Privacy Policy

Account Information

When you create an account, we collect:

• Email address
• Password (encrypted and hashed)
• Account creation date
• Email verification status

Usage Data

When you use the Service, we automatically collect:

• Agent call logs (timestamps, agent IDs, tool calls, security alerts)
• API key metadata (key names, creation dates, last used dates, revocation status)
• Security policies (policy names, rules, severity levels)
• Monthly usage statistics (number of agent calls and audits per month)
• IP addresses (for security and abuse prevention)
• Browser type and version
• Device information

Agent Interaction Data

To provide security monitoring, we collect:

• Agent prompts and inputs (for security analysis)
• Tool names and function calls
• Security verdicts (allow/block decisions)
• Alert details (when security policies are triggered)
• Agent metadata (agent IDs, names, descriptions)

Note: We do NOT store the actual responses or outputs from your agents — only the security-relevant metadata needed to protect your application.

Security Audit Data

When you run security audits through the Service, we collect and process:

• Agent endpoint URLs submitted for testing
• Audit configuration (selected modules, test parameters)
• Test payloads sent to your agent during security testing (e.g., injection probes, permission escalation attempts)
• Agent responses to audit test payloads (used for vulnerability analysis)
• Vulnerability findings, severity scores, and compliance mappings
• Generated audit reports and PDF exports

Audit data is associated with your account and is not shared with other users. Agent responses collected during audits are used solely for security analysis and scoring — they are not used to train AI models or shared with third parties.

Security Analysis

AI models analyze your agent's responses to security test payloads to determine whether vulnerabilities exist. This includes evaluating responses against multiple criteria such as instruction compliance, refusal detection, data leakage, and prompt injection susceptibility.

Compliance Mapping

AI models map audit findings to regulatory frameworks (SOC 2, HIPAA, GDPR, EU AI Act) to generate compliance assessments and recommendations.

Data Handling

Data sent to AI models for analysis is processed in real-time and is not retained by the AI model provider for training purposes. We use enterprise-grade AI APIs with data processing agreements that prohibit the use of your data for model training or improvement.

No Automated Decision-Making

AI-generated findings and scores are informational. The Service does not make automated decisions that produce legal effects or similarly significant effects concerning you. All audit results should be reviewed by qualified security professionals.

Where We Store Your Data

Your data is stored securely using enterprise-grade cloud infrastructure, including:

• Authentication: Account credentials and authentication tokens are stored with industry-standard encryption
• Application Data: Agent calls, policies, alerts, audit results, and usage data are stored in managed database services
• Audit Reports: Generated PDF reports are stored in encrypted cloud storage

All data is stored in data centers with enterprise-grade physical security, and all data is encrypted at rest (AES-256) and in transit (TLS 1.3).

Security Measures

We implement industry-standard security measures to protect your data:

• TLS 1.3 encryption for all data transmission
• AES-256 encryption at rest for all stored data
• Encrypted password storage using secure hashing algorithms
• API key encryption and secure key management
• Role-based access controls and security rules to prevent unauthorized access
• Regular security audits and monitoring
• Rate limiting to prevent abuse

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you via email within 72 hours of becoming aware of the breach, as required by applicable data protection laws.

Account Data

Retained until you delete your account. After deletion, personal information is removed within 30 days, except where retention is required for legal or regulatory purposes.

Audit Results and Reports

• Free tier: Audit results retained for 30 days
• Pro tier: Audit results retained for 1 year
• Enterprise tier: Custom retention period per your agreement
• One-time audits: Audit results retained for 90 days

Agent Call Logs

Retained for 90 days for analytics and security purposes, regardless of tier.

Other Data

• Security alerts: Retained for 90 days or until manually dismissed
• Usage statistics: Retained for 12 months for billing and analytics
• API keys: Retained until manually revoked

Access and Portability

You can access and export your data at any time through your dashboard. Contact us at support@agent-shield.com to request a complete copy of your data.

Correction

You can update your account information (email) through your account settings page.

Deletion

You can delete your account at any time through your settings page or by contacting us. Upon deletion, all your personal data will be removed within 30 days.

Objection and Restriction

You can object to or restrict certain data processing activities by contacting us. However, this may limit your ability to use certain features of the Service.

Opt-Out

You can opt out of marketing emails by clicking the "unsubscribe" link in any email we send. Note that you cannot opt out of essential service-related emails (e.g., security alerts, account notifications).

Legal Basis for Processing

We process your personal data based on:

• Consent: You have given explicit consent for us to process your data
• Contract: Processing is necessary to perform our contract with you (Terms of Service)
• Legitimate Interests: Processing is necessary for our legitimate interests (e.g., fraud prevention, security)

Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all sub-processors who handle personal data on our behalf, including infrastructure providers, AI model providers, and payment processors. Enterprise customers may request a copy of our DPA or execute a custom DPA by contacting privacy@agent-shield.com.

Data Protection Officer

For GDPR-related inquiries, please contact our data protection officer at: privacy@agent-shield.com

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, our business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (such as data needed to complete a transaction or comply with legal obligations).

Right to Correct

You have the right to request correction of inaccurate personal information we hold about you.

Right to Opt-Out of Sale or Sharing

We do not sell or share your personal information as defined under the CCPA/CPRA. We do not use your personal information for cross-context behavioral advertising.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality of service, or level of service for exercising your rights.

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@agent-shield.com or through your account settings. We will verify your identity before processing your request and respond within 45 days.