Privacy Policy

Last updated: June 19, 2026

1. Controller

Softure UG (haftungsbeschränkt)
Scharfenberger Str. 28, 13505 Berlin, Germany
Email: customers@softure-ug.de

For data protection inquiries, contact us at customers@softure-ug.de.

2. What We Collect

We process the following categories of personal data:

• Account data — email address and organization name provided during registration.
• Usage data — API calls, timestamps, endpoints accessed, and request metadata for service operation.
• Test data — the URLs, test suites, steps, and run results you submit through Tripwire. These are processed to generate and execute your end-to-end tests and to root-cause failures.
• Technical data — IP address, browser type, and device information collected automatically via server logs.

3. Legal Basis

We process your data based on:

• Contract performance (Art. 6(1)(b) GDPR) — to provide the Tripwire service.
• Legitimate interests (Art. 6(1)(f) GDPR) — for security, abuse prevention, and service improvement.
• Legal obligation (Art. 6(1)(c) GDPR) — for tax and accounting compliance.

4. Sub-Processors

To deliver the service, we share data with the following sub-processors:

• Anthropic, PBC — USA (the AI model that drives and diagnoses your tests; Standard Contractual Clauses in place)
• Contabo GmbH — Germany (infrastructure hosting)
• Resend, Inc. — USA (transactional email: verification and invitations)

All sub-processors are contractually bound not to use your data for training or purposes beyond providing the service.

Bring Your Own Key (BYOK): Tripwire drives tests with your own Anthropic API key, configured by you. Anthropic processes the test content under your account and your agreement with Anthropic.

Self-hosted deployments: No data is transmitted to Softure UG. The AI provider is configured by you (BYOK), and all data stays on your infrastructure. You are solely responsible for your provider relationships.

5. Data Retention

• Account data is retained while your account is active and for 30 days after organization deletion.
• When an organization owner deletes the organization, all data (users, suites, runs, issues, settings, API keys) is permanently and irreversibly removed.
• Server logs are retained for 90 days.

6. Cookies

Tripwire does not use tracking cookies or third-party analytics. We use only strictly necessary session storage to maintain your authenticated session. No consent banner is required.

7. Your Rights

Under the GDPR, you have the right to access, rectification, erasure, data portability, restriction, and objection. To exercise any of these rights, email customers@softure-ug.de. We will respond within 30 days.

8. Data Security

All data is encrypted in transit (TLS) and integration secrets are encrypted at rest (AES via Fernet). Access to production systems is restricted by role-based access control. Per-organization runs are isolated, and outbound network access is restricted on the cloud edition.

9. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence. Our lead supervisory authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

10. Changes

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 30 days before they take effect.