Your data is captured to fix bugs — not to be exposed.
SnagRelay captures sensitive browser state including API payloads and DOM snapshots. We take that responsibility seriously. Here is exactly how we protect it.
SOC 2 Compliant
SnagRelay is SOC 2 Type I compliant. Our controls cover security, availability, and confidentiality. The audit scope covers access control, encryption at rest and in transit, incident response, and vendor risk management.
GDPR Ready
SnagRelay is operated under UK GDPR (post-Brexit) and is compatible with EU GDPR requirements. We act as a data processor for your organisation. A Data Processing Agreement (DPA) is available on request for all paid plans.
Encryption
All data in transit is encrypted with TLS 1.2 or later using 256-bit cipher suites. Data at rest is encrypted using AES-256. This includes bug report payloads, session replay recordings, DOM snapshots, and all API request/response data captured by the widget.
Data Residency
SnagRelay infrastructure is hosted in the EU (DigitalOcean AMS3, Amsterdam). Bug report data, session recordings, and API payloads do not leave EU-region servers unless you configure a custom webhook to an external endpoint.
Access Control
Access to production systems is restricted to authorised personnel only, protected by multi-factor authentication and the principle of least privilege. All access events are logged and auditable. Employee access is reviewed quarterly.
Vulnerability Disclosure
We operate a responsible disclosure policy. If you discover a security vulnerability in SnagRelay, please report it to [email protected]. We aim to acknowledge reports within 24 hours and resolve confirmed issues within 30 days.
What we capture and how long we keep it.
SnagRelay captures technical context from end-user browsers. Below is a complete breakdown of every data type, how it is stored, and when it is deleted.
| Data type | Retention & handling |
|---|---|
| Bug report content | Screenshot, description, repro steps — stored encrypted, deleted on account closure |
| Session replay recordings | Video recordings are retained for 90 days by default; configurable per project |
| API payloads | Network request/response data stored encrypted; configurable scrubbing rules available |
| Console logs | Retained alongside the bug report; deleted with the report |
| Reporter metadata | Browser, OS, screen resolution — no PII captured unless the reporter includes it in the description |
| Account data | Name, email, billing details — retained for the life of the account + 90 days post-closure |
Third-party services we use.
We use a small number of trusted subprocessors to operate SnagRelay. Each is bound by appropriate data processing agreements and GDPR-compliant terms.
| Vendor | Purpose |
|---|---|
| DigitalOcean | Cloud infrastructure — compute, storage, database |
| Stripe | Payment processing and subscription management |
| Mailtrap | Transactional email delivery (receipts, alerts) |
| Cloudflare | CDN, DDoS protection, DNS |
| Google Analytics (GA4) | Anonymised website analytics (marketing site only, not app) |
Last updated: May 2026. We will notify customers 30 days before adding new subprocessors.
Data Processing Agreement
A DPA is available for all paid plan customers to satisfy GDPR Article 28 requirements. The DPA covers processing scope, data subject rights, security obligations, and breach notification timelines (72 hours to supervisory authority, 7 days to customers).
Request DPA → [email protected]
Security Contact
Found a vulnerability? We operate a responsible disclosure policy. Please do not publicly disclose the issue before we have had a chance to remediate it. We acknowledge reports within 24 hours and aim to resolve confirmed issues within 30 days.
Report a vulnerability → [email protected]
| Metric | Value | Scope |
|---|---|---|
| Uptime SLA | 99.9% | Paid plans — credited if breached |
| Breach notification | 72 hrs | To supervisory authority under GDPR |
| Vuln remediation target | 30 days | Confirmed critical issues |