Legal · last updated 2026-05-01
Data Processing Addendum
This summary supports customer review of AegisRail data processing. Enterprise contracts may include a signed DPA with additional terms.
Processing Role
For customer workspace data, AegisRail generally acts as a processor or service provider and the customer acts as the controller or business, depending on applicable law.
For account, billing, security, and service administration data, AegisRail may act as an independent controller where required to operate the service.
Processing Instructions
AegisRail processes customer data to provide AI observability, eval, compliance, incident, evidence, notification, billing, support, security, and reliability features.
Customers configure workspace membership, raw trace retention, API keys, notification destinations, evidence exports, and integration settings.
Security Measures
Controls include organization-scoped access checks, role-based permissions, hashed API keys, encrypted outbound webhook secrets, audit logs, secure cookies in production, production security headers, and monitored scheduled jobs.
Operational logs and error events are designed to exclude secrets, raw request bodies, raw prompts, raw completions, and payment details.
Subprocessors
AegisRail uses subprocessors for hosting, database infrastructure, billing, email, observability, analytics, and optional AI provider execution.
The current subprocessor list is published at `/subprocessors` and should be reviewed before production customer data is processed.
Deletion And Return
Customers may request deletion or export of workspace data through support or product workflows where available.
Backups, audit logs, billing records, and security records may be retained for a limited period where required for legal, security, fraud-prevention, or operational-continuity purposes.