Privacy Policy

Effective Date: 1 February 2026

1. Introduction

Welcome to CloudSigma, a product of A13E Limited ("A13E Limited", "we", "us", or "our"). We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use CloudSigma, our automated threat intelligence to Sigma detection rule conversion platform.

CloudSigma enables security teams to ingest threat intelligence from various sources—including URLs, CVE identifiers, and raw text—and automatically extract MITRE ATT&CK TTPs, generate validated Sigma detection rules, and convert them to SIEM-specific query formats. This Privacy Policy applies to all interactions with our platform, including our website, API, and related services.

By accessing or using CloudSigma, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described herein, please do not use our services.

2. Data Controller

The data controller responsible for your personal data is:

A13E Limited
Registered in England and Wales
Contact: privacy@a13e.com

A13E Limited operates CloudSigma as a product under its portfolio of cybersecurity tools and services. As the data controller, A13E Limited determines the purposes and means of processing your personal data in connection with CloudSigma.

3. Personal Data We Collect

We collect and process the following categories of personal data when you use CloudSigma:

3.1 Account Information

  • Registration data: name, email address, and authentication credentials when you create a CloudSigma account
  • Profile information: organisation name, role, and preferences you provide
  • Billing data: payment method details, billing address, and transaction history (processed via our payment provider)

3.2 Usage Data

  • Service usage: features accessed, rules generated, input types used (URL, CVE, text), SIEM formats selected, and cloud providers targeted
  • Technical data: IP address, browser type and version, operating system, device identifiers, and session information
  • Log data: access timestamps, API call records, error logs, and performance metrics

3.3 Threat Intelligence Inputs

  • URLs submitted: links to threat intelligence blog posts and reports provided for analysis
  • CVE identifiers: Common Vulnerabilities and Exposures IDs submitted for rule generation
  • Free-text input: raw threat intelligence text pasted or uploaded for TTP extraction
  • Note: We strongly advise you not to include personal data in threat intelligence inputs. If personal data is inadvertently included, it will be processed as described in this policy.

3.4 Generated Output Data

  • Sigma rules: generated detection rules, validation results, and conversion outputs
  • TTP extractions: MITRE ATT&CK technique mappings and indicators of compromise (IOCs) extracted from your inputs
  • Pipeline metadata: detection gaps, merge reports, and quality metrics associated with generation runs

4. Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following legal bases:

  • Performance of a contract (Article 6(1)(b)): processing necessary to provide the CloudSigma service, manage your account, and fulfil our contractual obligations under the Terms of Service
  • Legitimate interests (Article 6(1)(f)): processing for service improvement, security monitoring, fraud prevention, and analytics, where our interests do not override your fundamental rights and freedoms
  • Legal obligation (Article 6(1)(c)): processing required to comply with applicable laws, regulations, or lawful requests from public authorities
  • Consent (Article 6(1)(a)): where we rely on your consent, such as for optional marketing communications, you may withdraw consent at any time without affecting the lawfulness of prior processing

5. How We Use Your Data

We use your personal data for the following purposes:

5.1 Service Delivery

  • Processing threat intelligence inputs to extract TTPs and generate Sigma detection rules
  • Validating generated rules via pySigma and converting to your selected SIEM format
  • Managing your account, authentication, and subscription tier
  • Providing customer support and responding to your enquiries

5.2 Service Improvement

  • Analysing usage patterns to improve rule generation quality and accuracy
  • Monitoring pipeline performance, error rates, and detection coverage gaps
  • Developing new features and enhancing existing capabilities

5.3 Security and Compliance

  • Protecting against prompt injection attacks, abuse, and unauthorised access
  • Detecting and preventing fraudulent or malicious use of the service
  • Maintaining audit logs for security incident response and compliance purposes

6. Data Sharing and Third Parties

We may share your personal data with the following categories of third parties:

6.1 AI Processing Provider

CloudSigma uses third-party AI services for TTP extraction and Sigma rule generation. Threat intelligence inputs you provide are sent to our AI provider's API for processing. Our AI provider processes this data under a data processing agreement and does not use API inputs for model training. Details of our current sub-processors are available on request.

