Privacy Policy
Last updated: June 2026
1. Who we are
Iris ("the Service") is operated by Plan4 (Yannis Iliadis), based in Greece. We act as a data processor on behalf of our customers (the "controllers") for any firewall log data they send to Iris, and as a controller for the limited account data we collect to operate the Service (admin email, billing details).
Contact: iliadis@plan4.gr
2. What we process
2.1 Account data (we are controller)
- Full name, work email address, hashed password (Argon2id)
- Workspace (tenant) name and slug
- Billing data: Stripe customer/subscription IDs, plan, invoices (Stripe holds card details, we do not)
- Authentication events: login timestamps, password resets, email verification
2.2 Firewall log data (we are processor)
When you send firewall syslog to Iris, we receive and normalise events that may include:
- Source/destination IP addresses (which can be personal data under Breyer v. Germany, C-582/14)
- Usernames embedded in firewall log lines (e.g. SSH login attempts)
- URL/hostname accessed (when your firewall logs include URL filtering)
- Device identifiers, MAC addresses
- Connection metadata: ports, protocols, timestamps, bytes transferred
This data is processed strictly to provide the security monitoring service you have asked us for.
2.3 Microsoft 365 / Entra ID data (optional, we are processor)
If you choose to connect your Microsoft 365 / Microsoft Entra ID tenant via the Iris Connectors page, we will read the following data from your tenant through the Microsoft Graph API on a 5-minute interval:
- Sign-in logs (user, app, IP address, geographic location, MFA outcome, Identity Protection risk score)
- Directory audit logs (admin actions: role assignments, application consents, user/group changes, conditional-access policy edits)
- Mailbox-rule metadata (rule names and forwarding targets — never mailbox contents)
Access is granted by your Global Administrator via the standard Microsoft admin-consent flow and uses read-only application permissions. You can revoke access at any time from Microsoft Entra admin center → Enterprise applications → Iris SIEM → Disable.
2.4 What we do NOT collect
- Packet payload contents
- Special category data (Art. 9 GDPR) — we never request it; if a customer sends such data in firewall logs, it is incidental and not used by Iris.
- Tracking cookies, advertising identifiers, cross-site tracking
3. Legal basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — Account data and the processing of your firewall logs are necessary to deliver the Service.
- Legitimate interest (Art. 6(1)(f)) — System logs (your login times, IPs for fraud prevention) are kept to secure the platform itself, balanced against your rights and interests.
- Legal obligation (Art. 6(1)(c)) — Billing data is retained to comply with tax law (10 years per Greek law).
4. Retention
| Data | Retention |
|---|---|
| Firewall events | Per your plan (Standard = 90 days, automatic deletion) |
| Detection alerts | 365 days after the alert is resolved |
| Audit logs | 2 years (NIS2 minimum) |
| Account data | Until you delete your workspace |
| Billing/invoices | 10 years (Greek tax law) |
| Backups | 30 days rolling window (Cloudron managed backups) |
5. Sub-processors
We use the following sub-processors to operate the Service:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner | VPS hosting (production server) | Germany (EU) | DPA in place; GDPR applies natively |
| Cloudron | Application platform, automated backups | Germany (EU) | DPA in place |
| Stripe | Payment processing | Ireland / USA | SCCs (Standard Contractual Clauses); PCI DSS Level 1 |
| Anthropic | AI alert triage (Claude API) | USA | SCCs; zero data retention setting; only alert metadata is sent, never raw events outside the alert's own context |
| Microsoft | Optional — Microsoft Graph API (M365 connector) used to fetch your own tenant's sign-in & audit logs into Iris | EU data centres (default) | Microsoft acts under the customer's existing M365 agreement; Iris is the recipient, not the controller, of this read flow |
| Cloudron sendmail | Transactional email | Germany (EU) | EU-only routing |
The current list is also published in any Data Processing Agreement (DPA) we sign. We give at least 30 days' notice before adding a new sub-processor; you can object via the contact email and terminate if the change is unacceptable.
6. International data transfers
Stripe and Anthropic involve transfers to the USA. Both rely on the EU Standard Contractual Clauses (2021/914). For the Anthropic processing specifically, we enable the "zero data retention" mode so prompt inputs are not retained by Anthropic beyond the response.
7. Your rights (GDPR Art. 15–22)
If we hold data about you, you can ask us to:
- Access — receive a copy. Workspace admins can download a complete JSON export from Account → Privacy.
- Rectify — correct inaccurate data. Edit your profile, or email us.
- Erase — delete your workspace and all associated data. Use Account → Privacy → Delete workspace; the deletion is irreversible and runs within 7 days, including backups.
- Restrict / object — pause processing while we resolve a dispute.
- Portability — the JSON export is in a structured, machine-readable format you can import elsewhere.
- Withdraw consent — close your account at any time.
- Lodge a complaint with the Hellenic Data Protection Authority or with your local supervisory authority.
We respond to verified requests within 30 days (Art. 12(3)).
8. Security
Technical and organisational measures include: Argon2id password hashing, HTTPS-only access, CSRF protection on every form, rate limiting on auth and ingestion endpoints, per-tenant row-level isolation with regression tests, encryption at rest at the disk layer (Hetzner), backups encrypted in transit, distributed-lock-protected background jobs, an append-only audit log of admin actions, and email verification before first login.
9. Changes
Material changes will be announced by email to workspace admins at least 30 days before they take effect.
Questions? Email iliadis@plan4.gr.