Privacy Policy
Introduction
Welcome to Anomity, an enterprise security platform that gives security teams a single dashboard showing AI agents, MCP servers, IDE extensions, plugins, skills, hooks, CLIs, and secrets running on their managed employee endpoints, with the policy controls to govern them (the “Service”). The Service is offered under the brand “Anomity.ai” and is developed and operated by Deskfirst, Inc. and its subsidiaries (“Anomity”, “Deskfirst” or “we”, “us”, “our”).
This Privacy Policy (“Policy”) explains how information about you — a visitor to our website, a person who submits a contact or early-access request, an Authorized User who has been granted access to the Dashboard by an organization that licensed the Service, or an applicant for a position at Anomity (collectively, “you”) — is collected and used by us when we operate as a data controller.
If you are an Authorized User who has been granted access to the Service by an organization that purchased a license under the Anomity Service Agreement pursuant to an executed Order Form (an “Enterprise Customer”), and if your personal data is processed because you are reflected in Telemetry Data collected by the Endpoint Daemon installed on a Managed Device by an Enterprise Customer, we process your personal data on behalf of that organization (the “Customer”), as described in our Data Processing Addendum, and that organization is the data controller. Please refer to that organization’s privacy notices for information about its processing of your personal data.
You have the right to review the personal information we collect and use about you and the right to request correction of your personal information.
The Service is not directed to users under the age of 18. We do not knowingly collect information or data from children under the age of 18 or knowingly allow minors under the age of 18 to use the Service.
This Policy may be amended from time to time. We will post any change to this Policy on our website at a reasonable time in advance of the effective date of the change, and we will also make efforts to proactively notify you by email of the changes if we have your email address.
Contact us
If you have any questions, comments or concerns regarding this Policy or our processing of your personal information, please contact us at [email protected].
What we collect and why
When you submit our website contact, demo, or early-access form
Purposes: Responding to your request, scheduling demos and walkthroughs, qualifying your interest, providing you with information about Anomity, and our business development.
Categories of information processed: Full name, work email address, company name, job title or role, phone number (if provided), and the content of your message or request.
When you (or your organization) register an Authorized User account on the Service
Purposes: Providing you with access to the Dashboard and APIs, product updates, tips, reminders, contacting you regarding administrative issues related to the Service, this Policy, our Terms, support, and maintenance.
Categories of information processed: Contact details such as full name, business email address, and authentication details such as username and (where the identity provider does not handle this) password. If you authenticate through your organization’s identity provider (such as a SAML or OIDC SSO provider), we may receive your name, business email address, language preferences, and profile picture from that provider, together with the assertion that you are authorized to access the Service. You will not be able to opt out of receiving certain administrative messages which are integral to your use (like password resets, billing notices, security alerts).
When your organization subscribes to the Service
Purposes: Providing the Service requested, invoicing, and managing the subscription.
Categories of information processed: Full name, business contact details, and certain billing information and data that you have provided to us or to our third-party payment processors — such as your billing address and an indication of successful billing.
When the Endpoint Daemon transmits Telemetry Data on behalf of your organization
Purposes: Inventorying, classifying, governing, and auditing AI tooling on your organization’s Managed Devices, providing the Service to your organization, generating Findings, and surfacing alerts to your organization’s security team.
Categories of information processed: Device identifiers (hostname, OS, OS version, architecture, machine UUID); the username under which an AI tool is configured on the device; configuration metadata about AI tools, MCP servers, IDE extensions, plugins, skills, hooks, CLIs, and permission grants found on the device; redacted secret fingerprints (one-way hashes) and metadata about secrets found in AI-tool configuration files; and change events recording when an AI tool, configuration file, or related artifact was added, modified, or removed on the device.
What we do NOT collect: We do not collect source code, prompts, model outputs, browsing history, or the contents of files other than AI-tool configuration files. We do not collect plaintext secret values; secrets are redacted on the Managed Device before transmission, and only a one-way hashed fingerprint and surrounding metadata reach Anomity Cloud.
