Skip to main content

Fixed.sh

← Home

Trust

Security & data privacy

How Fixed.sh protects operational data, gates remediation behind human approval, and handles integrations during the private preview.

Last updated

Overview

Fixed.sh helps operations, SRE, IT, helpdesk, and security teams investigate incidents and tickets with evidence-backed AI. This page describes how we think about security and data privacy for the product and for teams in the private preview.

We are early in the journey. Capabilities, subprocessors, and contractual terms for preview customers are finalized during onboarding. If you need a data processing agreement, security questionnaire, or subprocessor list before joining, say so when you request access.

Product architecture and data flow

Fixed is built around two permission levels that should not be blurred:

  • Investigate mode ingests alerts, tickets, metrics, logs, dependency context, and related metadata to produce ranked hypotheses, timelines, and RCA briefs. It is read-oriented: nothing in your environment changes until a human decides.
  • Repair mode proposes playbooks (for example pool limits, rollbacks, or isolation steps). Those actions stay queued until an authorized person approves them in the product.

What typically flows through Fixed

  • Alert and incident metadata from paging and monitoring tools
  • Ticket fields and comments from ITSM systems
  • Time-series, log excerpts, and trace references needed for correlation
  • Service topology and dependency relationships
  • Change and deploy signals used for attribution
  • User actions inside Fixed: approvals, deprioritized hypotheses, notes

Data we collect in the product

During private preview, the data Fixed processes depends on which connectors your team enables. In general:

  • Account and workspace data: team members, roles, and configuration you set during onboarding
  • Operational content pulled through integrations you authorize: incidents, tickets, observability artifacts, and security signals relevant to an investigation
  • Derived artifacts: ranked hypotheses, confidence scores, timelines, RCA drafts, and repair proposals generated from that context
  • Audit-oriented records: who approved or rejected a playbook, status changes, and human overrides where the product surfaces them

We do not ask you to ship full database dumps or unrestricted log archives by default. Connector scope should match what your runbooks already need for triage.

How we use data

We use customer data to operate Fixed for your team: correlate signals, rank hypotheses, draft investigation output, and queue approved remediation steps.

We do not sell your operational data. We do not use your incident content to train shared foundation models for other customers without a written agreement that says otherwise.

Aggregated, de-identified product metrics (for example feature usage or latency) may inform reliability and roadmap decisions. Those metrics are not intended to expose the contents of your incidents.

AI and model providers

Fixed may call third-party model APIs to summarize, rank, or draft text grounded in evidence you already have in the workspace. When we do:

  • Prompts are built from retrieved context (tickets, alerts, metrics excerpts, graph slices), not open-ended chat history unrelated to the incident
  • Outputs are presented as hypotheses or drafts for human review, with citations back to source artifacts where the product supports it
  • Preview teams can discuss data residency, model choice, and zero-retention options during onboarding

Integrations and subprocessors

Fixed connects to tools your team already uses (for example PagerDuty, ServiceNow, Datadog, Grafana, Intune, CrowdStrike, Slack, and GitHub in workspace examples). Each integration follows the permissions you grant in that vendor.

We also rely on infrastructure and service providers to host the product, deliver email, and operate secure development practices. A current subprocessor list is available to preview customers under NDA or in your order form.

Security practices

Security is part of the product design, not a bolt-on. During private preview we align on your requirements; the practices below reflect our baseline direction:

  • Encryption in transit (TLS) for client and integration traffic
  • Encryption at rest for stored workspace data using platform-managed keys, with customer-managed key options discussed for enterprise deployments
  • Role-based access inside Fixed so only authorized members can approve repair actions or view sensitive investigations
  • Separation between environments used for development and production customer data
  • Logging and monitoring of the Fixed service for abuse, errors, and availability
  • Vulnerability management and dependency patching on a regular cadence

SOC 2 or ISO reports are not published on this page. If your procurement process requires them, ask during preview onboarding and we will share what is available for our stage.

Retention and deletion

Retention periods for workspace data, audit logs, and integration caches are configured per agreement. Preview defaults are documented when your workspace is provisioned.

When you end a preview or request deletion, we delete or return customer data according to your contract and applicable law, subject to limited backup retention needed for disaster recovery or legal hold.

Your choices and privacy rights

Depending on where you operate, you may have rights to access, correct, delete, or restrict processing of personal data. Operational tickets and alerts often contain employee or end-user information: treat Fixed as part of your broader data map.

For preview access requests submitted on this site, contact us through the same email thread we use to reply to your form submission, or ask your Fixed onboarding contact.

For in-product privacy questions, use the channel defined in your preview or enterprise agreement.

Security incidents

If we confirm a breach of Fixed systems that affects customer data, we will notify affected customers without undue delay and share what we know about scope, impact, and remediation steps, consistent with contract and regulatory requirements.

Changes to this page

We may update this page as the product and compliance posture evolve. Material changes will be reflected in the “Last updated” date below. Continued use of Fixed after an update constitutes acceptance of the revised page where your agreement references it.