PRIVACY POLICY

How we handle
your data

A plain-language account of what AEGIS Nexus collects, why, how long we keep it, and the rights you can exercise. This is a template published for counsel review, not final legal wording.

Data-minimisation by defaultClear purpose for every fieldRights honoured on requestWritten for counsel review

AEGIS Nexus is a business-to-business security-operations platform sold to enterprise organisations. The personal data we handle is overwhelmingly workforce and administrative in nature — the accounts, contacts and audit records that let a security team operate the product — rather than consumer data gathered for marketing. We treat that distinction as foundational: a security product that mishandled data would contradict everything it exists to protect.

This page is written as a template. It sets out the categories of data we process and the principles we apply, in the same terms a Fortune 100 buyer would expect to review. It is deliberately structured so that your legal counsel and our own can adapt it into a binding policy and data-processing agreement for your jurisdiction, contract and deployment model. Nothing here should be read as a final legal representation until it has been reviewed and executed by both parties.

What it delivers

Only what we need

We collect the minimum data required to deliver, secure and support the platform. Fields without a defined purpose are not gathered.

Purpose-bound processing

Every category of data is tied to a stated reason — operating the service, securing accounts, or meeting a contractual and legal obligation. We do not repurpose it for unrelated ends.

Defined retention

Data is kept only as long as its purpose requires or a contract and law demand, then deleted or anonymised on a documented schedule.

Your rights, respected

Access, correction, deletion, export and objection requests are handled through a defined process, subject to the legal basis and our role as processor.

Security as the product

The same enterprise controls we build for customers govern our own handling of your data — encryption in transit and at rest, least-privilege access and audit.

Sub-processors disclosed

Where a third party helps us deliver the service, they are bound by contract and disclosed, so you always know who touches your data.

Illustrative data-flow: what we collect, why, and how it converges into a secured vault (retention windows shown are illustrative).

What we collect and why

The data we process falls into a small number of clearly-scoped categories. Account and identity data — names, work email addresses, roles and authentication records — lets us provision access, enforce permissions and keep accounts secure. Usage and operational data — logs of actions taken in the platform, timestamps and audit trails — lets us run the service reliably, investigate issues and give you the evidence trail an enterprise security tool must maintain.

We also process the configuration and integration settings you provide so the platform can connect to the tools in your existing stack, and standard billing and contract data needed to administer the commercial relationship. Where the product ingests security signals from your environment, that content is handled as your data under your instruction; we process it to deliver the ranked, explainable output you have engaged us for, not for any purpose of our own.

Retention and deletion

We keep personal data only for as long as it serves the purpose it was collected for, or for as long as a contract, a legitimate business need, or applicable law requires. Different categories carry different clocks: audit and security logs are retained for the period an enterprise and its regulators expect an evidence trail to survive, while account data is retained for the life of the relationship and a defined wind-down window afterwards.

When a retention period ends, or when you terminate the relationship and no longer require the data, it is deleted or irreversibly anonymised on a documented schedule. The specific periods, and any exceptions where law compels longer retention, are defined in the data-processing agreement your counsel and ours will settle for your engagement.

Illustrative Sankey of how each data category maps to its purpose and retention window; band widths are illustrative, not measured volumes.
Illustrative treemap of the data-handling categories in this policy: each block groups the kinds of data we may process and the sub-types within it. Tile sizes are illustrative proportions for layout only, not measured data volumes.

Your rights and how to exercise them

Individuals whose data we process may have the right to access it, correct it, request its deletion, receive a portable copy, or object to certain processing, depending on the applicable privacy regime and on whether we act as a data controller or as a processor operating under our customer's instruction. In most enterprise deployments we act as a processor: requests from your workforce are routed to you as the controller, and we support you in fulfilling them.

We maintain a defined intake and verification process so that any valid request is acknowledged, authenticated and actioned within the timelines the relevant law sets. Because obligations differ across jurisdictions and deployment models, the precise catalogue of rights, response windows and escalation contacts for your engagement is something your legal counsel and ours will confirm together.

Security, sharing and international transfers

The controls we apply to your data reflect the product we sell: encryption in transit and at rest, least-privilege and role-based access, logging of administrative actions, and separation between customer environments. We follow the principle we ask our customers to hold us to — validation, not assurance — meaning we describe the safeguards we have demonstrably implemented and are candid about the boundaries of any control.

We do not sell personal data. We share it only with sub-processors that help us deliver the service — each bound by contract to protect it and disclosed to you — and where law or a valid legal process requires. Where data crosses borders, transfers are governed by the mechanisms your applicable law recognises, and the specific sub-processor list, transfer safeguards and breach-notification commitments for your engagement are set out in the agreement your counsel and ours execute.

Illustrative data-retention lifecycle: a stacked area view of how the retained share of records in each data-handling category (operational telemetry, account & identity, security & audit logs, support & correspondence) decays from collection through a representative multi-year horizon toward scheduled, automated deletion. The stack total shows records under management shrinking as retention windows expire. All quantities are illustrative and categorical, abstracted from any proprietary internals or real customer data.

Frequently asked

No. This page is a template published so buyers can see how we think about data handling. The binding policy and data-processing agreement are settled between your legal counsel and ours for your specific jurisdiction, contract and deployment.

No. We do not sell personal data, and we do not repurpose the operational data you entrust to us for marketing. We share data only with disclosed sub-processors that help deliver the service, or where law requires.

In most enterprise deployments we act as the processor, handling data under your instruction as the controller. The exact allocation of roles and responsibilities is confirmed in the data-processing agreement for your engagement.

Those specifics live in the executed data-processing agreement rather than on a public page, because they depend on your deployment model and applicable law. Your counsel can review them with us before signing.

Review the details with your counsel

Talk to iQs Group to obtain the data-processing agreement and sub-processor disclosures your legal team needs to review before an engagement.

Request a walkthrough →