Privacy Policy

Last updated: March 25, 2026

Shraga ("we", "us", or "our") is operated by Shraga Security Ltd. This Privacy Policy describes how we collect, use, and protect information when you use the Shraga platform, including the web application, browser extension, mobile app, and Slack integration (collectively, the "Service").

1. Information We Collect

Account & Authentication

When you sign in via your organization's Microsoft Entra ID (Azure AD), we receive your name, email address, and organizational tenant identifier. We do not receive or store your Microsoft password.

Usage Data

We collect information about how you interact with the Service, including conversations with the AI assistant, queries, investigation actions, and feature usage. This data is scoped to your organization's tenant and is used to provide and improve the Service.

Security Tool Data

When you connect security tools (e.g., Microsoft Defender, Splunk, Okta) through our connector framework, we process data from those tools on your behalf to provide investigation and analysis capabilities. Connector credentials are encrypted at rest.

Browser Extension

The Shraga browser extension may access the content of the active tab when you explicitly interact with it (e.g., selecting text for analysis). The extension does not passively monitor or collect browsing activity.

2. How We Use Your Information

3. Data Isolation & Multi-Tenancy

Shraga is a multi-tenant platform with strict data isolation. Each organization's data is logically separated at the database level using row-level security. Users from one organization cannot access data belonging to another organization.

4. Data Retention

Conversation data and investigation history are retained for as long as your organization maintains an active account. Session tokens expire after 24 hours. Your organization's administrator can request deletion of all tenant data by contacting us.

5. Third-Party Services

The Service uses third-party AI models to power its analysis capabilities. Queries sent to AI providers are processed in accordance with our data processing agreements and are not used to train third-party models. We use cloud infrastructure providers (AWS) to host the Service.

6. Security

We implement industry-standard security measures, including encryption in transit (TLS), encryption at rest for sensitive data, role-based access controls, and comprehensive audit logging. Connector credentials and API keys are stored using encrypted storage.

7. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data. Organization administrators can manage users and data through the Shraga settings panel. For individual requests, contact us at the address below.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy on this page with a revised "Last updated" date.

9. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at: privacy@shragasec.com