Data Privacy Policy / Data Processing Policy

Red Sword Strix Data Privacy and Processing Policy

Effective Date: 15 May, 2026

Company: Red Sword Security Private Limited

Registered Location: Hamirpur, Himachal Pradesh, India

Contact Email: contact@redswordsecurity.com

Default Data Retention Period: 180 days

1. Purpose

This Data Privacy and Processing Policy explains how Red Sword Security Private Limited handles customer security data, personal data, telemetry, alerts, logs, AI processing, retention, deletion, and incident handling within Red Sword Strix.

This document is intended to support compliance with applicable Indian data protection and cybersecurity obligations, including the DPDP Act, IT Act, SPDI Rules, and CERT-In Directions. (MeitY)

2. Data Categories Processed

Red Sword Strix may process the following categories of data.

2.1 Customer Organization Data

  • Organization name
  • Admin users
  • Subscription details
  • Integration configuration
  • Notification settings

2.2 User Data

  • Name
  • Email
  • Role
  • Login logs
  • Access permissions
  • Actions performed in the dashboard

2.3 Security Alert Data

  • Alert name
  • Severity
  • Rule ID
  • Timestamp
  • Risk score
  • Device ID
  • Hostname
  • IP address
  • Username/system user
  • Process name
  • File path
  • Command metadata
  • Duplicate count
  • Correlation metadata
  • Analyst feedback

2.4 Device and Agent Data

  • Device identifier
  • Operating system
  • Agent version
  • Last seen time
  • Health status
  • Security event summaries

2.5 AI Processing Data

  • Normalized alert context
  • Risk breakdown
  • Timeline data
  • Recommended action context
  • Report summary data
  • Redacted/anonymized prompts where feasible

3. Data Minimization

Red Sword Strix follows data minimization principles. Where possible, we:

  • Avoid collecting raw logs unnecessarily
  • Store alert summaries instead of full raw telemetry
  • Group duplicate alerts instead of storing every duplicate separately
  • Use hashed or pseudonymized identifiers where feasible
  • Limit AI prompts to necessary alert context
  • Avoid storing secrets, passwords, private keys, or full sensitive file contents

4. Processing Purposes

Customer data is processed to:

  • Detect and prioritize security events
  • Reduce duplicate and noisy alerts
  • Generate risk scores
  • Build incident timelines
  • Provide dashboards and reports
  • Send notifications
  • Support integrations
  • Improve system reliability
  • Provide customer support
  • Maintain audit records
  • Comply with legal obligations

5. Data Flow

Typical data flow

  1. Customer Endpoint
  2. Red Sword Strix Ingestion
  3. Risk Scoring and Deduplication
  4. Database / Indexer / Storage
  5. Dashboard / Reports / Notifications

AI-assisted flow

  1. Processed Alert Context
  2. Sanitization / Redaction
  3. AI Provider or Local Model
  4. Explanation / Summary / Recommendation
  5. Stored or displayed in Dashboard

6. AI Data Handling

Where AI features are enabled:

  • AI is used to assist, not replace, analyst judgment
  • Red Sword Strix may use third-party or local AI models
  • Prompts are restricted to necessary security context
  • Sensitive secrets are not intentionally sent to AI models
  • Customers may request that external AI processing be disabled, where supported
  • Local/private model deployment may be offered separately
  • AI outputs must be reviewed by authorized users before operational, legal, security, or disciplinary decisions are made

7. Data Security Controls

Red Sword Security Private Limited uses reasonable security practices, including:

  • TLS/HTTPS encryption in transit
  • Access controls
  • Role-based permissions
  • Least privilege
  • Secure secret management
  • Logging and monitoring
  • Database backups
  • Firewall and network restrictions
  • Vulnerability management
  • Authentication controls
  • Audit trails
  • Incident response procedures

The IT SPDI Rules, 2011 require reasonable security practices and procedures for handling sensitive personal data or information. (PRS Legislative Research)

8. Access Control

Access to customer data is limited to:

  • Authorized customer users
  • Authorized Red Sword Security Private Limited personnel
  • Support engineers where required
  • Infrastructure providers under appropriate controls
  • Legal/regulatory authorities where required by law

Access is granted on a need-to-know basis.

9. Data Retention Policy

Unless otherwise agreed in writing, the default retention period is 180 days.

  Data Type                   Default Retention
  Actionable alerts           180 days
  Noise/duplicate summaries   180 days
  Reports                     180 days
  Audit logs                  180 days
  Backups                     Up to 180 days
  Account records             Account duration + legal requirement
  Support records             180 days

Customers may request custom retention under paid plans.

10. Log Retention and CERT-In

Where applicable, customers and Red Sword Security Private Limited may need to maintain logs and cooperate with CERT-In requirements.

CERT-In Directions require covered entities to report specified cyber incidents within 6 hours of noticing or being brought to notice of such incidents. (CERT-In)

Customers remain responsible for their own statutory reporting obligations unless otherwise agreed in writing.

11. Data Deletion

Customers may request deletion of their data by contacting contact@redswordsecurity.com.

Deletion may be subject to:

  • Legal obligations
  • Security investigation requirements
  • Backup retention cycles
  • Contractual obligations
  • Fraud prevention
  • Audit requirements

Backup deletion may occur during normal backup rotation.

12. Data Breach Handling

If Red Sword Security Private Limited identifies a confirmed breach affecting customer data, it will:

  • Investigate the issue
  • Contain and remediate the incident
  • Notify affected customers where required
  • Provide available details needed for customer response
  • Cooperate with lawful requests from authorities
  • Take reasonable steps to prevent recurrence

13. Cross-Border Processing

Depending on infrastructure, AI provider, or customer configuration, data may be processed outside India.

Where required by law, contractual controls or customer-specific data residency options may be used.

14. Third-Party Subprocessors

Red Sword Security Private Limited may use subprocessors such as:

  • Cloud hosting providers
  • Email providers
  • Payment processors
  • Monitoring tools
  • AI API providers
  • Analytics tools
  • Support tools

A list of subprocessors may be provided upon request or published separately.

15. Customer Instructions

Red Sword Security Private Limited processes customer data according to:

  • Customer configuration
  • Contractual agreement
  • Product functionality
  • Applicable law
  • Written customer instructions

If an instruction creates a legal, security, or operational risk, Red Sword Security Private Limited may refuse or suspend the instruction.

16. Confidential Security Data

Customer security data, threat intelligence, vulnerabilities, incident details, and logs are treated as confidential.

Red Sword Security Private Limited will not disclose customer security data except:

  • To provide services
  • With customer authorization
  • To comply with law
  • To protect rights, safety, and security
  • To approved subprocessors under confidentiality obligations

17. Data Principal Requests

Where Red Sword Security Private Limited receives a request from an individual relating to customer-controlled data, it may direct the request to the relevant customer unless legally required to respond directly.

18. Contact

For data protection, privacy, legal, support, or grievance-related queries:

Red Sword Security Private Limited

Hamirpur, Himachal Pradesh, India

Email: contact@redswordsecurity.com