Privacy policy


Effective date: January 12, 2026

This Privacy Policy explains how Adversa AI LTD. (“Adversa AI,” “we,” “us,” or “our”) collects, uses, and protects personal data in connection with our AI Red Teaming platform and related services (the “Service”).

This Privacy Policy applies to:

  • Visitors to our website at adversa.ai
  • Users of the Adversa AI platform (the “Service”)
  • Representatives of our business customers and partners

Adversa AI is a business-to-business (B2B) service. We process personal data both as a data controller (for our own business purposes) and as a data processor (when handling customer data submitted to the platform for AI security testing).

1. Introduction

Adversa AI is a global leader in Agentic AI Security and Continuous AI Red Teaming. Our platform protects enterprises by continuously stress-testing GenAI applications, AI agents, and MCP-based architectures to identify and fix vulnerabilities before deployment. Adversa AI works with Fortune 500 companies, financial institutions, and AI startups building next-generation AI systems.

This policy explains the data Adversa AI collects, uses, and shares. It applies only to our services—not to third-party websites, platforms, or services. It also does not apply to Adversa AI employees, contractors, or job candidates, who are covered by separate internal policies.

2. Personal Data We Process

2.1 Account and Contact Data (We Are the Controller)

When you sign up for the Adversa AI platform or contact us, we collect:

  • Account information: Company name, business legal name, business address, account holder name, email address, phone number
  • User information: Name, email address, job title, authentication credentials (passwords are encrypted)
  • Service provider authentication data: Logins or tokens (e.g., GitHub, AWS) you provide to enable integrations
  • Billing information: Payment method details, billing history, VAT number (if applicable)
  • Communication data: Content of emails, support tickets, demo requests, and other communications with us

Legal basis: Performance of contract, Legitimate interests (customer relationship management, service improvement)

2.2 Usage and Technical Data (We Are the Controller)

When you use the Adversa AI platform, we automatically collect:

  • Device data: IP address, hardware information, operating system, browser type and version, network information, preferences and settings
  • User activity: Time spent on pages, buttons clicked, features used, configuration settings, dashboard interactions
  • Performance data: Error logs, system performance metrics, service uptime data
  • Derived data: Information inferred from usage, such as geolocation

Legal basis: Performance of contract, Legitimate interests (service operation, security, improvement)

Usage and technical data described in this section do not include the content of customer testing data processed under Section 2.3.

2.3 Customer Testing Data (We Are the Processor)

When you use Adversa AI to red-team your AI models, GenAI applications, AI agents, or MCP-based architectures, the data you submit for testing may contain personal information such as:

  • AI model inputs and outputs containing personal identifiers
  • API keys and service credentials
  • Prompts, training data samples, or configuration data that may include personal data
  • Any other personal data present in systems you connect to our platform

For this data, you are the data controller and we are the data processor. You determine which data is submitted to the Adversa AI platform and are responsible for ensuring you have a legal basis to process it. Our processing is governed by our Data Processing Agreement (DPA) as described in Section 12.

2.4 Marketing and Website Data (We Are the Controller)

If you visit our website or interact with our marketing materials:

  • Website analytics: Pages visited, time on site, referral sources (via cookies)
  • Marketing data: Responses to campaigns, event attendance, downloaded resources (e.g., reports, whitepapers)
  • Social networks and other sources: Information from marketing campaigns, social platforms, referrals, or third-party datasets

Legal basis: Consent (for marketing cookies and direct marketing where required), Legitimate interests (website analytics, marketing effectiveness)

3. How We Use Personal Data

3.1 As Data Controller

We use personal data we control for:

  • Service provision: Creating and managing your account, processing payments, delivering AI red teaming results, and providing support
  • Service improvement: Analyzing usage patterns, developing new features, improving detection capabilities
  • Communication: Sending service notifications, responding to inquiries, providing technical support
  • Compliance: Meeting legal obligations, preventing fraud, enforcing our terms
  • Marketing: Sending product updates, security research digests, and promotional materials (with consent where required)
  • Operations: Processing payments, issuing invoices, handling referrals and audits, keeping business records
  • Security: Assisting AI security professionals, investigating misuse, preventing fraud and verifying identity

We may use aggregated and de-identified data derived from service usage for analytics, security research, and service improvement. We apply technical and organizational measures designed to prevent re-identification. This data does not identify you or your users.

