Private Terms
Effective date: April 15, 2026
Last updated: April 15, 2026
Note: This document is under legal review. Enterprise customers requiring a countersigned agreement should contact sales@sigmashake.com.
These Private Terms ("Private Terms") are an addendum to the Terms of Use and govern the use of private organizational Ruleset hosting on the SigmaShake Hub. They apply to Pro and Enterprise account holders. Capitalized terms not defined here have the meanings given in the Terms of Use or the DPA.
1. Scope
These Private Terms apply when you create, upload, or manage Rulesets within a private organizational namespace on the Hub — that is, Rulesets that are not publicly visible and are restricted to your organization's Authorized Members. Public Rulesets are governed by the Open Source Terms instead.
2. Definitions
- "Private Ruleset" — a Ruleset stored in an organizational Hub namespace with visibility set to private.
- "Organization" — the legal entity or team you represent, as identified by your SigmaShake organizational Account.
- "Authorized Member" — a user who has been granted access to your organizational namespace by an Account admin.
3. Ownership
You retain all intellectual property rights in and to your Private Rulesets. SigmaShake claims no ownership, license, or interest in your Private Rulesets except the limited operational license described in Section 4.
4. Limited Operational License
By storing Private Rulesets with SigmaShake, you grant SigmaShake a limited, non-exclusive, revocable license to:
- Store and replicate your Private Rulesets on Hub infrastructure for redundancy and disaster recovery;
- Transmit your Private Rulesets to your Authorized Members and your own agents when requested via authenticated API calls;
- Evaluate your Private Rulesets against tool-call requests from your agents;
- Perform necessary format migrations to maintain compatibility with new versions of the SigmaShake rule engine.
This license is strictly limited to operating the Services for your benefit. SigmaShake will not access, use, or disclose your Private Rulesets for any other purpose.
5. Access Controls
SigmaShake implements role-based access controls (RBAC) for organizational namespaces:
- Only Authorized Members designated by your Account admin may access your Private Rulesets.
- All access to your Private Rulesets is logged in the audit trail accessible from your dashboard (Pro/Enterprise).
- You are responsible for managing your Authorized Members list and revoking access promptly when members leave your organization.
6. Confidentiality
SigmaShake treats your Private Rulesets as confidential information. Our personnel will not access your Private Rulesets except:
- When you request support that requires access to diagnose a specific issue, with your explicit permission;
- When required by law, court order, or regulatory authority (in which case we will notify you promptly unless prohibited);
- For automated operations (backups, migrations) as described in Section 4.
7. Data Protection
The processing of any personal data within your Private Rulesets or associated metadata is governed by our Data Processing Agreement (DPA), which is incorporated into these Private Terms for Pro and Enterprise customers. The security measures, sub-processor list, international transfer safeguards, and breach notification obligations in the DPA apply in full to your private Ruleset data.
8. Security
SigmaShake applies the technical and organizational measures described in DPA Section 6 to all Private Ruleset storage and transmission, including TLS 1.3 in transit and AES-256 encryption at rest. For our full security posture and responsible disclosure process, see our Security Policy.
9. Sub-processors
The sub-processors used to store and serve your Private Rulesets are listed in DPA Section 7 (currently Cloudflare, Inc. for storage). We will provide at least 30 days' notice before adding new sub-processors with access to private content.
10. Export on Termination
Upon cancellation or termination of your Pro or Enterprise subscription:
- You have 30 days from the termination date to export your Private Rulesets in JSON format via the Hub API or CLI:
  - API: POST https://hub.sigmashake.com/api/orgs/{slug}/export (owner only) — returns a 30-day signed download URL.
  - CLI: ssg orgs export {slug} — prints the download URL to stdout.
- After the 30-day window, your Private Rulesets will be deleted from Hub infrastructure within 30 days.
- Audit log data will be deleted per the retention schedule in DPA Section 10.
We recommend exporting your Private Rulesets before cancelling your subscription.
Your org's access audit log (all private ruleset reads, publishes, and member changes) is viewable at:
- API: GET https://hub.sigmashake.com/api/orgs/{slug}/audit (admin or owner)
- CLI: ssg orgs audit {slug}
11. Deletion SLA
Following Account deletion or subscription termination, SigmaShake will delete your Private Ruleset data and associated Personal Data from all active systems within 30 days, consistent with DPA Section 10, except for billing records retained as required by law (7 years).
12. Breach Notification
In the event of a security incident affecting the confidentiality, integrity, or availability of your Private Rulesets or associated Personal Data, SigmaShake will notify you within 72 hours of becoming aware of the incident, consistent with DPA Section 4 and applicable data protection law.
13. Enterprise Agreements
Enterprise customers may request a countersigned Master Services Agreement (MSA), Data Processing Agreement (DPA), or custom SLA. Contact sales@sigmashake.com to initiate the enterprise contract process.
14. Changes
SigmaShake may update these Private Terms to reflect new features or legal requirements. Material changes will be communicated at least 14 days in advance to active Pro and Enterprise account holders. Continued use of private Ruleset hosting after the effective date of changes constitutes acceptance.
Contact
Data protection and privacy: privacy@sigmashake.com
Security incidents: security@sigmashake.com
Enterprise contracts and DPA: sales@sigmashake.com