Privacy Policy
Last Updated: October 2025
1. Introduction & Deployment Model
Realm9 ("we," "us," or "our") is a self-hosted infrastructure management platform designed for enterprise deployments. This Privacy Policy explains how data is handled in both our trial SaaS offering and production self-hosted deployments.
SaaS Trial
- 14-day free trial for evaluation
- Hosted on Realm9 infrastructure
- Demo and testing purposes only
- Standard GDPR data protections apply
Self-Hosted (Production)
- Deployed on your infrastructure
- You own and control all data
- Data never leaves your premises
- Full data sovereignty
Important: In self-hosted deployments, you are the data controller, and Realm9 has zero access to your production data. This policy describes how the software handles data, but your organization maintains full control and responsibility.
2. Data Controller Information
For SaaS Trial: Realm9 is the data controller
For Self-Hosted: Your organization is the data controller
For privacy-related inquiries regarding the Realm9 software:
Privacy Contact
Email: support@realm9.app
Subject: Privacy Inquiry
3. Information We Collect (SaaS Trial Only)
During the 14-day SaaS trial, we collect the following data to provide the service:
3.1 Account Information
- Identity: Name, email address, organization name, job title
- Authentication Data: Password (hashed with Argon2id), MFA secrets (encrypted with AES-256-GCM), backup codes (hashed with SHA-256)
- Profile: Timezone, preferences, notification settings
3.2 Security & Session Data
- Session Information: Login times, session duration, device fingerprints, IP addresses
- Authentication Events: Login attempts (success/failure), MFA verification events, password changes
- Security Logs: Failed login attempts, suspicious activity, IP change detections
3.3 Usage Data
- Application Usage: Features accessed, pages visited, API calls, timestamps
- Performance Metrics: Page load times, error logs, system performance
- Infrastructure Configuration: Environment metadata, Terraform configurations, observability data
4. Data Handling in Self-Hosted Deployments
In production self-hosted deployments:
- All data remains on your infrastructure - Realm9 has zero access
- You control data retention policies - Configure as per your requirements
- You own all encryption keys - We never have access to decrypt your data
- No telemetry sent to Realm9 - Completely air-gapped if desired
- License validation only - Anonymous machine fingerprint for license enforcement (optional)
Data Sovereignty Guarantee: For self-hosted deployments, you decide where data resides (on-premise, private cloud, specific regions). Realm9 never processes, stores, or accesses your production data.
5. Security Measures Implemented in Realm9
Realm9 implements enterprise-grade security controls aligned with industry standards:
5.1 Authentication & Identity Protection
- Multi-Factor Authentication (MFA): TOTP-based (RFC 6238), compatible with Google Authenticator, Microsoft Authenticator, Authy. Includes 10 backup recovery codes (hashed with SHA-256)
- Password Security: Argon2id hashing (memory-hard, GPU-resistant), 12+ character minimum, complexity requirements, 90-day expiration, password history (prevents reuse of last 5 passwords)
- Enterprise SSO/SAML 2.0: Azure AD, Okta, Google Workspace, Generic SAML providers with assertion encryption (RSA 4096-bit), single logout (SLO) support, certificate revocation checking
- OAuth 2.0: Google OAuth with encrypted refresh tokens (AES-256-GCM), automatic token rotation
- SCIM 2.0 Provisioning: Automated user lifecycle management (RFC 7644), bulk operations support, real-time user deprovisioning when users leave your organization
- Break-glass Emergency Access: Time-limited emergency admin access with mandatory justification, comprehensive audit logging, and automatic security team notifications
- Rate Limiting: Login (5 attempts/min), MFA (10 attempts/10min), API (100 calls/min), password reset (3 requests/hour)
5.2 Encryption & Data Protection
- At Rest: AES-256-GCM for all secrets, credentials, OAuth tokens, SAML private keys
- In Transit: TLS 1.3, HSTS headers, secure WebSocket connections
- Application-Level: Per-organization encryption keys, org-bound encryption for API keys
- Database: Encrypted columns for sensitive data, field-level encryption
5.3 Session & Access Control
- Session Security: Device fingerprinting, IP binding, concurrent session limits, automatic timeout
- RBAC (Role-Based Access Control): Granular permissions, least-privilege principle
- Organization Isolation: Multi-tenant data separation, per-org encryption keys
- API Security: Bearer token authentication, scoped API keys, key rotation support
5.4 Audit Logging & Monitoring
- Comprehensive Audit Trail: All authentication events, password changes, MFA events, admin actions
- Security Event Tracking: Failed login attempts, IP changes, device fingerprint mismatches, session terminations
- User Lifecycle Logging: Account creation, modification, deactivation (SCIM), break-glass access
- Compliance-Ready Logs: Structured, tamper-evident, exportable (7-year retention default)
5.5 Network Security
- HTTP Security Headers: HSTS, X-Frame-Options (DENY), CSP, X-Content-Type-Options (nosniff)
- Content Security Policy: Strict CSP directives, frame-ancestors denial, upgrade-insecure-requests
- Cookie Security: Secure, HTTP-only, SameSite=Lax cookies
- CORS Configuration: Strict origin validation
Production-Ready Security: All security features mentioned above are battle-tested implementations deployed in production environments. Our security architecture follows defense-in-depth principles with multiple layers of protection at the application, session, network, and data layers.
