This Privacy Policy describes how AttackIQ, Inc. (“AttackIQ,” “we,” “us,” or “our”) collects, uses, and shares personal data when you use the AttackIQ AVA application (“Service”) through OpenAI’s ChatGPT platform.

1. Data We Collect

1.1 Authentication Data

When you connect to the Service, we collect your user identifier, username, email address, company identifier, and platform URL through our OAuth 2.1 authentication flow. These are required to authenticate your identity and authorize access to your AttackIQ platform tenant.

1.2 Tool Usage Data (Telemetry)

Each time you invoke a tool, we log: the tool name, a truncated version of the input and output (up to 4,000 characters), your email address, company identifier, a unique request identifier, status (success/error), and a timestamp. Sensitive fields (API tokens, passwords, secrets) are automatically redacted before storage.

1.3 Session Data

We store temporary session data, including OAuth flow state and CSRF tokens, to maintain your authenticated session. Session data is automatically expired and deleted.

2. How We Use Your Data

• Authentication and authorization: To verify your identity and enforce access controls scoped to your AttackIQ tenant.
• Service delivery: To execute the tools you invoke (searching scenarios, analyzing threats, creating assessments, managing detection rules, etc.) on your behalf.
• Telemetry and diagnostics: To monitor service health, debug errors, and generate anonymized usage dashboards.
• Rate limiting: To enforce fair-use limits using your email address as a rate-limit key.

3. Third-Party Services

To deliver the Service, your queries and tool inputs may be processed by the following third-party services:

• LLM Providers (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI): Your natural-language queries and tool inputs are sent to large language model providers for processing. No explicit user identifiers (name, email) are included in prompts sent to LLM providers.
• Elasticsearch (Cloud): Your queries are used to search internal knowledge bases (documentation, MITRE ATT&CK data, assessment results). Queries to assessment data are scoped by your company identifier to ensure tenant isolation.
• AttackIQ Platform API: Your platform API token is used to perform actions on your AttackIQ tenant (searching scenarios, creating assessments, etc.). Your token is encrypted at rest.
• AWS SES: If you request early access features, your email address and platform URL may be sent via AWS Simple Email Service.
• Observability (Langfuse/LangSmith): When enabled, LLM interaction traces (prompts, responses, token usage) may be sent to observability platforms for performance monitoring. These traces do not include explicit user identifiers.

We do not sell your personal data. We do not use your data for advertising.

4. Data Storage and Retention

• Authentication data is stored in PostgreSQL and encrypted at rest. OAuth tokens have defined lifetimes (access tokens: approximately 1 hour; refresh tokens: approximately 30 days) and are deleted upon revocation.
• Telemetry data (tool call logs) is stored in PostgreSQL. [RETENTION PERIOD: recommend specifying, e.g., “Telemetry logs are retained for 90 days and then automatically purged.”]
• Session data is stored in Redis with automatic TTL-based expiration.
• Cache data (query results) is stored in Redis with TTLs ranging from 5 minutes to 24 hours depending on the data type, and is automatically expired.

5. Data We Do Not Collect

• We do not collect payment card information (PCI).
• We do not collect protected health information (PHI).
• We do not collect government identifiers (Social Security numbers, etc.).
• We do not collect precise geolocation data (GPS coordinates, street addresses).
• We do not collect or store full conversation histories from ChatGPT. We operate only on the explicit inputs provided to each tool invocation.

6. User Controls

• You may revoke your OAuth tokens at any time, which immediately terminates your authenticated session.
• You may request deletion of your account and associated data by contacting [email protected].
• Data access requests (to view what data we hold about you) can be directed to the same email address.
• Your AttackIQ platform administrator can manage user access and permissions independently.

7. Security

We implement industry-standard security measures including:

• Encrypted API tokens at rest
• Automatic redaction of sensitive fields (tokens, passwords, secrets) in all logs
• Company-scoped data isolation (multi-tenant separation)
• Rate limiting to prevent abuse
• CSRF protection for all authenticated sessions
• OAuth 2.1 with PKCE for secure authentication flows

8. Children’s Privacy

The Service is designed for enterprise security professionals and is not intended for use by individuals under the age of 13. We do not knowingly collect personal data from children under 13.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify users through the Service or by other appropriate means. Your continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

For questions, data access requests, or concerns regarding this Privacy Policy, contact:

Email: [email protected]

AttackIQ, Inc.
171 Main Street, Suite 656
Los Altos, CA 94022
+1 (888) 588-9116