Privacy Policy

Aegis is the controller of the personal information described below. If you have questions about this policy or how we handle your data, write to privacy@aegis.example.com.

For data that you submit to the Service on behalf of an organisation (an “Account” or “Workspace”), your organisation is the controller and Aegis acts as a processor under the Data Processing Addendum that forms part of the customer agreement.

We collect personal information in three ways:

• You provide it. Account details (name, work email, workspace name), profile settings, support correspondence, and content you create in the Service (policies you author, comments, answers to questionnaires).
• Your integrations provide it. When you connect AWS, GitHub, Google Workspace, or another integration, we receive only the data the connection allows and only what is required to evaluate the controls you have enabled. Examples: account IDs, repository metadata, user email addresses, MFA enrolment status. We never receive your source code, your customer data stored in those systems, or credentials.
• We collect it automatically. Technical information about how you use the Service: IP address, user agent, device, pages viewed, audit events (sign-in, role change, evidence run). We use this to keep the Service secure and to debug.

We do not knowingly collect information from anyone under 16. The Service is not directed to children.

We process personal information to:

• provide and maintain the Service you have signed up for;
• evaluate the security and compliance signals you have asked us to monitor, and present the results back to you;
• authenticate users, manage workspaces, send transactional messages (verification codes, invitation emails, evidence-run results, policy assignments);
• keep the Service secure (rate limiting, anomaly detection, abuse prevention);
• comply with our legal obligations and enforce our Terms;
• improve the Service — measuring which features are used, where errors occur, and how to make the next release safer or faster. We do this on aggregated and pseudonymised data wherever possible.

We do not sell personal information, and we do not use the data your integrations expose to us to train general-purpose machine learning models that benefit other customers.

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Contract — to create your account, run the Service you have asked for, and send the messages required to operate it.
• Legitimate interests — for product analytics, security monitoring, and improving the Service, balanced against your privacy rights.
• Legal obligation — when we need to respond to lawful requests or maintain records required by law.
• Consent — where we ask for it explicitly (for example, for non-essential cookies). You can withdraw consent at any time.

We share information with a limited set of third parties, and only when we need to:

• Sub-processors — cloud infrastructure (AWS), email delivery (Zeptomail), error tracking, and analytics providers. The current list is published in the Data Processing Addendum.
• Other workspace members — your name, work email, role, and activity inside a workspace are visible to other members of the same workspace.
• Successors — if we go through a corporate transaction (merger, acquisition, sale of assets), personal information may be transferred to the successor under equivalent confidentiality protections.
• Law enforcement — when required to comply with a lawful request, court order, or to protect the rights, property, or safety of Aegis, our customers, or the public.

The Service is hosted in the United States (US-East region by default). If you are accessing the Service from outside the US, your information will be transferred to and processed in the US. Where required by law, we rely on Standard Contractual Clauses or other approved transfer mechanisms to safeguard those transfers.

We retain personal information for as long as your account is active and for a limited period afterwards to satisfy our legal, accounting, and audit obligations. Specifically:

• Account and workspace records: deleted within 90 days of workspace deletion, except where retention is required by law.
• Audit logs (workspace events, evidence runs): retained for up to 7 years to support compliance audits.
• Server-side request logs: 30 days, then automatically purged.

You can request deletion of your personal information at any time — see “Your rights” below.

Depending on where you live, you may have the right to:

• access the personal information we hold about you;
• correct or update inaccurate information;
• delete your personal information (subject to limited exceptions);
• port your personal information to another service;
• object to or restrict certain processing, including processing based on legitimate interests;
• withdraw consent where processing is based on consent.

To exercise any of these rights, contact privacy@aegis.example.com. We will respond within the timeframes required by applicable law (typically 30 days). You also have the right to complain to your local supervisory authority.

We protect personal information with industry-standard technical and organisational measures: TLS 1.2+ for data in transit, AES-256 for data at rest, scoped IAM, MFA-enforced admin access, least-privilege secrets handling, and continuous monitoring. No system is perfectly secure; in the event of a breach affecting your personal data we will notify you and the relevant authorities within the timeframes required by law.

We use a small number of strictly necessary cookies to keep you signed in and to protect against fraud. We do not use third-party advertising cookies. For analytics, we use a first-party, privacy-preserving setup that does not store identifying information in cookies.

We may update this Privacy Policy from time to time. When we do, we will update the “effective” date at the top. Material changes will be announced in-app or by email at least 30 days before they take effect.