Cloud Sentry (formerly STR Consulting LLC, "Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our public website, use our authenticated Support Portal, engage our services, or otherwise interact with us.
Scope: Marketing Site and Support Portal
This Privacy Policy covers two distinct properties operated by Cloud Sentry, which collect and process information for different purposes:
- Marketing Site (cloudsentry.com): our public website, used to publish information about Cloud Sentry, receive inbound inquiries, and present resources such as blog posts, case studies, and policy documents. The Marketing Site does not require sign-in.
- Support Portal (support.cloudsentry.com): the customer portal where Cloud Sentry customers and their authorized contacts submit support requests, track ticket status, approve access requests, and access policies and standard operating procedures we maintain on their behalf. The Support Portal supports both unauthenticated request submission and optional sign-in; certain workflows require sign-in. It also hosts our public Knowledge Base of self-service support articles, which is open to read without sign-in.
Sections below note where a particular practice applies only to the Marketing Site, only to the Support Portal, or to both.
Information We Collect
From both properties. We may collect personal information that you voluntarily provide to us when you express interest in our services, request a consultation, subscribe to our newsletter, submit a support request, or otherwise contact us. This information may include:
- Name, email address, phone number, and company name
- Job title and professional role
- Billing and payment information when purchasing services
- Information about your IT environment relevant to the services we provide
- Communications you send to us, including support requests, attachments, and feedback
From the Support Portal (authenticated sessions). When you sign in to the Support Portal, we collect and store the limited identity attributes required to authenticate you and to associate your activity with your organization. These attributes vary by sign-in method:
- Single sign-on via Google or Microsoft. We use WorkOS, Inc. as our authentication provider to broker single sign-on. We request only your name, email address, and the identity provider you used. We do not access your mailbox, your files, or the contents of your messages, and we request no standing access to your Google Workspace or Microsoft 365 tenant beyond verifying your sign-in.
- One-time email link (magic link). We collect the email address you entered to request the link and use it solely to deliver a single-use, time-limited sign-in link.
After sign-in we maintain a session cookie on your device that identifies your authenticated session. The cookie is signed with a server-held secret and carries an idle timeout and an absolute lifetime. See the Cookie Policy for details.
From the Marketing Site (visitor analytics). We also automatically collect certain technical information when you visit our public website, including your IP address, browser type, operating system, referring URLs, pages viewed, and the dates and times of your visits. This information is collected through cookies and similar tracking technologies as described in our Cookie Policy.
Operational logs from infrastructure providers. Both properties are hosted on Cloudflare. Cloudflare receives and processes request data (IP address, user agent, request path, response status, timing) as part of serving and protecting our sites. Application logs we generate may also include the email address associated with an authenticated session, a support-request identifier, or similar identifiers; we use these logs for security, observability, and incident response.
Connected Calendars (Free/Busy)
Support Portal only. The Support Portal lets you optionally connect a Google or Microsoft calendar so that we can see when you are busy and schedule around you. Connecting a calendar is always optional, and you can remove the connection at any time.
What we access.We access only your free/busy information: the start and end times when you are marked busy. We do not access, read, or store event titles, descriptions, participants, attachments, or locations. When you connect a Google account, we also read that account's email address, solely to label the calendar you linked in the portal.
Why we use it.To display availability in the portal's scheduling and coverage views, so that work is routed to people who are available.
How we protect it. The credentials that let us read your free/busy data are encrypted before storage, using a key kept separately from our database. Your busy times are stored only as opaque time blocks and are refreshed periodically while the connection is active.
Retention and removal. We retain this data only while your calendar is connected. When you disconnect the calendar in the portal, we delete the stored credentials and stop syncing.
Sharing. We do not sell this data, do not use it for advertising, and do not share it with third parties. Google-sourced data is handled in accordance with the Google API Services User Data Policy, including its Limited Use requirements; Microsoft-sourced data is handled in accordance with the equivalent Microsoft terms.
