Privacy Policy
Last updated 7 June 2026
1. Introduction
Aegis Eight (“Aegis Eight”, “we”, “our”, or “us”) is committed to protecting the privacy and security of personal information.
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you use the Aegis Eight platform and related services.
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using our services, you acknowledge that your information will be handled as described in this Privacy Policy.
2. Information We Collect
Account and Contact Information
When you register for Aegis Eight, we may collect:
- name;
- work email address;
- organisation name;
- account identifiers; and
- authentication information provided through our identity provider.
Microsoft 365 Configuration Information
To perform Essential Eight assessments, Aegis Eight collects read-only configuration and security posture information from connected Microsoft 365 environments, including:
- multi-factor authentication status;
- security policies and configurations;
- device compliance information;
- administrative role assignments;
- software and security control settings; and
- other configuration data relevant to Essential Eight assessments.
What We Do Not Collect
Aegis Eight does not access, read, or store the contents of:
- emails;
- attachments;
- SharePoint documents;
- OneDrive files;
- Teams messages;
- chat content; or
- other customer-generated content stored within Microsoft 365.
Billing Information
Payments are processed by authorised third-party payment providers. We do not store complete payment card details on Aegis Eight systems.
Technical and Usage Information
We collect limited operational information necessary to provide and secure the Service, including:
- IP addresses;
- browser and device information;
- login events;
- audit logs;
- service performance metrics; and
- security monitoring information.
3. How We Use Information
We use collected information to:
- provide Essential Eight assessments and reporting;
- monitor changes to your Microsoft 365 security posture;
- deliver alerts, notifications, and recommendations;
- authenticate users and maintain account security;
- process subscriptions and payments;
- provide customer support;
- improve the reliability and performance of the Service;
- investigate security incidents and suspected misuse; and
- comply with legal and regulatory obligations.
We do not sell personal information.
We do not use customer data, tenant data, assessment results, or report content to train artificial intelligence or machine learning models.
4. Disclosure of Information
We may disclose information to trusted service providers that assist us in operating the Service.
These providers may include:
- Microsoft (Microsoft Graph and related services);
- a cloud hosting provider (hosting, storage, database, and infrastructure services);
- a payment processor (subscription billing);
- an authentication provider (dashboard sign-in and identity management); and
- professional advisers where required for legal, accounting, or regulatory purposes.
We only disclose information necessary for those providers to perform their services.
We may also disclose information where required by law, court order, or regulatory authority.
5. Data Storage and International Transfers
By default, Aegis Eight stores customer assessment data and reports within Australia. Customers with data-residency requirements in another jurisdiction can request a dedicated deployment in their required region.
Some service providers may process limited personal information outside Australia as part of delivering authentication, payment, infrastructure, or support services.
Where information is disclosed overseas, we take reasonable steps to ensure it is handled securely and in accordance with applicable privacy obligations.
6. Data Retention
Assessment data is retained only for as long as necessary to provide the Service and meet legal, operational, and security requirements.
Unless otherwise required:
- assessment snapshots and supporting evidence are retained for ninety (90) days;
- after ninety (90) days, raw evidence data may be removed while retaining metadata and integrity records necessary to support historical reporting and auditability;
- account information is retained while an account remains active; and
- information may be retained for longer where required by law or legitimate business purposes.
Upon account closure or a valid deletion request, data will be deleted in accordance with our retention procedures.
7. Your Privacy Rights
Subject to applicable laws, you may request:
- access to personal information we hold about you;
- correction of inaccurate or incomplete information;
- deletion of personal information;
- withdrawal of consent where consent applies; and
- information regarding how your personal information has been used or disclosed.
You may also revoke Aegis Eight’s access to your Microsoft 365 tenant at any time through the Microsoft Entra Admin Centre.
Where a valid deletion request is received, we will take reasonable steps to delete applicable customer data within thirty (30) days, unless retention is required by law.
8. Security Measures
We implement technical and organisational safeguards designed to protect customer information, including:
- encryption in transit and at rest;
- role-based access controls;
- least-privilege access principles;
- tenant-level data isolation;
- audit logging and monitoring;
- secure software development practices; and
- regular security reviews and vulnerability management activities.
While no system can guarantee absolute security, we maintain controls designed to protect information from unauthorised access, disclosure, alteration, or destruction.
9. Cookies and Analytics
Aegis Eight may use cookies, session technologies, and analytics tools to:
- maintain user sessions;
- improve website functionality;
- understand platform usage patterns; and
- support platform security and performance.
Users may control cookie preferences through their browser settings, although some functionality may be affected.
10. Privacy Complaints
If you have a privacy concern, complaint, or request, please contact us first using the details below.
We will investigate and respond within a reasonable timeframe.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).
Website: https://www.oaic.gov.au
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, or business practices.
Where material changes are made, we will provide notice through the Service, by email, or through other appropriate communication channels.
The updated version will always be available on our website and will include the revised effective date.
12. Contact Us
For privacy-related enquiries, requests, or complaints:
Email: [email protected]
Please also review our Terms of Service and Security & Privacy documentation for additional information regarding the operation of the Service.