Privacy Policy
Last updated: 2026-05-31
1. What we collect
- Account: email address, organization name, role.
- Project data: endpoint URLs, model names, and API keys you provide for the systems you test (stored encrypted at rest).
- Assessment data: the attack prompts sent, the target system’s responses, generated reports and findings.
- Billing: payment is processed by Stripe; we store only your Stripe customer ID and subscription state, not card details.
- Telemetry: standard server logs (timestamps, IP, user agent, request path) for security and debugging.
2. How we use it
- To run the Service: send attacks, score responses, produce reports, render the dashboard.
- To bill you and process subscription events.
- To diagnose incidents, prevent abuse, and improve product quality.
- To send transactional emails (verification codes, billing receipts).
3. What we do NOT do
- We do not train AI models on your attack runs, target responses, or report content.
- We do not sell or rent your personal data.
- We do not share your project endpoints or API keys with third parties.
4. Sub-processors
We rely on these vendors to operate the Service. Each has signed an industry-standard DPA:
- Supabase — authentication, database, file storage.
- Vercel — application hosting and edge delivery.
- Stripe — payments and subscription management.
- LLM providers (Anthropic / OpenAI / Groq, depending on configuration) — used to generate escalated attack prompts and score target responses. Prompts and responses transit these providers and are subject to their data-retention policies.
5. Retention
Assessment data is retained for the lifetime of your account so you can revisit historical reports. You can delete an organization at any time via the dashboard, which removes all associated projects, assessments, and reports within 30 days.
6. Your rights
Depending on your jurisdiction, you may have the right to access, correct, port, or delete your personal data. Contact privacy@aegis.example.com (replace before launch) to exercise these rights.
7. Security
We encrypt data at rest and in transit. Target-system API keys are encrypted using provider-managed keys before being persisted. Access to production data is restricted.
8. International transfers
Our hosting infrastructure runs in the United States. By using the Service you consent to transfer of your data to the U.S.
9. Children
Aegis is not directed to anyone under 16. We do not knowingly collect data from minors.
10. Changes
Material updates to this Policy will be announced at least 14 days in advance via email.
11. Contact
Privacy concerns: privacy@aegis.example.com (replace before launch).