How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve our managed IT, security, cloud operations, and compliance services
- To operate, monitor, and secure the Marketing Site and the Support Portal, including authenticating users, routing support requests, and delivering notifications
- To respond to your inquiries and fulfill your requests for information or consultations
- To send administrative information, such as service updates, security alerts, ticket notifications, and support messages
- To send marketing communications about our services, where permitted by law and with your consent where required
- To analyze website usage and improve the user experience
- To detect, prevent, and address technical issues and security threats, including by retaining short-term operational logs
- To comply with legal obligations and enforce our terms of service
Information Sharing
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law. We may share your information in the following circumstances:
- Service Providers and Sub-processors: We share information with the third-party processors listed in the Sub-processors section below, each of which is contractually obligated to handle your data only on our instructions and to maintain appropriate safeguards.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
- Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
- Protection of Rights: We may disclose information to protect the rights, property, or safety of Cloud Sentry, our clients, or others.
Sub-processors
The following third-party processors handle data on our behalf to operate the Marketing Site, the Support Portal, or both. Each link points to the provider's published security or trust information; we encourage you to review their certifications and practices directly.
- Cloudflare, Inc. Hosting, edge compute, DNS, and DDoS protection for both properties; the serverless database that is the primary system of record for Support Portal accounts, requests, and history; key-value storage; object storage for request attachments, evidence files, and policy documents; live-chat session infrastructure; bot-management challenges; and an AI inference service used to classify and route intake text (see Automated Processing and Artificial Intelligence below). See the Cloudflare Trust Hub.
- WorkOS, Inc. Authentication provider that brokers single sign-on (Google, Microsoft, and enterprise identity providers) for the Support Portal and returns the limited identity attributes described above. See the WorkOS security page.
- Resend, Inc. Transactional email delivery for Support Portal notifications such as request confirmations, status updates, and approver links. See the Resend security page.
- Google LLC (only if you choose Google single sign-on, or connect a Google work calendar). Google authenticates you and returns the limited identity attributes described above; if you connect a calendar, Google returns read-only free/busy information for the Availability and Coverage feature. See Google Safety.
- Microsoft Corporation (only if you choose Microsoft single sign-on, or connect a Microsoft 365 work calendar). Microsoft authenticates you and returns the limited identity attributes described above; if you connect a calendar, Microsoft returns read-only free/busy information for the Availability and Coverage feature. We also retrieve Microsoft 365 service-health status to power our status pages, which does not involve your personal information. See the Microsoft Trust Center.
- Stripe, Inc. Payment processing and billing for customers who purchase services. Stripe processes the billing contact and payment details entered at checkout; we do not store full payment card numbers. See Stripe privacy.
- DocuSign, Inc.Electronic signature for executing policies and recording acknowledgements. DocuSign processes the signer's name, email address, and the document being signed. See the DocuSign Trust Center.
- Calendly, LLC Scheduling for discovery calls booked from our Marketing Site contact page. Calendly processes the name, email address, and meeting details you enter to book a call. See the Calendly security page.
- Intuit Inc. (QuickBooks) Accounting and invoicing ledger. Where we invoice you for services, your billing contact and invoice records are processed in QuickBooks. See the Intuit privacy page.
We review this list when we add or change a sub-processor and update this Privacy Policy accordingly.
Data Security
We implement administrative, technical, and physical security measures to protect your personal information. Measures specific to the Marketing Site and Support Portal include:
- Encryption in transit. All traffic to both properties is served over HTTPS, terminated at the Cloudflare edge.
- Encryption at rest. Data we store in Cloudflare-managed services (key-value namespaces, the serverless database, and object storage) is encrypted at rest by the platform.
- Signed session and link credentials. Authenticated sessions on the Support Portal are carried by cookies that are signed with a server-held secret and that enforce an idle timeout and an absolute lifetime. Special links such as approver-decision links are likewise signed and time-limited, are scoped to a single recipient and request, and become invalid once the decision is recorded.