6. Compliance Framework
Realm9 implements security controls and privacy practices aligned with:
GDPR (EU 2016/679)
- ✓ Data minimization
- ✓ Right to erasure
- ✓ Data portability
- ✓ Privacy by design
- ✓ Breach notification (72hr)
Security Standards
- ✓ OWASP Top 10 controls
- ✓ NIST 800-63B identity guidelines
- ✓ CIS Controls framework
- ✓ ISO 27001 control alignment
- ✓ SOC 2 Type II controls
Note on Certifications: Realm9 is designed for self-hosted deployments where you control the infrastructure. While we implement controls aligned with SOC 2 and ISO 27001 standards, formal certifications are your responsibility as the data controller in self-hosted environments. The software provides compliance-ready features, but certification applies to your deployment, not the software vendor.
7. Data Retention
SaaS Trial
- Trial Data: Deleted within 30 days after the trial ends or after an explicit request
- Audit Logs: Retained for 90 days (compliance requirement)
- Account Deletion: All data deleted within 30 days of request
Self-Hosted Deployments
- You control all retention policies - Configure as per your requirements
- Recommended: 7-year audit log retention for compliance (ISO 27001, SOC 2)
- Configurable: Observability data (30 days to 2 years), Terraform state history, session logs
8. Your Rights Under GDPR
If you are located in the EEA or UK, you have the following rights:
8.1 Right of Access (Art. 15)
Request a copy of your personal data. For self-hosted deployments, contact your organization's IT/security team.
8.2 Right to Rectification (Art. 16)
Update or correct inaccurate personal data via your profile settings or by contacting your administrator.
8.3 Right to Erasure ("Right to be Forgotten") (Art. 17)
Request deletion of your personal data. Note: Some data may be retained for legal compliance (audit logs).
8.4 Right to Data Portability (Art. 20)
Export your data in machine-readable format (JSON, CSV) via the Data Export feature in Settings.
8.5 Right to Object (Art. 21)
Object to processing based on legitimate interests or for marketing purposes.
To Exercise Your Rights:
SaaS Trial: Email us at support@realm9.app with "GDPR Request" in the subject line.
Self-Hosted: Contact your organization's IT/security team, as they are the data controller.
9. International Data Transfers
SaaS Trial
Trial data may be processed in the United States with appropriate safeguards (Standard Contractual Clauses).
Self-Hosted Deployments
You control data location entirely. Deploy Realm9 in any region, on-premise, or in your private cloud. Data never crosses borders unless you choose to replicate it.
10. Third-Party Services (SaaS Trial Only)
During the SaaS trial, we may use these third-party services:
- Cloud Infrastructure: AWS (hosting and compute)
- Email Services: AWS SES (transactional emails)
Self-Hosted: No third-party services involved. You choose all integrations.
11. Data Breach Notification
SaaS Trial: In the event of a data breach, we will notify affected users within 72 hours and report to the relevant supervisory authority as required by GDPR.
Self-Hosted: Your organization is responsible for breach detection, notification, and response. Realm9 provides comprehensive audit logging to support your incident response procedures.
12. Cookies & Tracking
Realm9 uses minimal cookies for essential functionality:
- Session Cookies: Authentication and session management (required)
- Preference Cookies: Theme settings, language preferences (optional)
No marketing or analytics cookies. No third-party tracking in self-hosted deployments.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of personal information collected, used, or shared
- Right to Delete: Request deletion of your personal information (subject to legal exceptions)
- Right to Opt-Out: Opt out of sale/sharing of personal information (Note: Realm9 does not sell personal information)
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information: Limit use/disclosure of sensitive data
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, email us at support@realm9.app with "California Privacy Rights" in the subject line. We will verify your identity before processing requests.
14. Sub-Processors and Data Processing
SaaS Trial Sub-Processors
For the SaaS trial, we use the following sub-processors:
- Amazon Web Services (AWS) - Cloud infrastructure and hosting (US)
- AWS SES - Transactional email delivery (US)
Data Processing Addendum (DPA)
Enterprise customers requiring a Data Processing Addendum (DPA) with Standard Contractual Clauses (SCCs) for GDPR compliance should contact enterprise@realm9.app. Self-hosted deployments do not require a DPA as you are the data controller.
15. Children's Privacy
Realm9 is an enterprise service not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at support@realm9.app.
16. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. For material changes, we will:
- Send an email notification to registered users (SaaS trial)
- Display a prominent notice in the Realm9 dashboard
- Update the "Last Updated" date at the top of this policy
Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact Us
For privacy-related questions, concerns, or to exercise your data rights:
Privacy Contact
Realm9 Privacy Team
Email: support@realm9.app
Response Time: Within 30 days (GDPR requirement)
By using Realm9, you acknowledge that you have read, understood, and agree to this Privacy Policy. This policy describes privacy practices for the Realm9 software. For self-hosted deployments, your organization is the data controller and responsible for compliance with applicable data protection regulations.