3.2 As Data Processor

For customer testing data you submit to the Adversa AI platform, we process it solely in accordance with your instructions and as necessary to provide the Service. We do not:

  • Use your testing data for our own purposes
  • Share it with third parties except as required to provide the Service
  • Analyze it for marketing or product development

Your testing data is processed in accordance with your configuration, retention settings, and the terms of our DPA.

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases as required by the General Data Protection Regulation (GDPR) and UK GDPR:

  • Contract performance: To provide the Adversa AI platform and fulfill our Terms of Service
  • Legitimate interests: To operate our business, improve our service, ensure security, and prevent fraud
  • Legal obligation: To comply with accounting, tax, anti-money-laundering, and other legal requirements
  • Consent: For marketing communications and non-essential cookies (you may withdraw consent at any time)

For data we process as a processor, the legal basis is determined by you as the controller.

5. Data Sharing and Disclosure

5.1 Subprocessors and Service Providers

We use third-party service providers (subprocessors) to help deliver the Adversa AI platform. These may include:

  • Cloud infrastructure providers (e.g., AWS, GCP)
  • Payment processing providers
  • Transactional email and communication services
  • Analytics and monitoring tools
  • Integration partners (e.g., GitHub, CI/CD pipeline providers)

A current list of subprocessors is available by request. We notify customers at least 30 days before adding or replacing subprocessors. If you object to a new subprocessor on reasonable data protection grounds, you may terminate your subscription without penalty.

All subprocessors are contractually bound to protect your data and process it only as instructed.

5.2 Legal Disclosures

We may disclose personal data if required by law, court order, or government authority, or if necessary to:

  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Enforce our Terms of Service

We will notify affected customers of such disclosures unless prohibited by law.

5.3 Business Transfers

If Adversa AI LTD. is involved in a merger, acquisition, or sale of assets, personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.4 Data Sales

We do not sell, rent, or trade personal data to third parties for marketing or any other purposes.

5.5 On-Premises Deployments

If you use an on-premises version of the Adversa AI platform, data sharing and subprocessing arrangements differ from those described above and are governed by a separate agreement specific to your deployment. Please contact us for details.

6. International Data Transfers

Adversa AI operates from Israel and uses cloud infrastructure that may be located in the European Union, United States, or other jurisdictions. When personal data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Additional technical and organizational safeguards as required

Israel has been granted an adequacy decision by the European Commission, confirming an adequate level of data protection.

If you are located outside the EEA and use our services, your personal data (account information) is transferred under the applicable legal mechanism described above.

7. Data Retention

7.1 Account and Billing Data

  • Active accounts: Duration of your subscription
  • After termination: 30 days for potential reactivation, then deleted
  • Billing records: Retained as required by applicable accounting and tax laws

7.2 Customer Testing Data

Customer testing data retention is controlled by you through your Adversa AI platform settings. Upon subscription termination:

  • Testing data is retained for 30 days (unless you request immediate deletion)
  • After 30 days, all testing data is securely deleted unless retention is required by law

7.3 Marketing Data

Marketing communication data is retained until you unsubscribe or withdraw consent, plus 6 months to honor your preferences.

7.4 Legal Holds

We may retain data beyond normal retention periods if required by legal proceedings, investigations, or regulatory requirements.

7.5 Data During Service Suspension

If your service is suspended (e.g., for non-payment), your data remains stored but may not be processed until service is restored. Data retention periods begin upon formal termination, not suspension.

7.6 Demo Accounts

Data from demo accounts is subject to the same security and privacy protections as paid accounts. If you do not convert to a paid subscription, your data will be deleted 30 days after the demo period expires.

7.7 Periodic Reviews

We conduct periodic reviews of retained data to ensure it is still necessary for its stated purpose. Data that is no longer required is securely deleted or anonymized.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data:

Technical measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for user accounts
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Secure data centers with physical access controls
  • Continuous monitoring, logging, and backup procedures

Organizational measures:

  • Access controls and least-privilege principles
  • Employee and contractor confidentiality obligations
  • Security awareness training
  • Incident response procedures
  • Regular security audits
  • Third-party partners are required to meet equivalent security standards

Access to customer testing data is strictly limited to authorized personnel and only as necessary to provide the Service or as instructed by you. All access is logged and monitored.

A comprehensive description of our data security measures, including technical specifications and compliance certifications, is available in our Data Processing Agreement (DPA).

Data breach notification:

  • We will notify relevant supervisory authorities within 72 hours where required by GDPR (when acting as controller)
  • We will notify you without undue delay upon becoming aware of a personal data breach affecting customer testing data (when acting as processor), as required by GDPR Article 33(2)
  • We will notify affected data subjects without undue delay where required by GDPR (when acting as controller)

9. Your Rights Under GDPR

As a data subject, you have the following rights regarding personal data we control:

9.1 Right of Access

Request confirmation of whether we process your personal data and obtain a copy of it.

9.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (“Right to Be Forgotten”)

Request deletion of your personal data in certain circumstances, such as:

  • Data is no longer necessary for the purposes collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing based on legitimate interests
  • Data was unlawfully processed

This right may be limited by legal retention obligations.

9.4 Right to Restriction of Processing

Request that we limit how we use your data in certain circumstances.

9.5 Right to Data Portability

Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

9.6 Right to Object

Object to processing based on legitimate interests, including profiling and direct marketing.

9.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time by:

  • Clicking the unsubscribe link in marketing emails
  • Adjusting cookie preferences via our cookie banner
  • Contacting us by email at the address in Section 14

Withdrawal does not affect the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint

You may lodge a complaint with the relevant data protection authority. Depending on your location, this may include:

9.9 Exercising Your Rights

To exercise any of these rights, contact us as described in Section 14. We will respond within 30 days. We may request additional information to verify your identity. Where requests are complex or numerous, we may extend this period by up to 60 days, as permitted under the GDPR. We will inform you of any such extension within the initial 30-day period.

9.10 Rights Regarding Customer Testing Data

If you are an employee or end-user of our customer and your personal data appears in data processed through the Adversa AI platform, you should direct any rights requests to your organization (the data controller). We will assist them in fulfilling these requests as required under our DPA.

10. Cookies and Tracking Technologies

Our website and platform use cookies and similar tracking technologies to operate, secure, and improve our services. We maintain a separate, detailed Cookie Policy that describes the categories of cookies we use (essential, analytics, and marketing), their purposes, retention periods, and how you can manage your preferences.

Please refer to our Cookie Policy for full details.

The Adversa AI platform also uses essential analytics to operate the service. These do not require consent as they are necessary for service provision under our Terms of Service.

11. Children’s Privacy

The Adversa AI platform is a business service not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we discover we have inadvertently collected such data, we will promptly delete it. If you believe a child has provided personal information to us, please contact us immediately.

12. Data Processing Agreement (DPA)

For customers who process personal data through the Adversa AI platform, our separate Data Processing Agreement (DPA) applies. The DPA is described in detail on our dedicated DPA page at adversa.ai/dpa, and contains additional details about the scope and nature of processing, categories of data subjects and personal data, data subject rights procedures, security measures, sub-processing arrangements, data breach notification procedures, audit rights, and more.

A Data Processing Agreement in accordance with GDPR Article 28 must be in place before we process personal data as your processor. To review or execute the DPA, please visit adversa.ai/dpa or contact us at the address in Section 14.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • Email to registered account holders
  • Notice in the Adversa AI platform dashboard
  • Updated “Effective date” at the top of this policy

Continued use of the Adversa AI platform after changes take effect constitutes acceptance. We encourage you to review this policy periodically. Previous versions are available upon request.

14. Contact Us

For questions about this Privacy Policy or our data practices, contact us:

Adversa AI LTD.

Email: [email protected]

Rothschild Boulevard 45, 6578403, Tel Aviv, Israel

EU Representative (GDPR Article 27): If you reside in the EU, you can contact our EU representative for any GDPR-related questions:

Digital Trust AS

Hasleveien 28A, 0571 Oslo, Norway

Email: [email protected]

For GDPR-related concerns, you may also contact the relevant data protection authority as described in Section 9.8.

If you believe your privacy rights were violated, contact us. We will investigate and respond. You may need to verify your identity.
