Privacy Policy

This policy explains what Sutra collects when you connect a Salesforce org, how that data is processed and protected, and the choices you have over it.

Last updated 2026-05-29

1. Who we are

Sutra is a Salesforce DevOps platform that helps teams compare, validate, deploy, and audit Salesforce metadata. This policy describes how Sutra (“we”, “us”) handles personal and organizational data when you use the service.

2. Data we collect

We collect only what we need to operate the service:

  • Account data. Your name, email address, and authentication credentials required to create and secure your account.
  • Salesforce connection data. When you connect a Salesforce org, we store the OAuth access and refresh tokens issued by Salesforce. We never see or store your Salesforce password — connections are OAuth 2.0 only.
  • Metadata we process. To compare and deploy, we retrieve Salesforce metadata components (such as Apex classes, flows, and configuration) on your behalf. This is processed to render diffs, validate changes, and execute deployments you initiate.
  • Operational data. Audit events, deployment history, and diagnostic logs needed to run, secure, and support the platform.

3. How we use data

We use the data above to provide the service you ask for: to authenticate you, connect your orgs, compute metadata diffs, run the deployments and retrieves you trigger, maintain an append-only audit trail, and provide support. We do not sell your data, and we do not use your Salesforce metadata to train models.

4. How we protect data

Each workspace is isolated at the database layer, and Salesforce OAuth tokens are encrypted before they are stored. For a fuller technical description of our security architecture, see the Security page.

5. Data retention & deletion

We retain data for as long as your account is active or as needed to provide the service. You can disconnect a Salesforce org at any time, which revokes the stored tokens. When you close your account, we delete or anonymize your data within a reasonable period, except where retention is required for legal, security, or audit-integrity reasons.

6. Sub-processors

We rely on a small set of infrastructure providers (hosting, storage, and email delivery) to operate the service. These providers process data only on our instructions and under contractual confidentiality and security obligations.

7. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise these rights, contact us using the details below.

8. Contact

Questions about this policy or your data? Reach us at privacy@sutra.dev.