When the Service is provided to an Enterprise Customer, we process this Telemetry Data as a processor on behalf of that Customer pursuant to our Data Processing Addendum. The Customer is responsible for the lawfulness of the monitoring of its endpoints, including providing any notices and obtaining any consents required of it under applicable employment, privacy, and surveillance laws.
Contacting us with an inquiry through our email or online contact form
Purposes: Responding to your inquiry, our business development.
Categories of information processed: Company name, your email address, the subject of your inquiry, and the text of your message.
When you provide us with feedback or reviews
Purposes: Responding to your feedback and reviews, our business development, and improving the Service.
Categories of information processed: Email address, full name, username, and the feedback or review.
When you use the Dashboard (cloud audit trail)
Purposes: Providing the Service, security monitoring, troubleshooting, customer support, and producing the audit trail of cloud admin actions made available to your organization.
Categories of information processed: Information such as which Findings or pages you accessed, which policies you edited, role and permission changes you performed, timestamps, and the IP address from which you accessed the Service.
Use of cookies & analytics tools on the website
Purposes: Facilitating Service features that you specifically requested; analyzing website usage to evaluate and improve performance; improving user experience on our website.
Categories of information processed: IP address from which you access the website, time and date of access, type of device and browser used, language used, links clicked via a mouse or a touch screen, and actions taken while using the website.
Job Applications
Purposes: Handling applications for a position at Anomity. Information about applicants will be kept private and will only be used for internal recruitment purposes, including identifying applicants, evaluating their applications, making hiring and employment decisions, performing background checks on applicants, and contacting them via telephone or in writing.
Categories of information processed: CVs and contact information.
Submitting your information is not mandatory. You do not have a legal obligation to provide the information that we request. However, if you choose not to provide this information to us, we may not be able to process your feedback and content, respond to your inquiry, or grant you access to some of our Service functionalities.
YOU ARE SOLELY LIABLE FOR PROTECTING THIRD PARTIES’ AND YOUR OWN PRIVACY, AND FOR OBTAINING THE PRIOR CONSENT OF INDIVIDUALS WHOSE PERSONAL INFORMATION IS REFLECTED IN THE TELEMETRY DATA OR OTHER CONTENT YOUR ORGANIZATION SUBMITS TO THE SERVICE. WE WILL NOT BEAR LIABILITY FOR ANY DAMAGES THAT YOU OR THIRD PARTIES MIGHT INCUR AS A RESULT OF THE PUBLICATION, COLLECTION, OR USE OF SUCH PERSONAL INFORMATION BY YOUR ORGANIZATION.
Methods and sources for collecting your personal information
We collect personal information from several sources:
Directly from you when you submit our website contact or early-access form, register an Authorized User account, authenticate through your organization’s identity provider, contact us through our email or online contact form, or apply for a job at Anomity.
From your organization (when it is an Enterprise Customer) and from the Endpoint Daemon installed on Managed Devices by your organization, when configuration metadata about AI tooling on those devices is transmitted to the Service.
From our service providers helping us to operate the Service.
Through the device you use to access our website, including through cookies and analytics tools, such as Google Analytics and our internal analytics services.
Sharing your personal information
We will not share your information with third parties, except in the events listed below or when you provide us with your explicit and informed consent.
We will share your information with our service providers who assist us with the internal operations of the Service. These companies are authorized to use your personal information in this context only as necessary to provide these services to us and not for their own promotional purposes.
Purposes: Operating the Service and our business.
Examples of third parties involved: Amazon Web Services, Microsoft Azure, Auth0 (Okta), MongoDB Atlas, Pusher, Cloudflare, Stripe, and one or more LLM providers used to generate AI-assisted remediation suggestions and to power the in-product AI assistant, subject to additional policies such as: https://aws.amazon.com/privacy/, https://privacy.microsoft.com/, https://auth0.com/docs/secure/data-privacy-and-compliance, https://www.mongodb.com/legal/privacy/privacy-policy, https://pusher.com/privacy, https://www.cloudflare.com/privacypolicy/, and https://stripe.com/privacy.