6.2 Infrastructure Providers

  • Amazon Web Services (AWS): cloud hosting, compute, storage, and database services in the eu-west-2 (London) region
  • CloudFront CDN: content delivery and DDoS protection for the web application

6.3 Payment Processors

Subscription payments are processed by our third-party payment provider. We do not store full payment card details on our servers.

6.4 Legal and Regulatory

We may disclose personal data where required by law, regulation, legal process, or enforceable governmental request, or where necessary to protect the rights, property, or safety of A13E Limited, our users, or the public.

We do not sell your personal data to third parties. We do not share your threat intelligence inputs or generated rules with other customers.

7. International Data Transfers

Our primary infrastructure is hosted in AWS eu-west-2 (London, United Kingdom). However, certain third-party services we use may process data outside the UK. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office
  • Transfers to countries with an adequacy decision from the UK Secretary of State
  • Data processing agreements with appropriate technical and organisational measures

In particular, threat intelligence inputs processed via our AI provider may be processed in the United States. This transfer is governed by our data processing agreement and appropriate standard contractual clauses.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

  • Account data: retained for the duration of your account and for 30 days after deletion, to allow for account recovery
  • Threat intelligence inputs: cached for up to 24 hours for performance optimisation, then deleted. Inputs are not retained long-term.
  • Generated rules: retained for the duration of your account so you can access your generation history
  • Usage and log data: retained for up to 12 months for analytics and security purposes
  • Billing records: retained for 7 years in accordance with UK tax and accounting regulations
  • Security audit logs: retained for 12 months for incident response and compliance

9. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access: you may request a copy of the personal data we hold about you
  • Right to rectification: you may request correction of inaccurate or incomplete personal data
  • Right to erasure: you may request deletion of your personal data where there is no compelling reason for its continued processing
  • Right to restriction of processing: you may request that we restrict processing of your personal data in certain circumstances
  • Right to data portability: you may request to receive your personal data in a structured, commonly used, and machine-readable format
  • Right to object: you may object to processing based on legitimate interests or for direct marketing purposes
  • Rights related to automated decision-making: you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects

To exercise any of these rights, please contact us at privacy@a13e.com. We will respond to your request within one month. In certain circumstances, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Authentication via AWS Cognito with secure token management
  • Input normalisation and prompt injection protection for AI processing pipelines
  • SSRF protection with DNS rebinding defences on URL ingestion
  • Regular security assessments and monitoring
  • Access controls and principle of least privilege for internal systems

For more details on our security practices, please see our Security Policy.

11. Cookies and Similar Technologies

CloudSigma uses cookies and similar technologies to enhance your experience and collect usage data. The types of cookies we use include:

  • Strictly necessary cookies: required for the operation of our platform, including authentication session management. These cannot be disabled.
  • Performance and analytics cookies: help us understand how you interact with CloudSigma so we can improve the service. These are only set with your consent.
  • Functional cookies: remember your preferences, such as selected cloud providers, SIEM formats, and interface settings.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of CloudSigma.

12. Children's Privacy

CloudSigma is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information as soon as practicable. If you believe that a child has provided us with personal data, please contact us at privacy@a13e.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Effective Date" at the top of this policy
  • Notify you via email or through a prominent notice on the CloudSigma platform
  • Where required, seek your consent before applying changes that affect how your data is processed

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

14. Complaints

If you have concerns about how we handle your personal data, we encourage you to contact us first so that we can try to resolve the matter. You also have the right to lodge a complaint with a supervisory authority. The relevant authority for the United Kingdom is:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113

15. Contact Information

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

Privacy Enquiries
Email: privacy@a13e.com

Data Protection Officer
Email: dpo@a13e.com

A13E Limited
Registered in England and Wales
Website: a13e.com