Legal

Privacy Policy

Last updated: May 27, 2026

Sikurd LLC (“Sikurd”, “we”, “our”) provides a SaaS monitoring and management platform for 3CX phone systems. This policy explains what personal data we collect, how we use it, the legal bases for processing under the EU and UK General Data Protection Regulation (“GDPR”), and the choices you have.

Data controller. The controller responsible for your personal data when you use the Sikurd portal directly (e.g. you are a member of an MSP that uses Sikurd, or you signed up for a trial) is Sikurd LLC, a Florida limited liability company with its principal place of business in Englewood, Florida, United States. Privacy enquiries: privacy@sikurd.com.

When personal data is processed because an MSP that uses Sikurd polls a 3CX phone system that contains your data (you are not a Sikurd customer, you just happen to be a caller or extension on an MSP’s PBX), the MSP is the controller and Sikurd is their processor. Contact your service provider directly to exercise rights against the MSP. Sikurd will support the MSP in responding to your request as required by Article 28 GDPR; see our Data Processing Agreement.

Data Protection Officer.Sikurd’s processing does not meet the Article 37 GDPR thresholds (we do not engage in large-scale systematic monitoring of data subjects, and we do not process special categories of personal data on a large scale), so we are not required to designate a DPO. Privacy enquiries are handled by our privacy team at the address above.

What we collect

We collect three categories of data:

  • Account data — your name, work email, tenant / organization name, role, and (optionally) phone number when you sign up or are invited.
  • Instance configuration — the FQDNs of the 3CX systems you monitor, their administrator usernames, encrypted administrator passwords (AES-256-GCM at rest), and the integration tokens needed to talk to them.
  • Operational telemetry — what Sikurd polls from each 3CX instance on your behalf: uptime, call counts, trunk and extension state, license usage, backup metadata, network latency / jitter / loss readings, and version information.

What we don’t collect

  • We do not record or store call audio.
  • We do not store call recordings, voicemails, or chat content.
  • We do not collect end-user (caller) personally identifiable information beyond what 3CX reports for call logs and queue stats you choose to view.
  • We do not sell, rent, or share your data with third parties for their own marketing purposes.

How we use it

  • Operate the service — poll your instances, generate alerts, compute health scores, render dashboards.
  • Send notifications — alert emails, mobile push, Slack / Teams / PSA integrations you configure.
  • Improve the product — anonymized, aggregated usage metrics may inform feature decisions; we never look at customer-identifiable data for product development without your explicit involvement.
  • Support you— when you contact us, we access only what’s necessary to resolve your request.

Where data lives

Application data is hosted on infrastructure provided by Neon (PostgreSQL), Vercel (web application), Railway (worker processes), and Upstash (queue / cache). All hosts operate in US-East regions; data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Encrypted backup snapshots are retained for 30 days.

Legal basis for processing

Under Article 6 GDPR we rely on the following legal bases:

  • Contractual necessity (Art 6(1)(b)) for account data, instance configuration, operational telemetry, alert delivery, billing — without these we cannot provide the Service you signed up for.
  • Legitimate interest (Art 6(1)(f)) for security logging, fraud and abuse prevention, debugging and improving the Service, and aggregated/anonymised usage analytics that do not identify individuals. Our legitimate interest is balanced against your rights and freedoms; you can object to processing on this basis (see Your rights below).
  • Consent (Art 6(1)(a)) for marketing emails (product announcements, MSP-tips newsletter), browser push notifications, and any future analytics cookies. Consent is opt-in and can be withdrawn at any time from Settings → Privacy & data or by clicking Unsubscribe in any marketing email.
  • Legal obligation (Art 6(1)(c)) for tax, accounting, and statutory record-keeping (invoices retained for the period required by applicable law).

Automated decision-making

Sikurd generates AI-assisted summaries of monitored events (e.g. weekly digests, incident write-ups, version-release intelligence) using third-party language models (currently Anthropic; see our sub-processor list). These summaries are informational and do not produce legal or similarly significant effects on data subjects within the meaning of Article 22 GDPR — they are read by an MSP operator who decides what action, if any, to take. We do not use customer data to train any AI models.

Sub-processors

We use a small number of third-party services to deliver the Sikurd platform. The current list, including each sub-processor’s location, the data they handle, and the transfer mechanism we rely on (Standard Contractual Clauses and/or EU-US Data Privacy Framework), is published at sikurd.com/legal/sub-processors. We give customers at least 30 days’ advance notice before adding a new sub-processor, per our Data Processing Agreement.

International data transfers

Sikurd’s primary infrastructure is located in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data is transferred outside the EEA/UK to those systems. We rely on the European Commission’s Standard Contractual Clauses (Module Two, controller-to-processor) — and, for UK transfers, the UK Information Commissioner’s International Data Transfer Addendum — as the legal mechanism for these transfers. Several of our US-located sub-processors (notably Stripe, SendGrid, and Vercel) also participate in the EU-US Data Privacy Framework. We have completed a Transfer Impact Assessment (TIA) and concluded that, in conjunction with the security measures described in the Security section and at sikurd.com/trust, the transfers provide an essentially equivalent level of protection to that guaranteed within the EEA. The TIA is available on request to privacy@sikurd.com.

