1. About JetStack AI
JetStack AI is a product developed and operated by ambrstack, designed to make platform implementations scalable, repeatable, and efficient. The platform empowers Solutions Partners and customers to deploy workflows, migrate schemas, replicate assets, and audit configurations across CRM and work management platforms — including HubSpot, Salesforce, Dynamics 365, Jira, Asana, Monday.com, and ClickUp — without manual effort.
In order to deliver these services, JetStack AI processes limited technical information related to your platform account — specifically schema-level metadata such as property names, field types, object relationships, pipeline structures, and workflow configurations.
Unlike traditional middleware or data migration tools, JetStack AI does not read, ingest, or store customer CRM records such as contacts, companies, deals, tickets, or communications. This principle is central to our architecture: we focus exclusively on the "shape" of a portal, not its operational data.
2. Scope of This Policy
This Privacy Policy applies to all aspects of JetStack AI's operations, including:
- Systems and Infrastructure — Production, staging, and development environments; APIs, connectors, and integrations; monitoring, logging, and cloud service layers
- Data Types Covered — Schema metadata, operational logs, and authentication data
- Subprocessors and Vendors — All third-party infrastructure providers supporting JetStack AI's operations
- Personnel and Contractors — All ambrstack employees, contractors, or consultants with access to JetStack AI systems
- Customer and Partner Engagements — All customers using JetStack AI for platform replication, workflow automation, or schema mapping
This policy does not extend to data processing activities performed entirely within HubSpot or other customer-managed platforms, customer-side integrations created independently of JetStack AI, or third-party applications installed by customers outside the scope of JetStack AI's subprocessors.
3. Data We Process
Schema Metadata Confidential
Metadata describing the structure of your platform portal, including property names, field types, pipelines, object definitions, workflow setups, and schema relationships. This is required for JetStack AI's core functions such as replicating workflows, creating lists, mapping objects, and configuring automation.
- Encrypted in transit and at rest
- Accessible only to systems and personnel performing authorized processing
- Stored only for the duration necessary to provide replication or automation services
- Processed in memory whenever possible to avoid persistence
Operational & System Logs Internal
Information about system performance, ETL jobs, authentication events, error traces, and monitoring alerts. Used for debugging, performance optimization, and security incident detection.
- Logs do not contain CRM record content
- Logs may include schema identifiers, error codes, and timestamped events
- Retention is time-limited (typically 30–90 days depending on category)
Authentication Data Confidential
Credentials, tokens, and session identifiers processed through PropelAuth to authenticate users. User sessions are tokenized, stored in encrypted databases, and expired tokens are automatically purged. JetStack AI never stores or has access to plaintext passwords.
4. Data We Do Not Process Excluded
JetStack AI does not access, process, or store customer content data.
This includes: contacts, companies, deals, tickets, emails, notes, attachments, files, or any transactional CRM data. All customer content remains within your platform environment under your sole control.
This exclusion is not a policy choice — it is an architectural decision. JetStack AI's systems are engineered so that CRM record data is never read from, written to, or passed through our infrastructure.
5. How We Use Your Data
JetStack AI processes schema metadata exclusively for the following purposes:
- Platform Replication — Replicating workflows, pipelines, properties, and other assets between portals
- Automated Audits — Running 800+ automated data point checks across your portal configuration
- Schema Mapping — Mapping objects, fields, and relationships for migration and deployment
- Template Deployment — Deploying pre-built configuration templates from our Marketplace
- Service Improvement — Analyzing anonymized usage patterns to improve platform performance
We do not sell, rent, or share your data with third parties for advertising or marketing purposes.
6. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), JetStack AI processes data on the following legal bases:
- Contractual Necessity — Processing is necessary to fulfill our contractual obligations to you as a customer or partner (Article 6(1)(b))
- Legitimate Interest — Processing for security monitoring, fraud prevention, and service improvement (Article 6(1)(f))
- Consent — Where applicable, for analytics cookies and marketing communications (Article 6(1)(a))
7. Data Storage & Residency
Data is primarily processed within Stockholm, Sweden and US East using AWS and Google Cloud infrastructure.
- Schema metadata is processed in-memory whenever possible and stored only when required for functionality
- Where required by contract, JetStack AI can localize processing to specific regions, subject to subprocessor capabilities
- All subprocessors are selected for their global compliance with GDPR, CCPA, and SOC 2 requirements
8. Encryption & Security
| Measure | Standard |
|---|---|
| Data in Transit | TLS 1.2 or higher |
| Data at Rest | AES-256 encryption |
| Backups | AES-256, stored on secure AWS infrastructure |
| Authentication Tokens | Time-limited, automatic rotation |
| Passwords | Never stored in plaintext; managed via PropelAuth |
JetStack AI employs a multi-layered security strategy combining encrypted communication channels, secure storage, automated vulnerability scanning, static code analysis, environment segregation, and infrastructure-as-code provisioning.
9. Access Controls
- Role-Based Access Control (RBAC) — Access to data and systems is governed by job function
- Least Privilege Principle — Users and systems are granted only the access necessary for their role
- Multi-Factor Authentication (MFA) — All privileged accounts authenticate using MFA
- Access Logging — All system access is logged, monitored, and reviewed periodically
- Peer Code Review — All new code undergoes review to ensure adherence to secure coding guidelines
10. Subprocessors
JetStack AI engages the following third-party subprocessors to deliver its services. Each subprocessor has been vetted for compliance with industry security standards and is bound by Data Processing Agreements (DPAs).
| Subprocessor | Purpose | Certifications |
|---|---|---|
| Firebase (Google Cloud) | Metadata processing and schema data mapping | ISO 27001, SOC 2, GDPR |
| Amazon Web Services (AWS) | ETL processing and cloud infrastructure hosting | ISO 27001, SOC 2, GDPR, HIPAA |
| PropelAuth | Authentication and identity management | OAuth2, SSO, MFA; GDPR-aligned |
| Sentry | Error monitoring and ETL logging | SOC 2 |
| New Relic | Performance monitoring and system telemetry | SOC 2 |
| MongoDB | Storage of imported asset schemas | SOC 2, ISO 27001 |
Customers are notified of material changes to this subprocessor list in accordance with GDPR Article 28 requirements.
11. Data Retention & Deletion
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Schema Metadata | Duration of service + 30 days | Cryptographic erasure |
| Operational Logs | 30–90 days | Automatic purge |
| Authentication Data | Duration of active session | Automatic token expiry |
| Backups | Per retention schedule | Secure destruction |
Schema metadata that is no longer required is securely deleted using cryptographic erasure techniques, rendering encrypted data unreadable by destroying the encryption keys.
12. Your Rights
Under GDPR and applicable data protection laws, you have the following rights:
- Right of Access — Request a copy of the data we hold about you
- Right to Rectification — Request correction of inaccurate data
- Right to Erasure — Request deletion of your schema metadata
- Right to Data Portability — Request export of your data in a machine-readable format
- Right to Restrict Processing — Request limitation of how we process your data
- Right to Object — Object to processing based on legitimate interests
- Right to Withdraw Consent — Withdraw consent at any time where processing is consent-based
To exercise any of these rights, contact us at team@jetstack.ai. We will respond within 30 days.
14. Incident Response
JetStack AI maintains a documented incident response framework covering detection, containment, eradication, recovery, and reporting.
- Breach Notification — Customers and supervisory authorities are notified within 72 hours of a confirmed incident involving schema metadata
- Real-Time Monitoring — Sentry and New Relic provide continuous system monitoring with automated alerts for anomalies
- Recovery Objectives — Recovery Time Objective (RTO) of 24 hours; Recovery Point Objective (RPO) of 12 hours
15. Children's Privacy
JetStack AI is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at team@jetstack.ai and we will delete the information promptly.
16. Changes to This Policy
This policy is formally reviewed at least once every 6 months. Interim reviews occur when there are material changes to JetStack AI's architecture, subprocessors, or applicable regulations. Updates are communicated to customers proactively, and previous versions are archived for at least 5 years.