Privacy Policy

Last updated June 1, 2026

This Privacy Policy (the “Policy”) describes how Strike Security LLC and its affiliated companies (“Strike,” “we,” “us,” or “our”) collect, use, disclose, and protect personal information and certain security-related service data processed through the Always-on Platform, our website (https://strike.sh), and related services (collectively, the “Platform”). This Policy applies to all users of the Always-on Platform, including clients (“Users” or “Clients”), ethical security researchers (“Strikers”), and website visitors.


Strike operates an AI-powered, Always-on Platform with hybrid validation, including Continuous Hybrid Validation capabilities, that helps organizations identify, prioritize, and remediate security vulnerabilities across their digital infrastructure.


By accessing or using the Always-on Platform, you acknowledge that you have read and understood this Policy. Where required by applicable law, we will obtain your consent before processing your personal information. If you do not agree with this Policy, you should not use the Always-on Platform.
For questions about this Policy or data protection at Strike, contact us at: legal@strike.sh.

1. Definitions

“Account” means the user account created by you to access the Always-on Platform, as described in the applicable Terms of Use.

“AI Agents” means Strike’s proprietary artificial intelligence systems that perform automated security testing, vulnerability detection, attack emulation, and related analysis functions within the Always-on Platform.

“Client Content” means any data, files, documents, configurations, code, or other content uploaded, submitted, or made available by a User or End User through the Always-on Platform in connection with the Services. Client Content does not include Testing Credentials, which are governed separately.

“Always-on Platform” means Strike’s AI-powered, Always-on Platform with hybrid validation, including Continuous Hybrid Validation capabilities, AI Agents, integrations, APIs, and related services.

“End User” means an individual authorized by a Client to access and use the Always-on Platform on the Client’s behalf.

“Personal Information” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws including GDPR, CCPA, and LGPD.

“Platform” means Strike’s website at https://strike.sh, the Always-on Platform application, and all related tools and interfaces.

“Security Data” means technical security information generated or processed through the Always-on Platform, including vulnerability findings, scan results, attack emulation outputs, threat intelligence, asset inventories, and security posture assessments. Security Data may or may not contain Personal Information depending on context.

“Services” means all products and services provided by Strike through the Always-on Platform, including the Always-on Platform, Hybrid Testing, Manual Pentesting Projects, Red Teaming Projects, and any add-on services.

“Striker(s)” means independent security researchers and ethical hackers who perform human-led security testing, validation, and expert analysis through the Always-on Platform.

“Telemetry Data” means technical data automatically collected from the Always-on Platform about system performance, feature usage patterns, error logs, and operational metrics.

“Testing Credentials” means passwords, API keys, access tokens, SSH keys, certificates, and any other authentication materials provided by a Client to enable the Services on the Client’s assets.

“Usage Data” means information about how users interact with the Always-on Platform, including login activity, feature access, queries, session data, and behavioral analytics.

“User(s)” or “Client(s)” means any individual or legal entity who accesses the Always-on Platform to engage Services.

2. Who we are

Strike Security LLC is a corporation organized under the laws of Delaware, USA, with its principal address at 848 Brickell Avenue, Suite 600, Miami, FL 33131. Strike operates through affiliated entities including Strike SAS (Uruguay), Airstrike SRL de CV (Mexico), and Strike Brazil LTDA (Brazil).

Strike provides an AI-powered, Always-on Platform with hybrid validation that delivers continuous security testing. Our Always-on Platform combines AI Agents that perform automated attack emulation, vulnerability detection, and security posture assessment with expert human validation by Strikers who verify findings, perform deep-dive testing, and provide remediation guidance.

For purposes of applicable data protection laws, Strike acts as a data controller with respect to the Personal Information of Always-on Platform users (account data, usage data), and as a data processor with respect to Client Content and Testing Credentials processed on behalf of Users in connection with the Services. The specific roles and obligations are further detailed in our Data Processing Agreement (“DPA”), available upon request.

3. What personal information we collect from you and for what reason

We collect the following categories of information. Note that not all categories constitute Personal Information under applicable data protection laws; some categories are technical or security-related service data governed by our contractual obligations.

3.1. Account and Registration Information

Information you provide when creating an Account, including: name, email address, phone number, company name, job title, billing address, payment information (processed by our payment processors), and authentication credentials.

3.2. Client Content

Data you upload or provide in connection with the Services, including: asset information (URLs, IP addresses, domains, API endpoints), application source code or documentation, network architecture details, and any other content submitted for security testing purposes.

3.3. Testing Credentials

Authentication materials provided by you to enable the Services on your assets, including passwords, API keys, access tokens, SSH keys, and certificates. Testing Credentials receive enhanced security treatment and are subject to specific retention rules (see Section 8).

3.4. Security Data

Technical security information generated through the Platform’s operation, including: vulnerability findings and severity assessments, scan and attack emulation results, security posture scores and trends, remediation status and verification results, threat intelligence and exposure data, and asset inventory data.