EU data residency is on our roadmap and will be made available as a region-pinned hosting option once we have customer demand to justify the engineering work.

How long we keep your data

  • Account data — for as long as your account is active. When you request deletion (Settings → Privacy → Delete my account), identifying fields are scrubbed immediately and the account is hard-deleted 30 days later.
  • Instance configuration + encrypted credentials — for as long as the instance is connected. Soft-deleted instances are retained for 90 days then hard-deleted.
  • Active call records — transient. Refreshed every poll cycle (≤ 60 seconds); no historical retention.
  • Operational telemetry — call logs 90 days, uptime records 30 days, alert history 12 months, network/MOS probe history 30 days. Adjustable per tenant on request.
  • Audit logs — privileged-action audit log (SecurityAuditLog) retained 24 months; per-instance event log (AuditLog) retained 12 months.
  • Consent records — retained 36 months, as evidence of consent under Article 7 GDPR.
  • Billing records — retained for the period required by applicable tax and accounting law (typically 7 years in the United States).
  • Backups — encrypted snapshots retained ≤ 30 days; deleted personal data is purged from backups within the next rotation cycle.

Your rights

Under GDPR and UK GDPR you have the following rights in respect of personal data we hold about you. We respond to verified requests within 30 days (extendable by a further two months for complex requests, with notice). There is no charge for the first request in a 12-month period.

  • Access (Art 15) — download a copy of the personal data we hold about you from Settings → Privacy & data → Export my data, or email privacy@sikurd.com.
  • Rectification (Art 16) — correct inaccurate or incomplete data via Settings → Profile, or by emailing the same address.
  • Erasure / right to be forgotten (Art 17) — delete your account from Settings → Privacy & data → Delete my account. Your account is scheduled for permanent deletion 30 days after the request; sign back in within that window to cancel.
  • Restriction of processing (Art 18) — ask us to temporarily stop processing your data while a dispute or rectification request is open. Email privacy@sikurd.com.
  • Data portability (Art 20) — the export described above is in machine-readable JSON, suitable for porting to another service.
  • Objection (Art 21) — object to processing based on legitimate interests, including direct marketing. To stop marketing, toggle Settings → Privacy & data → Product news email or click Unsubscribe in any marketing email — your opt-out is honoured immediately.
  • Withdraw consent (Art 7(3)) — for any processing based on your consent, you can withdraw at any time without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint (Art 77) — if you believe our processing infringes data-protection law, you have the right to complain to your local supervisory authority. For EU residents, the lead authority for Sikurd is the Irish Data Protection Commission (dataprotection.ie). UK residents can contact the Information Commissioner’s Office (ico.org.uk). We’d prefer to address your concerns directly first — please email privacy@sikurd.com.

If you are a California resident, the rights described in the California Consumer Privacy Act and California Privacy Rights Act apply. We treat California rights as substantively equivalent to the GDPR rights above and respond through the same channels. We do not sell or share personal information for cross-context behavioural advertising.

Security

  • All traffic is HTTPS-only.
  • Admin passwords and API tokens stored on Sikurd are encrypted at rest with AES-256-GCM. The encryption key is held outside the database in a separate secret store.
  • Database access is scoped to least-privilege service roles; no shared admin credentials.
  • Session cookies are HttpOnly + Secure + SameSite=lax, scoped to the apex domain and rotated on sign-in.

Cookies

Sikurd uses strictly-necessary cookies only — session, CSRF protection, and your theme preference. These are essential to the operation of the Service and, under Article 5(3) of the EU ePrivacy Directive, do not require your consent. We do not use third-party advertising cookies, tracking pixels, or analytics that build cross-site profiles. A cookie notice is shown on first visit so that this disclosure is unambiguous; clicking “Got it” records your acknowledgement so we do not show it again. The notice is logged in our consent records, which you can access via your data export.

Children

Sikurd is not directed at children under 16 and we do not knowingly collect their data.

Changes to this policy

We’ll post material changes at the URL where this policy lives and update the “Last updated” date above. If a change materially expands how we use your data, we’ll notify you by email before it takes effect.

Business customers

If you are a business using Sikurd to monitor 3CX systems on behalf of your own customers, our Data Processing Agreement (which includes Annex II Standard Contractual Clauses) governs our processing of personal data on your behalf as your processor under Article 28 GDPR. The DPA is incorporated by reference into our Terms of Service; no separate signature is required, but a counter-signed copy is available on request.

Contact

Privacy enquiries, data-subject requests, and DPA matters: privacy@sikurd.com. General product or support questions: help@sikurd.com or by phone at (941) 280-4090.