- Access controls. Operator access to the Support Portal is gated by a server-side role assignment and by single sign-on with a trusted identity provider.
- Operational monitoring. We retain short-term application and platform logs to detect, triage, and respond to security events.
No method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.
Automated Processing and Artificial Intelligence
We use limited automated processing, including artificial intelligence, to operate our services, and we do so under clear limits:
- Intake routing. Free text you enter into the Support Portal intake may be classified by an AI model, hosted by our infrastructure provider, to suggest the right request type or flag a request that is out of scope. A member of our team reviews and owns the outcome.
- No model training on your data. We do not use your personal information to train third-party AI models, and we do not feed customer environment data into general-purpose AI models.
- People make the decisions. Automated processing supports our team; it does not make decisions that produce legal or similarly significant effects about you without human involvement. The actions taken inside a customer environment are performed by named members of our team.
Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information, including:
- The right to access the personal information we hold about you
- The right to request correction of inaccurate or incomplete information
- The right to request deletion of your personal information, subject to legal retention requirements
- The right to opt out of marketing communications at any time
- The right to restrict or object to certain processing of your data
To exercise any of these rights, please contact us using the information provided below.
Your California Privacy Rights
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), gives you specific rights regarding your personal information. This section describes those rights and how we handle California personal information.
Categories we collect. In the past twelve months we have collected the following categories of personal information, as defined by the CCPA: identifiers (such as name, email address, phone number, and company); commercial information (such as services purchased or inquired about); internet or other electronic network activity (such as how you interact with our Marketing Site); professional or employment-related information (such as job title); and, for Support Portal users, the contents of the requests and communications you submit. We collect this information from you directly, from your device, and from the sub-processors listed above, for the business purposes described in How We Use Your Information.
No sale or sharing. We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA. Advertising signals are disabled by default, and our analytics load only after you consent through the cookie controls on our site.
Your rights. Subject to the exceptions in the CCPA, you have the right to know and access the personal information we hold about you, to request its deletion, to request correction of inaccurate information, to opt out of any sale or sharing, to limit the use of sensitive personal information, and not to receive discriminatory treatment for exercising these rights.
To exercise these rights, contact us at contact@cloudsentry.com. We will verify your request against information we already hold, and you may use an authorized agent to submit a request on your behalf. You can disable analytics at any time through the cookie controls on our site. Where applicable law requires us to honor opt-out preference signals such as the Global Privacy Control, we do so.
Cookies
Both the Marketing Site and the Support Portal use cookies and similar technologies. On the Marketing Site we use them to enhance your browsing experience, analyze site traffic, and understand where our visitors come from. On the Support Portal we additionally set an authentication cookie when you sign in. The Marketing Site and Support Portal cookies are set on different hosts and are not shared between them. For details on each cookie, including the Support Portal session cookie's attributes and lifetime, please refer to our Cookie Policy.
Data Retention
We retain personal information for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention practices include:
- Support requests and account data. Information you submit through the Support Portal is stored in our Cloudflare-hosted serverless database, which is our system of record for Support Portal accounts, requests, and history. We retain it for the life of your engagement and for the period afterward needed to meet legal, audit, and contractual obligations, after which it is deleted or de-identified.
- Authenticated session data. Session cookies expire on idle and have an absolute maximum lifetime; sign-in links expire after a short, fixed window.
- Operational logs. Platform and application logs used for security and observability are retained on a short-term rolling basis, subject to the retention windows configured at the platform layer.
Specific retention periods are available on request through the contact channel below.
Third-Party Services
Our website may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our website.
Children's Privacy
Our services are designed for businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will post the revised policy on this page and update the "Last updated" date. We encourage you to review this policy periodically. Your continued use of our website and services after any changes constitutes your acceptance of the updated policy.
Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
Cloud Sentry
84 W. Broadway Ste. 200
Derry, NH 03038
Email: contact@cloudsentry.com
Website: cloudsentry.com