3.5. Usage Data and Telemetry

Information about how you interact with the Platform, including: login activity and session data, features accessed and actions performed, search queries and filter configurations, Platform performance and error data, browser type, device information, IP address, and operating system.

3.6. Communication Data

Information exchanged through Platform communication channels between Users, Strikers, and Strike, including messages, support requests, and feedback.

3.7. Striker-Specific Information

For Strikers, we additionally collect: professional qualifications and certifications, background verification data, performance and quality metrics, payment and tax information, and identity verification documents.

4. How do we use your data?

Purpose | Description
Providing the Services | Operating the Always-on Platform; performing automated and hybrid security testing; generating vulnerability reports; providing remediation guidance; managing your Account; processing payments.
AI-Driven Analysis | Using AI Agents to perform automated scanning, attack emulation, vulnerability detection, threat prioritization, and security posture assessment on your assets as part of the Services.
Platform Improvement | Using de-identified and aggregated Telemetry Data and Usage Data to improve Platform functionality, detection capabilities, and user experience (see Section 5 for details).
Security & Fraud Prevention | Maintaining the safety, security, and integrity of the Platform; preventing unauthorized access, fraud, and misuse.
Communications | Sending service-related notifications, security alerts, product updates, and (with your consent where required) marketing communications.
Legal Compliance | Complying with applicable laws, regulations, legal processes, or governmental requests; enforcing our terms.
Support | Responding to inquiries, troubleshooting, and providing technical assistance.

5. AI AND AUTOMATED PROCESSING

The Always-on Platform uses artificial intelligence and automated processing as core components of the Services. This section explains how we handle data in connection with our AI systems.

5.1. How AI Operates Within Always-on Platform

Our AI Agents process Client Content and Security Data to perform automated security testing, including attack emulation, vulnerability detection, severity assessment, and remediation recommendations. AI processing occurs within Strike’s controlled infrastructure and is subject to the same security and confidentiality protections as all Platform data.

5.2. Data Use for AI and Product Improvement

We distinguish between the following types of data use:

  • Service Delivery: We use Client Content, Testing Credentials, and Security Data to provide the Services to you. This includes AI processing of your assets and data as necessary to perform the security testing you have requested.
  • Detection Improvement: We may use Security Data outputs (such as vulnerability patterns and attack signatures) in de-identified and aggregated form to improve our detection engines and threat intelligence capabilities.
  • Product Improvement: We use de-identified and aggregated Telemetry Data and Usage Data to improve Platform features, performance, and user experience.
  • No General-Purpose AI Training: Strike does not use Client Content to train general-purpose AI models or models made available to other clients, unless expressly agreed in writing. Client-specific data is not shared across tenants.

5.3. Automated Decision-Making

Our AI Agents make automated assessments regarding vulnerability severity, risk prioritization, and remediation recommendations. These outputs are informational and advisory. For Hybrid Testing engagements, AI findings are validated by human Strikers. Clients retain full discretion over remediation decisions.

6. DISCLOSURE OF INFORMATION

We may disclose your information to the following categories of recipients, in compliance with this Policy and applicable law:

6.1. Strike Affiliates

We share data with Strike’s affiliated entities (Strike SAS, Airstrike SRL de CV, Strike Brazil LTDA) as necessary to provide the Services.

6.2. Strikers

For engagements involving human-led testing or hybrid validation, we share strictly necessary Client Content and Security Data with Strikers. Strikers are bound by confidentiality and data handling obligations under the Terms and Conditions for Strikers.

6.3. Subprocessors and Service Providers

We engage third-party service providers who process data on our behalf. All subprocessors are bound by data processing agreements with obligations no less protective than those in our DPA. A current list of subprocessors is available at https://strike.sh/subprocessors or upon request. The list is updated with at least 30 days’ advance notice. Clients may raise reasonable objections to new subprocessors in accordance with the DPA.

6.4. Third-Party Integrations

When you enable third-party integrations (e.g., Jira, Slack, CI/CD tools), data will flow to those services in accordance with your configuration. These services operate under their own privacy policies.

6.5. Legal and Regulatory Authorities

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Strike, our users, or others.

6.6. Corporate Transactions

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections. We will notify you of any such transfer.

7. INTERNATIONAL DATA TRANSFERS

Strike processes data primarily in the United States, Mexico, Brazil, and Uruguay. Your data may be transferred to and processed in countries outside your country of residence.

For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we implement appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs). Copies are available upon request.

For transfers from Brazil, we comply with LGPD requirements for international data transfers, relying on standard contractual clauses, consent, or other legally recognized mechanisms.

8. DATA RETENTION

We retain your information for the periods described below, unless a longer retention period is required or permitted by law:

Data Category | Retention Period
Account Information | Duration of the Account plus 3 years after closure, or as required for legal, accounting, or reporting obligations.
Client Content | Duration of the Subscription Term plus 90 days for retrieval. Deleted upon Client’s written request or in accordance with the DPA.
Testing Credentials | Retained only for as long as reasonably necessary to provide the applicable Services. Deleted or disabled promptly after they are no longer needed, unless otherwise agreed in writing.
Security Data | Duration of the Subscription Term plus 12 months for trend analysis and historical comparison, unless a shorter period is agreed in the DPA or Order Form.
Usage Data & Telemetry | Up to 24 months in identifiable form; indefinitely in de-identified and aggregated form.
Striker Information | Duration of active engagement plus 5 years for compliance, tax, and audit obligations.
Communication Data | Duration of the engagement plus 12 months, or as required by law.

Upon termination of the Services, we will, at your election and in accordance with the DPA: (a) return your Client Content in a standard machine-readable format, or (b) securely delete your Client Content and Testing Credentials, and upon request provide written certification of deletion.

9. YOUR PRIVACY RIGHTS

Depending on your location, you may have the following rights under applicable data protection laws. To exercise any of these rights, contact us at legal@strike.sh.

9.1. Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to: access your personal data and obtain a copy; rectify inaccurate or incomplete data; erase your data (right to be forgotten) where there is no compelling reason for continued processing; restrict processing in certain circumstances; data portability; object to processing based on legitimate interests or for direct marketing; withdraw consent at any time; and lodge a complaint with your local supervisory authority.

Legal bases for processing: performance of a contract (to provide the Services); legitimate interests (to improve and secure the Platform, prevent fraud); consent (for marketing communications); and legal obligation (to comply with applicable laws).

9.2. Rights Under CCPA / CPRA (California)

If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; delete your personal information (subject to exceptions); correct inaccurate personal information; and non-discrimination for exercising your privacy rights.

Strike does not sell personal information as defined by the CCPA. Where required by applicable law, we provide mechanisms to opt out of sale or sharing of personal information, including certain advertising or analytics cookies.

9.3. Rights Under LGPD (Brazil)

If you are located in Brazil, you have the right to: confirmation of the existence of processing; access to your data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data; data portability; information about third parties with whom your data is shared; and revocation of consent.

9.4. Response and Verification

We will respond to your request within the timeframes required by applicable law (generally 30 days for GDPR, 45 days for CCPA). We may need to verify your identity before processing your request. For requests related to Client Content processed on behalf of a User, please contact your organization’s administrator.

10. DATA PROCESSING AGREEMENT

For enterprise Clients, Strike offers a Data Processing Agreement (DPA) that governs the processing of personal data contained within Client Content. The DPA addresses: the nature and purpose of processing; categories of data subjects and personal data; obligations of Strike as data processor and the Client as data controller; security measures; subprocessor management; data breach notification procedures; audit rights; and data return or deletion upon termination.

To request a copy of Strike’s DPA, contact legal@strike.sh.

11. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to operate and improve the Platform:

  • Essential Cookies: Required for the Platform to function, including authentication, security, and session management. These cannot be disabled.
  • Analytics Cookies: Help us understand how the Platform is used so we can improve performance and features. These can be declined.
  • Marketing Cookies: Used to deliver relevant advertising and measure campaign effectiveness. These are only set with your consent where required by applicable law.

You can manage your cookie preferences through the cookie banner displayed when you first visit our website, or through your browser settings.

12. SECURITY OF YOUR INFORMATION

Strike maintains comprehensive security measures to protect your information, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256); access controls and role-based permissions; regular vulnerability assessments and penetration testing of our own infrastructure; intrusion detection and prevention systems; security incident response procedures; and employee and contractor security training and background checks.

Strike maintains SOC 2 Type II and ISO 27001 certifications, and a HIPAA-aligned compliance program where applicable.

While we implement industry-standard security measures, no method of transmission or storage is completely secure. You are responsible for maintaining the confidentiality of your Account credentials and for notifying us promptly of any unauthorized access.

13. CHILDREN’S PRIVACY

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor, we will take steps to delete it promptly. Contact us at legal@strike.sh if you believe a minor has provided us with personal information.

14. THIRD-PARTY WEBSITES AND SERVICES

The Platform may contain links to third-party websites and services. This Policy does not apply to those third-party services. We encourage you to review their privacy policies. Strike is not responsible for the privacy practices of third-party services.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Policy from time to time. We will notify you of material changes by posting the updated Policy on our website and, where required by law, by email or through the Platform. The “Last updated” date at the top indicates when it was last revised. Continued use of the Platform after the effective date constitutes acceptance.

16. CONTACT US

If you have questions, concerns, or complaints about this Privacy Policy or our data practices:

Strike Security LLC

Attn: Legal / Data Protection

848 Brickell Avenue, Suite 600, Miami, FL 33131

Email: legal@strike.sh

For EEA/UK data subjects, you also have the right to lodge a complaint with your local data protection supervisory authority.