Privacy Policy.
Last updated: May 26, 2026
1. Who we are
airlock is a governance and proxy plane for AI agents, operated from the European Union and hosted on AWS in Frankfurt (eu-central-1). This Privacy Policy explains what data we collect from visitors to our website and from customers of the airlock Service, how we use it, and the choices you have.
For the purposes of the GDPR, airlock acts as a data controller for account, marketing, and website-analytics data, and as a data processor for the Customer Data your organization sends through the Service (including audit logs, approval records, and connected-API credentials).
2. Information we collect
Account & organization data
- Account information: name, work email, and organization details when you create an account.
- Authentication data: OAuth tokens and session identifiers used to authenticate you with the Service and with third-party APIs you connect. Passwords are not stored by airlock. Authentication is handled by AWS Cognito (OAuth 2.0 with PKCE), with optional federation to Google Workspace and Microsoft Entra ID.
API & proxy data
- API credentials: credentials you supply to connect third-party services (API keys, OAuth tokens). Encrypted at rest using AES-256-GCM and only decrypted at the moment of API execution.
- Request metadata: when AI agents call third-party APIs through airlock we log metadata such as the tool invoked, timestamp, organization, and approval status, along with redacted and truncated copies of the request and response bodies so you can audit and replay execution. Sensitive fields are stripped before storage.
- Approval records: when a request requires approval, the request payload and tool arguments are stored to drive the workflow.
Audit log data
airlock writes an audit log for each customer organization. These logs are for your auditing. airlock personnel do not read the contents of your audit logs, approval payloads, or proxied request/response data unless you have given us explicit, written approval (for example, when you open a support ticket that asks us to investigate). Limited exceptions apply where strictly required to maintain the security or integrity of the Service, or where compelled by law.
Website & usage data
- Anonymous behavioural analytics: we monitor how visitors interact with the website and the Control Room (pages viewed, features used, session length) in anonymized form, to improve the product. See "Cookies & Analytics" below.
- Technical data: browser type, operating system, approximate region derived from IP, and device identifiers, used for security, debugging, and abuse prevention.
3. How we use your information
- Provide, maintain, and improve the Service, including proxying API requests on your behalf and enforcing your configured policies and approval workflows.
- Authenticate you and authorize access to the third-party APIs you have connected.
- Communicate with you about updates, security alerts, and support.
- Monitor for abuse, enforce rate limits, and maintain system security.
- Generate aggregated, anonymized usage analytics to improve the Service.
- Comply with legal obligations.
We do not use your data to train AI models. Your API credentials, request data, and response data are never used for machine-learning training by airlock or shared with third parties for that purpose. We do not sell your personal information.
4. Legal bases (GDPR)
We process personal data under the following legal bases:
- Contract: to provide the Service to you (account, authentication, proxy, audit log).
- Legitimate interest: for security, abuse prevention, anonymized product analytics, and limited service-related communications.
- Consent: for optional marketing emails and any cookies that are not strictly necessary or are not in anonymized form.
- Legal obligation: for tax, accounting, and compliance with lawful requests.
5. Data storage & security
All data is stored on AWS in the EU (Frankfurt, eu-central-1). We implement, among other measures:
- Encryption at rest: API credentials and sensitive fields encrypted with AES-256-GCM under AWS KMS envelope encryption (per-record data keys wrapped by a customer master key); all database tables use AWS-managed encryption at rest.
- Encryption in transit: TLS 1.2+ everywhere; calls to third-party services use HTTPS.
- Authentication: AWS Cognito with OAuth 2.0 and PKCE. Passwords are not stored by airlock.
- Tenant isolation: each organization's data is logically separated and access is enforced at the application and database layer.
- Audit trail of staff access: any airlock-personnel access to a tenant's environment is itself logged.
No transmission over the Internet or electronic storage is 100% secure; we cannot guarantee absolute security.
6. Cookies & analytics
Strictly necessary cookies. The website and Control Room set a small number of cookies and similar storage items required to keep you signed in, remember your theme/preferences, and maintain session security. These are essential to the Service and cannot be disabled.
Usage analytics (with your consent). We use PostHog (EU-hosted) to understand how visitors and customers use the site and product. Page views, click events, and session data are captured to PostHog's EU project. We display a cookie consent banner on first visit; analytics only load after you click Accept.
Form submissions. When you submit the beta application form, the fields you enter (name, work email, company, company size, AI tools, governance pain) are sent directly to PostHog as a beta_application_submitted event with your email as the identifier. When you submit the Teams subscription form, the fields you enter (name, work email, phone, company, number of users, location, and any additional info) are sent the same way as a team_subscription_requested event. Both happen regardless of cookie consent, because you are explicitly providing this information to us. We use it to contact you about your beta application or subscription and to maintain our prospect pipeline.
No advertising cookies. airlock does not run advertising, retargeting pixels, or third-party marketing trackers on this site.
7. Third-party services
We rely on the following categories of sub-processors and service providers:
- Cloud infrastructure: Amazon Web Services (AWS) for hosting, database, authentication (Cognito), serverless compute, transactional email (Amazon SES), and the AWS Bedrock embedding models used to index code you connect for search. All AWS services are in the EU.
- Runtime application security: Aikido Zen Firewall, which receives runtime telemetry from our Lambda functions (route, request shape, suspicious-traffic signals) to detect and block attacks against the Service.
- Product analytics: PostHog, for anonymized product analytics.
- Embedded video: some blog posts embed YouTube videos via Google's privacy-enhanced domain (youtube-nocookie.com). The video player only loads, and Google may only then set cookies, after you click play. Nothing is requested from Google before that. Playback is governed by Google's privacy policy.
- Connected APIs: when you connect third-party services (e.g., GitHub, Google Workspace, Datadog, Zoom, or your own OpenAPI endpoints), airlock acts as an authorized proxy. Requests are forwarded using credentials you supplied. airlock does not share your data with these services beyond what you explicitly request through tool execution.
We do not sell your personal information. We share data with third parties only as described above or when required by law. A current sub-processor list is available on request from privacy@air-lock.ai.
8. International data transfers
Customer Data and personal data are stored and processed in the EU. Where a sub-processor processes personal data outside the EEA (for example, support tooling hosted in the United States), the transfer is governed by Standard Contractual Clauses and, where applicable, additional safeguards.
9. Data retention
- Account data: retained while your account is active. Personal data is deleted within 30 days of account closure (longer retention may apply where required by law).
- API credentials: retained while the connected service is active; deleted immediately when you disconnect that service.
- Audit logs & approval records: retained for 90 days from creation, then automatically deleted. Contact us if you need a longer retention window for compliance.
- OAuth client registrations: dynamically registered OAuth clients expire 90 days after registration.
- Session data: Cognito access and ID tokens expire after 8 hours; refresh tokens expire after 30 days.
- Anonymized analytics: may be retained indefinitely in aggregated form (it contains no personal identifiers).
10. Your rights
Depending on where you live, you may have the right to access, correct, delete, or port your personal information; to object to or restrict processing; and to withdraw consent at any time where processing is based on consent. EU/EEA residents may lodge a complaint with their local data protection authority. To exercise any of these rights, contact privacy@air-lock.ai.
11. Children's privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn we have collected such data, we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by updating the "Last updated" date and, where appropriate, by direct notice. Continued use of the Service after the effective date constitutes acceptance.
13. Contact
For privacy questions or to exercise your rights, contact privacy@air-lock.ai.