Data & Privacy
This page documents exactly what data the Saviour agents collect and send to the Saviour platform. Use this during security reviews and procurement.
What Centurion collects
Centurion watches Kubernetes API resources. It collects metadata and state — never the contents of workloads.
✅ Collected by Centurion
| Category | What exactly | Purpose |
|---|---|---|
| Kubernetes Events | Event type, reason, message, involved object (name, namespace, kind), count, timestamps | Anomaly detection, incident context |
| Pod state | Name, namespace, labels, status phase, container names, image names (not image contents), restart count, conditions | Topology, health tracking |
| Deployment / ReplicaSet / StatefulSet / DaemonSet | Name, namespace, labels, desired/ready/available replicas, conditions | Topology, ownership graph |
| Service | Name, namespace, labels, selector, ports (number + protocol, not payload) | Service discovery |
| Node | Name, labels, conditions (Ready/NotReady), capacity (CPU/memory totals), allocatable resources | Topology, node health |
| Ingress / Gateway | Name, namespace, rules (host + path), TLS settings (host only, not cert content) | Service exposure |
| Jobs / CronJobs | Name, namespace, status, schedule expression | Job health tracking |
| PersistentVolumeClaims | Name, namespace, storage class, access modes, status (Bound/Pending) | Volume health |
❌ Never collected by Centurion
| What | Why it's excluded |
|---|---|
| Secret values | watchSecrets is false by default. Even if enabled, only metadata (name, namespace, labels) is collected — never data or stringData |
| ConfigMap values | watchConfigMaps is false by default. Same as Secrets if enabled |
| Environment variables | Not accessible via the Kubernetes watch API |
| Container filesystem | Centurion has no mount into workload containers |
| Network traffic / payloads | Centurion does not tap network traffic |
| Application logs | Centurion does not read pod logs (that's Sentinel's containerLogs collector) |
What Sentinel collects
Sentinel reads host-level data from the Linux kernel and container runtime.
✅ Collected by Sentinel
| Category | What exactly | Purpose |
|---|---|---|
| CPU metrics | Per-core utilization %, system/user/iowait split | Host performance |
| Memory metrics | Total, used, available, swap, buffer/cache (bytes) | Host performance |
| Disk I/O | Read/write bytes per device, IOPS, latency (per device name) | Host performance |
| Network metrics | Bytes in/out per interface, packet counts, error counts (interface names, not payload) | Host performance |
| Process samples | Top-N processes by CPU/memory: PID, name, CPU%, memory bytes, user (UID) | Performance diagnosis |
| Container logs | Log lines from /var/log/pods/ with pod name, namespace, container name | Log collection |
| journald logs | Log lines at configured priority levels (err/warning/notice/info) with unit name, PID, message | System log collection |
| systemd service state | Service name, active state (running/stopped/failed), enabled state | Service health |
| Crash events | OOM kill events (process name, bytes, node), kernel panic messages | Crash detection |
| cgroup metrics | Per-cgroup CPU and memory usage (when cgroupMetrics.enabled=true) | Container resource attribution |
✅ Collected in eBPF mode (opt-in, sentinel.ebpf.enabled=true)
| Category | What exactly | Purpose |
|---|---|---|
| Process events | exec/exit events: PID, process name, parent PID, timestamp | Process lifecycle |
| Network flows | Source IP:port → destination IP:port, protocol, bytes transferred, duration | Network observability |
| HTTP traces | Method, URL path (not query string or body), status code, latency, source/destination | L7 performance |
❌ Never collected by Sentinel
| What | Why it's excluded |
|---|---|
| Network payload contents | Flow tracking records connection metadata only — no packet inspection |
| HTTP request/response bodies | HTTP tracing records method, path, and status code only |
| HTTP query strings | Excluded by default — may contain tokens or PII |
| File contents | Sentinel reads /proc and /var/log/pods line-by-line; it does not read arbitrary files |
| Kubernetes Secrets | Sentinel has no Kubernetes API access |
| SSH sessions / terminal input | Not captured |
| Application memory | No memory dumps or heap inspection |
| Credentials / tokens in env vars | Process monitoring captures process name and PID, not environment variables |
Data transmission
| Property | Value |
|---|---|
| Protocol | HTTPS (TLS 1.2+) |
| Destination | api.saviourops.com:443 |
| Authentication | Ingestion key in HTTP Authorization header |
| Compression | gzip |
| Direction | Agents → Backend only (no inbound connections to your cluster) |
| Batch interval | Events: every 5s; Metrics: every 15s (configurable) |
| Offline buffer | Up to 72h of data buffered locally in SQLite if backend is unreachable |
Data residency
All data is stored in the Saviour platform. Contact support@saviourops.com for information about data residency regions and data processing agreements (DPAs).
Reducing the data collected
You can narrow what each agent collects via Helm values:
# Disable container log collection
helm upgrade saviour oci://ghcr.io/saviourops-labs/charts/saviour \
--set sentinel.containerLogs.enabled=false --reuse-values
# Disable journald log collection
helm upgrade saviour oci://ghcr.io/saviourops-labs/charts/saviour \
--set sentinel.collectors.journaldLogs=false --reuse-values
# Disable eBPF entirely (baseline metrics only)
helm upgrade saviour oci://ghcr.io/saviourops-labs/charts/saviour \
--set sentinel.ebpf.enabled=false --reuse-values
# Exclude specific namespaces from Centurion event watching
helm upgrade saviour oci://ghcr.io/saviourops-labs/charts/saviour \
--set "centurion.watcher.excludeNamespaces={kube-system,kube-public,my-sensitive-ns}" \
--reuse-values
Security hardening
For additional security controls, see:
- Centurion RBAC reference — exact ClusterRole permissions
- Architecture Overview — network requirements and data flow diagram
- Contact support@saviourops.com for a full security questionnaire response