Job Applications
Purposes: Handling applications for a position at Anomity. Examples of third parties involved: recruiting third-party cloud services, such as LinkedIn and Greenhouse or comparable applicant-tracking platforms. Applicants who use LinkedIn are bound also by LinkedIn’s terms of service and privacy policy, as registered LinkedIn users.
Sharing within your organization
When the Service is provided to an Enterprise Customer, the personal data we process about you in your capacity as an Authorized User (and personal data we process about Customer’s personnel reflected in Telemetry Data on Managed Devices) is made available to that Enterprise Customer through the Dashboard, the audit trail, and the alerts and integrations the Customer has configured.
Purposes: Performance of our contract with the Enterprise Customer.
Examples of third parties involved: Other Authorized Users of the Service belonging to the same Enterprise Customer organization.
If you abuse your rights to use the Service or violate any applicable law
Purposes: Responding to, handling, and mitigating suspected violations of law in connection with our business.
Examples of third parties involved: Competent authorities, legal counsel, and advisors.
If a judicial, governmental, or regulatory authority requires us to disclose your information
Purposes: Complying with a binding request from a competent authority.
Examples of third parties involved: Competent authorities.
Corporate transactions
Purposes: Enabling a structural change in the operation of the Service and our business.
Examples of third parties involved: The target entity of the merger or acquisition, legal counsel, and advisors.
Data retention and security
We retain your information for as long as needed to operate the Service, and thereafter as needed for record-keeping matters.
We will retain your information for as long as needed to operate the Service. Thereafter, we will still retain your personal information as necessary to comply with our legal obligations, resolve disputes, establish and defend legal claims, and enforce our agreements. The overall period of retention is approximately seven (7) years for contractual and accounting records.
Where we process Telemetry Data and audit-trail entries on behalf of an Enterprise Customer, the standard audit-trail retention period is ninety (90) days; longer retention may be specified in the applicable Order Form.
Anomity may retain the information provided by job applicants even after the position has been filled or closed so that we can re-consider them for other employment opportunities, or, if an applicant is hired, for additional employment or business purposes. If you previously submitted your job application information to us, and now wish to access it, update it, or have it deleted (if we still have it), please contact us at [email protected].
We implement measures to secure your information.
We implement measures to reduce the risks of damage, loss of information, and unauthorized access or use of information, including encryption of data in transit and at rest, on-endpoint redaction of secrets so that plaintext secret values never leave the Managed Device, strict tenant isolation at the query layer, per-device daemon credentials hashed at rest using bcrypt, single sign-on via the Customer’s identity provider, and a SOC 2 Type II attested control environment, as further detailed in the Anomity Trust Center — https://trust.anomity.ai. However, these measures do not provide absolute information security. Therefore, although efforts are made to secure your personal information, there is no guarantee that it will be immune from information security risks.
Additional information for individuals in the EU or UK
Controller
Deskfirst, Inc. is the data controller of the personal information collected via the Service when we operate as a controller. If you are an Authorized User of an Enterprise Customer, or if your personal data is reflected in Telemetry Data collected from a Managed Device, Anomity is the data processor for the personal information it processes on the Customer’s behalf, as described in our Data Processing Addendum, and that Customer is the data controller.
Deskfirst, Inc.
850 New Burton Rd Ste 201, Dover, DE 19904, US.
International data transfers
To facilitate processing your information through the Service and by our service providers, we may transfer your information to countries outside the EU or the UK, including the United States and Israel. We do so to countries or organizations which are recognized by the European Commission (or, as applicable, by the UK Information Commissioner’s Office) as having adequate protection for personal data, or under the terms of a data transfer agreement which contains standard data protection contract clauses with adequate safeguards determined by the EU Commission and UK Information Commissioner’s Office.
Legal basis for processing your personal data
Submitting our website contact, demo, or early-access form
Legal Basis: Our legitimate interest in responding to your inquiry, qualifying your interest, and our business development.
Registering and using our Service or through a third-party identity provider
Legal Basis: Performance of a contract with you or with the Customer that authorized your access, and our legitimate interest in providing you with the Service you requested, contacting you regarding administrative issues and updates related to the Service, this Policy, our Terms, support, and maintenance.
When your organization subscribes to the Service
Legal Basis: Our legitimate interest in providing the subscription, and performance of our contract with the Customer.
Telemetry Data transmitted by the Endpoint Daemon
Legal Basis: Performance of our contract with the Enterprise Customer; the Customer is responsible for identifying its own legal basis for monitoring its endpoints under applicable employment, privacy, and surveillance laws.
Responding to your inquiry
Legal Basis: Our legitimate interest in responding to your inquiry and our business development.
When you provide us with feedback and reviews
Legal Basis: Our legitimate interest in developing and enhancing our business and the Service, responding to your feedback or reviews.
Cloud audit trail
Legal Basis: Performance of our contract with the Enterprise Customer and our legitimate interest in providing security and accountability for the Service.
Use of cookies on the website
Legal Basis: Our legitimate interest in providing you with the website functionality you requested.
Responding to, handling, and mitigating suspected violations of law in connection with our business
Legal Basis: Legitimate interest in defending and enforcing against violations and breaches that are harmful to our business.
Complying with a binding request from a competent authority
Legal Basis: Legitimate interest in complying with mandatory legal requirements imposed on us.
Enabling a structural change in the operation of the Service and our business
Legal Basis: Legitimate interest in our business continuity.
Job Applicants
Legal Basis: Our legitimate interest in recruitment of new job applicants.
Data subject rights
If you are in the EU or the UK, you have the following rights under the GDPR:
Right to Access and receive a copy of your personal information that we process.
Right to Rectify inaccurate personal information we have concerning you and to have incomplete personal information completed.
Right to easily and at any time withdraw your consent to the use of non-essential cookies on our website. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Right to Data Portability, that is, to receive the personal information that you provided to us in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another person or entity. Where technically feasible, you have the right to have your personal information transmitted directly from us to the person or entity you designate.
Right to Object to our processing of your personal information based on our legitimate interest. However, we may override the objection if we demonstrate compelling legitimate grounds, or if we need to process such personal information for the establishment, exercise, or defense of legal claims.
Right to Restrict us from processing your personal information (except for storing it): (a) if you contest the accuracy of the personal information (in which case the restriction applies only for a period enabling us to determine the accuracy of the personal information); (b) if the processing is unlawful and you prefer to restrict the processing of the personal information rather than requiring the deletion of such data by us; (c) if we no longer need the personal information for the purposes outlined in this Policy, but you require the personal information to establish, exercise, or defend legal claims; or (d) if you object to our processing based on our legitimate interest (in which case the restriction applies only for the period enabling us to determine whether our legitimate grounds for processing override yours).
Right to be Forgotten. Under certain circumstances, such as when you object to our processing of your personal information based on our legitimate interest and there are no overriding legitimate grounds for the processing, you have the right to ask us to erase your personal information. However, notwithstanding such request, we may still process your personal information if it is necessary to comply with our legal obligations, or for the establishment, exercise, or defense of legal claims. If you wish to exercise any of these rights, please contact us through the channels listed in this Policy.
When you contact us, we reserve the right to ask for reasonable evidence to verify your identity before we provide you with information. Where we are not able to provide you with information that you have asked for, we will explain the reason.
If your personal data is processed by us as a processor on behalf of an Enterprise Customer (for example, where you are reflected in Telemetry Data from a Managed Device), please direct your data subject requests to that Customer in the first instance, as it is the data controller. We will assist the Customer in responding to your request as required by law and our Data Processing Addendum.
Subject to applicable law, you have the right to lodge a complaint with your local data protection authority. If you are in the EU, then according to Article 77 of the GDPR, you can lodge a complaint with the supervisory authority in the Member State of your residence, place of work, or place of alleged infringement of the GDPR. If you are in the UK, you can lodge a complaint with the Information Commissioner’s Office (ICO).
California and Delaware “do not track” Disclosures
We do not monitor or respond to Do Not Track browser requests. Please make sure to change the settings of your browser and/or our Service whenever you wish cookies to cease.