1. Introduction
This privacy policy describes how Reva ("the Service"), provided by x-idra.de ("we", "us"), handles data when deployed as a Microsoft Teams bot for release management. Reva is designed with privacy as a core principle — your data stays within your infrastructure.
Reva is an on-premise solution. All data processing occurs entirely within your organization's infrastructure. We do not operate a cloud service and do not receive or store your data.
2. Data Processing
Reva processes the following categories of data within your infrastructure:
- Conversation data: Messages exchanged between users and the Reva bot in Microsoft Teams. Stored in your local database (PostgreSQL recommended).
- User identity: Microsoft Teams display names and, if configured, mapped Release/Jira usernames. Used solely for request routing and tool authorization.
- Release & issue data: Information retrieved from your Digital.ai Release and Jira Cloud instances via MCP (Model Context Protocol) connections.
- Session data: Temporary session state stored in your local Redis instance. Automatically expired.
3. On-Premise Architecture
Reva is deployed as a Docker Compose stack within your network. The complete processing pipeline — including AI inference via a local LLM (Ollama) — runs on your hardware. No data is sent to external AI services or cloud APIs.
External network connections are limited to:
- Microsoft Bot Framework: Required for sending and receiving Teams messages. Authenticated via Azure AD JWT validation.
- Digital.ai Release: Your organization's Release instance (outbound API calls only).
- Jira Cloud: Your organization's Jira instance (outbound API calls only).
4. GDPR Compliance
As an on-premise deployment, your organization is the data controller. Reva is designed to support GDPR compliance:
- Data minimization: Only data necessary for release management operations is processed.
- No individual monitoring: Reva does not track, compare, or report on individual user activity or performance. Activity summaries are always anonymized.
- Data portability: All data is stored in a standard SQL database — fully exportable.
- Right to erasure: Conversation data can be deleted directly from the database.
- No third-party transfers: No personal data is transmitted to us or any third party.
5. BetrVG Compliance (German Works Council)
Reva is designed to comply with the German Works Constitution Act (Betriebsverfassungsgesetz):
- No features exist for monitoring individual employee performance or behavior.
- Activity logs and reports use anonymized descriptions ("a team member") rather than attributing actions to named individuals.
- Team and role lookups are limited to organizational information (e.g., who is assigned to a release team) — this is permitted as it constitutes organizational data, not surveillance.
6. Credential Security
All sensitive credentials (API tokens, database passwords, LDAP bind passwords) are managed via Docker Secrets and mounted as files at runtime. Credentials are typed as SecretStr in the application configuration, ensuring they are never logged or serialized in plaintext.
7. Data Retention
Data retention is controlled by your organization:
- Conversation history is stored in the database with no automatic expiration — your DBA controls retention.
- Redis session data expires automatically based on configured TTL values.
- Database backups (if configured) follow your organization's backup schedule and retention policy.
8. Website
This website (reva.x-idra.de) is a static informational site. All fonts are self-hosted — no data is transferred to third-party services (such as Google Fonts). No cookies are set.
We use Umami, a privacy-focused, open-source web analytics tool, self-hosted on our own infrastructure. Umami collects:
- Page views (which pages are visited, referrer URL)
- Browser type and operating system (from the User-Agent header)
- Country of origin (derived from IP address, which is then discarded)
Umami does not use cookies, does not collect personal data, and does not track individual users across sessions. IP addresses are not stored. All data is aggregated and cannot be traced back to individual visitors. The analytics data is stored exclusively on our own server and is not shared with third parties.
9. Contact via Email
When you contact us by email — whether to schedule a demo (info@x-idra.de), for privacy inquiries (privacy@x-idra.de), or for legal matters (legal@x-idra.de) — we process the personal data you provide. This typically includes your email address, name, and message content.
- Legal basis: Art. 6(1)(b) GDPR for demo requests and pre-contractual inquiries; Art. 6(1)(f) GDPR (legitimate interest) for general inquiries.
- Purpose: We use this data solely to respond to your request and, in the case of demo requests, to arrange and conduct the demonstration.
- Retention: Your data is deleted once the purpose has been fulfilled, unless statutory retention obligations (e.g. commercial or tax law) apply.
- No third-party sharing: Your data is not shared with third parties.
10. Contact
For questions about this privacy policy or data protection matters, contact us at: