.

Déjà is based in the United States. If you access the Service from outside the United States, your data may be transferred to, processed, and stored in the United States. Where required by applicable law, we implement appropriate safeguards for such transfers.

Section 10

Children

The Service is not intended for individuals under 18 years old. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@deja.dev and we will take steps to delete it.

Section 11

Changes to this policy

We may update this policy from time to time. For material changes, we will notify you by email and/or by posting a notice in your vault at least 30 days before the changes take effect. The effective date at the top of this page indicates the most recent revision.

Section 12

Contact

Privacy-specific questions go to privacy@deja.dev. Data subject requests and GDPR/CCPA rights requests should be sent to the same address with the subject line "Privacy Request."

For general support questions, see our support page.

EU representative: required under GDPR Article 27 if applicable — counsel to appoint

Mailing address: needs legal review