Legal

Privacy Policy

Last updated: May 18, 2026

1. Introduction

Strike Atlas is an AI-powered automated penetration testing platform operated by Buguard ("we", "us", "our"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use Strike Atlas (the "Platform") and related services.

By accessing or using Strike Atlas, you agree to the practices described in this policy. If you do not agree, please do not use the Platform.

For questions or concerns, contact us at hello@strikeatlas.ai.

2. Information We Collect

Account Information

When you create an account or request a demo, we collect:

• Full name, job title, and company name
• Work email address and phone number
• Target domain(s) and organization details provided during onboarding
• Billing and payment information (processed by our payment provider)

Security Scan & Target Data

The core function of Strike Atlas involves running automated security assessments. In doing so, we collect and process:

• Target domains, IP ranges, and application URLs you submit for testing
• Discovered subdomains, services, endpoints, and network topology
• Identified vulnerabilities, security findings, and risk classifications
• Proof-of-concept artifacts generated by AI agents during testing
• Security reports and remediation recommendations

Agent Interaction & Usage Data

We collect telemetry to operate and improve the Platform:

• Agent execution logs, task queues, and reasoning traces (anonymized before use for improvement)
• Platform feature usage, scan configurations, and workflow interactions
• Browser type, operating system, IP address, and referring URLs
• Session identifiers and authentication events

3. How We Use Your Information

We use the information we collect to:

• Deliver penetration testing services - provision and execute automated security scans against your authorized targets
• Generate security reports - compile findings, prioritize vulnerabilities, and produce actionable remediation guidance
• Improve AI agents - use aggregated, anonymized scan telemetry to refine agent reasoning, detection capabilities, and accuracy (never using customer vulnerability data in identifiable form)
• Communicate with you - send scan status notifications, security alerts, product updates, and support responses
• Operate and maintain the Platform - authenticate users, prevent abuse, and ensure platform stability
• Comply with legal obligations - respond to lawful requests from authorities and meet regulatory requirements

4. Security Scan Data

Specifically:

• Encryption at rest: All scan results, findings, and vulnerability data are encrypted using AES-256 at rest in our database and object storage systems.
• Encryption in transit: All data transmitted between your browser, our platform, and AI agent infrastructure uses TLS 1.3 or higher.
• Access controls: Scan data is scoped to your organization. Access within Buguard is restricted to personnel required for support and operations, governed by role-based access controls and audit logging.
• No cross-customer data sharing: Your scan results are never shared with, or accessible by, other Strike Atlas customers.
• AI model isolation: When AI agents use third-party model inference, target-identifying metadata is stripped before transmission. Prompts do not contain customer names, domain names, or personally identifiable context beyond what is operationally necessary.

5. Data Retention

We retain your data for as long as necessary to provide services and comply with legal obligations:

• Scan data and security findings: Retained for the duration of your active subscription plus 90 days following termination or expiry, after which they are permanently deleted.
• Account information: Retained while your account is active. Deleted within 30 days of account closure upon request.
• Usage and audit logs: Retained for up to 12 months for security monitoring and compliance purposes.
• Billing records: Retained for 7 years as required by financial regulations.

You may request early deletion of your data at any time by contacting hello@strikeatlas.ai. Deletion requests are processed within 30 days, subject to legal retention requirements.

6. Third-Party Services

We rely on trusted third-party providers to deliver the Platform:

• Cloud infrastructure: We use industry-leading cloud providers for compute, storage, and network infrastructure. These providers are contractually bound to process data only on our instructions and maintain equivalent security standards.
• AI model providers: Strike Atlas agents use large language models for security reasoning. We maintain data processing agreements with all AI providers and minimize data transmitted to model APIs (no raw scan output containing PII is sent to external models).
• Payment processing: Billing is handled by PCI-DSS-compliant payment processors. We do not store full card numbers on our systems.
• Analytics and monitoring: We use infrastructure monitoring tools to ensure platform health. These tools receive anonymized, aggregated operational metrics only.

We do not sell, rent, or share your data with third parties for advertising, marketing, or commercial purposes.

7. Data Security

We implement a comprehensive security program to protect your data:

• SOC 2 Type II: Strike Atlas infrastructure and processes are audited against the SOC 2 Trust Services Criteria, covering security, availability, and confidentiality.
• Encryption: AES-256 at rest, TLS 1.3 in transit, and encrypted backups.
• Access management: Principle of least privilege, multi-factor authentication for all internal systems, and quarterly access reviews.
• Vulnerability management: We regularly scan and test our own infrastructure. Security patches are applied within defined SLAs based on severity.
• Incident response: We maintain a documented incident response plan. In the event of a data breach affecting your data, we will notify you within 72 hours as required by applicable law.
• Employee training: All Buguard personnel handling customer data complete security awareness training and are bound by confidentiality obligations.

8. International Data Transfers

Buguard operates globally. Your data may be processed in countries outside your home jurisdiction, including countries that may not offer the same level of data protection as your local law.

Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to third countries, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Agreements with all sub-processors

We are committed to GDPR compliance and process EU personal data lawfully, fairly, and transparently.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Deletion: Request erasure of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Portability: Request your data in a structured, machine-readable format.
• Object to processing: Object to processing based on legitimate interests or for direct marketing purposes.
• Restrict processing: Request that we limit how we use your data in certain circumstances.
• Withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@strikeatlas.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Cookies

Strike Atlas uses a minimal set of cookies necessary to operate the Platform:

• Session cookies: Required to authenticate and maintain your login session. These are deleted when you close your browser.
• Preference cookies: Store lightweight UI preferences (e.g., theme settings). These expire after 12 months.
• Security cookies: CSRF protection tokens and fraud prevention signals.

We do not use advertising tracking cookies, third-party retargeting pixels, or any cookies that build behavioral profiles for commercial purposes. We do not participate in advertising networks.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send an email notification to registered account holders
• Display a prominent notice within the Platform for a reasonable period

We encourage you to review this policy periodically. Your continued use of Strike Atlas after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: