Privacy Policy

Effective Date: September 30, 2025

This Privacy Policy describes how Above Security Inc. ("Above Security," "we," "our," or "us") collects, uses, discloses, and protects information in connection with our enterprise security services, websites, and related offerings (collectively, the "Services").

Above Security Inc. is a company incorporated in Israel with its principal place of business at:

Above Security Inc.
Haarbaa Street 28
Tel Aviv, Israel

By accessing or using the Services, you agree to the terms of this Privacy Policy. If you do not agree, do not use the Services.

1. Scope

This Policy applies to:

  • Customers who purchase or deploy the Services.
  • End Users whose activity is monitored, logged, or analyzed through the Services by their organization.
  • Visitors to our websites or communications channels.

For enterprise deployments, your organization (the "Customer") determines the scope and use of the Services, and acts as the controller of personal data collected through its deployment. Above Security acts as a processor or service provider on behalf of the Customer.

2. Information We Collect

Depending on how the Services are configured and used, we may collect the following categories of information:

  • Account and identity information: name, email address, organizational identifier, authentication credentials, and tenant configuration.
  • Technical data: IP addresses, device identifiers, browser type, operating system, telemetry, performance logs, and connection metadata.
  • Usage and event data: URLs or domains accessed, timestamps, activity type, triggers, alerts, security events, incident timelines, audit logs, system interactions, and classification results.
  • Derived or analytical data: risk scores, anomaly flags, behavior patterns, aggregated statistics, and investigation-ready event sequences.
  • Support and communications data: information provided to our support, sales, or feedback channels, including emails, tickets, and attachments.
  • Website data: cookies, analytics, and log files when you visit our public sites.

We do not require or intend to collect sensitive personal data unless configured by the Customer. Where the Services are configured to monitor or intercept content, collection is performed under Customer direction.

3. How We Use Information

We process collected information to:

  • Provide, operate, and improve the Services.
  • Detect, classify, and surface risky actions and security incidents.
  • Generate investigation logs and timelines for security and compliance.
  • Authenticate and authorize users.
  • Support, troubleshoot, and secure the Services.
  • Fulfill legal or contractual obligations.
  • Conduct analytics and research, in aggregated or anonymized form.

We do not sell personal information to third parties.

4. Customer Responsibility

Customers deploying the Services are solely responsible for:

  • Determining the lawful basis for processing personal data of End Users.
  • Providing all required notices to, and obtaining all required consents from, End Users or other data subjects.
  • Configuring the Services in compliance with applicable laws and internal policies.
  • Determining retention periods, access controls, and export settings for data collected through the Services.

Above Security is not responsible for Customers' acts or omissions in their use of the Services.

5. Legal Bases

Where required by law, we rely on one or more of the following legal bases:

  • Performance of contract with Customers.
  • Legitimate interests in providing, securing, and improving the Services.
  • Compliance with legal obligations.
  • Consent where obtained by the Customer.

6. Disclosure of Information

We may share information as follows:

  • With Customers (your employer or contracting organization), consistent with deployment settings.
  • With service providers and subprocessors that support hosting, analytics, identity management, or support.
  • With legal and regulatory authorities where required by law.
  • With successor entities in the event of merger, acquisition, or business transfer.

We do not grant third parties rights to use personal information for independent commercial purposes.

7. Data Retention

We retain information only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. By default:

  • Event metadata is retained for [e.g., 90 days] unless configured otherwise.
  • Audit logs and investigation timelines may be retained up to [e.g., 3 years] depending on Customer configuration.
  • Aggregated, anonymized data may be retained indefinitely.

Customers may configure shorter or longer retention periods.

8. Security

We implement reasonable technical and organizational safeguards, including encryption, access controls, monitoring, and periodic testing. No system is completely secure. We disclaim liability for unauthorized access, disclosure, or destruction of information outside our reasonable control.

9. International Transfers

Information may be transferred, stored, and processed in jurisdictions outside your country. By using the Services, you acknowledge such transfers. Where legally required, we implement safeguards such as Standard Contractual Clauses.

10. User Rights

Depending on applicable law, individuals may have rights to access, correct, delete, restrict, or object to processing of their personal data. In enterprise deployments, such rights must be exercised through the Customer, who is the data controller. Above Security will support Customers in responding to such requests.

11. Data Accuracy and Detection Disclaimer

Above Security makes no warranties, express or implied, regarding:

  • The accuracy, completeness, or reliability of threat detection, risk scores, anomaly flags, or behavior classifications.
  • The absence of false positives or false negatives in security event identification.
  • The prevention of all security incidents or unauthorized access.
  • The suitability of the Services for any particular security requirement or compliance standard.

Customers are solely responsible for validating, investigating, and acting on all alerts, events, and classifications generated by the Services.

12. Audit Rights Disclaimer

Customers are solely responsible for conducting any audits, assessments, or evaluations required by applicable law, regulation, or contract, including but not limited to privacy impact assessments, data protection impact assessments, security audits, and compliance reviews. Above Security is not responsible for Customer's failure to conduct such assessments or comply with resulting obligations.

13. Customer Indemnification

Customer agrees to indemnify, defend, and hold harmless Above Security, its affiliates, officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

  • Customer's use or misuse of the Services.
  • Customer's violation of applicable laws, regulations, or third-party rights.
  • Customer's failure to provide required notices or obtain required consents from End Users.
  • Customer's monitoring practices, configurations, or employment decisions.
  • Any claim by End Users or third parties related to Customer's deployment of the Services.
  • Customer's breach of this Policy or any agreement with Above Security.

14. Limitation of Liability

To the maximum extent permitted by law:

  • The Services are provided "as is" without warranties of any kind.
  • Above Security disclaims all implied warranties, including merchantability, fitness for purpose, and non-infringement.
  • We are not responsible for Customers' monitoring practices, configurations, or compliance with employment or privacy laws.
  • In no event will Above Security be liable for indirect, incidental, consequential, special, or punitive damages, including lost profits, business interruption, loss of data, reputational harm, or regulatory fines, even if advised of such possibility.
  • Our total aggregate liability arising from or related to the Services shall not exceed the fees paid by the Customer in the twelve (12) months preceding the claim.
  • Some jurisdictions do not allow exclusion of certain warranties or limitation of liability for consequential damages. In such jurisdictions, our liability is limited to the greatest extent permitted by law.

15. Force Majeure

Above Security shall not be liable for any failure or delay in performance under this Policy or any agreement due to causes beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, pandemics, strikes, telecommunications or internet failures, or failures of third-party hosting, infrastructure, or service providers.

16. Dispute Resolution and Arbitration

Binding Arbitration: Any dispute, controversy, or claim arising out of or relating to this Policy or the Services, including the breach, termination, enforcement, interpretation, or validity thereof, shall be resolved exclusively by binding arbitration rather than in court, except that either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent actual or threatened infringement, misappropriation, or violation of intellectual property rights.

The arbitration shall be conducted in accordance with the rules of the Israeli Arbitration Law, 5728-1968, before a single arbitrator appointed by mutual agreement or, failing agreement, appointed by the Tel Aviv District Court. The seat of arbitration shall be Tel Aviv, Israel. The language of arbitration shall be English.

Class Action Waiver: Any proceedings to resolve disputes will be conducted solely on an individual basis. Neither Customer nor Above Security shall seek to have any dispute heard as a class action, representative action, collective action, or private attorney general action. The arbitrator may not consolidate more than one party's claims and may not preside over any form of representative, class, or collective proceeding.

Jury Trial Waiver: To the extent any dispute is not subject to arbitration, each party irrevocably waives any right to trial by jury.

17. Governing Law and Jurisdiction

This Policy and any disputes arising from or relating to it shall be governed by and construed in accordance with the laws of the State of Israel, without regard to its conflict of law provisions. To the extent any dispute is not subject to arbitration, the parties consent to the exclusive jurisdiction of the competent courts in Tel Aviv, Israel.

18. No Third-Party Beneficiaries

This Policy is entered into solely between Above Security and its Customers. No End User, employee, contractor, or other third party is an intended beneficiary of this Policy, and no such third party shall have any right to enforce any provision hereof or bring any claim directly against Above Security. All rights under this Policy, including data subject rights, must be exercised through the Customer.

19. Severability

If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court or arbitrator of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it enforceable, or if it cannot be made enforceable, it shall be severed from this Policy. The invalidity, illegality, or unenforceability of any provision shall not affect the validity, legality, or enforceability of the remaining provisions, which shall remain in full force and effect.

20. Children

Our Services are not intended for individuals under the age of 16 (or other local age of digital consent). We do not knowingly collect data from such individuals.

21. Changes

We may update this Policy periodically. Material changes will be posted on our website with an updated effective date. Continued use of the Services constitutes acceptance of the revised Policy.

22. Contact

For privacy inquiries or requests:

Above Security Inc.
Haarbaa Street 28
Tel Aviv, Israel

Email: [email protected]