check_outbound_endpoints.sh blocks any deviation).
AiEGIS is operated by AiEGIS Ltd (Ireland). Privacy contact: privacy@aiegis.ie. Postal address available on request via that mailbox.
The browser extension and native messaging host capture:
| Field | Source | Stored where | Sent off-device? |
|---|---|---|---|
prompt_redacted | AI-vendor chat box (DOM intercept) or vendor API call (webRequest) | Local SQLite on the capturing machine | No. |
response_redacted | Same as above (response side) | Local SQLite | No. |
ts | Browser clock at capture moment | Local SQLite | No. |
vendor, model_version | Inferred from URL / request payload | Local SQLite | No. |
license_key | From ~/.aegis/license on the capturing machine | Local SQLite (per row) | Sent to aiegis.ie/api/license/check weekly to verify license is still valid. Prompts are not sent. |
tab_title, url | Browser tab metadata | Local SQLite | No. |
Redaction happens in-browser, before the daemon ever sees the prompt. The AiEGIS browser extension's content script applies PII redaction (email addresses, phone numbers, credit-card patterns, IBANs, etc.) inside the browser tab. The redacted text is then sent via Chrome Native Messaging to the local daemon, which stores it in the local SQLite. The daemon never sees, processes, or transmits unredacted prompt content. The daemon also does not invoke any AI model — local or remote — for post-processing. There is no llama, no OpenAI/Anthropic/Google call from the daemon. Capture → redact-in-browser → store-locally is the entire flow.
chat.openai.com, chatgpt.com, claude.ai, gemini.google.com, copilot.microsoft.com).AiEGIS is not a passive logger. The browser extension intercepts AI service calls before they leave the browser, allowing the customer's policy engine to permit or refuse each prompt. The interception is read-only on prompt content — AiEGIS never modifies what the user typed before forwarding. The flow for a single prompt:
window.fetch + XMLHttpRequest. When the user submits a
prompt to ChatGPT / Claude / Gemini / Copilot, the extension reads the
prompt body client-side, in-browser. No data has left the machine yet./api/protect endpoint
on localhost). The customer configures the policy.fetch call is refused — the prompt never reaches the AI vendor.
If ALLOW, the original (unmodified) request is forwarded to the original
vendor URL the user requested (chatgpt.com / api.anthropic.com / etc.).What this means in practice:
localhost) and the audit log is local
(SQLite).The intercept-and-conditionally-block model applies to chat-input
prompt text — the content the user types into the chat box, or the
JSON body of a direct API call to api.openai.com /
api.anthropic.com / generativelanguage.googleapis.com.
It does not currently apply to:
multipart/form-data request bodies which the current content
script does not inspect for redaction or policy check. File-content
scanning ships in v0.5 — until then, customers should configure their
policy to BLOCK on prompt phrases like "summarise the attached" if file
leakage is a concern.Customers deploying AiEGIS with the BLOCK feature enabled should review their employees' workflow with these gaps in mind. The compliance UI surfaces these limitations in the in-app deployment checklist.
If the local policy engine cannot be reached for any reason (engine crashed, configuration error, port collision), AiEGIS defaults to fail-CLOSED for sovereign and enterprise tiers (the BLOCK verdict is returned to the wrapped fetch and the user sees a banner: "AiEGIS could not verify this prompt. Submission paused. Retry or contact admin.") For SMB tier deployments, the default is fail-OPEN with the event logged and a customer-visible warning. The fail-mode is bound to the license tier claim and is configurable via the deployment policy.
AiEGIS protects against the network-layer threats above (data exfiltration,
prompt forwarding, policy bypass). It does not protect against
a malicious co-installed browser extension that has been granted
debugger permission by the user, since such extensions can read
the message traffic of every extension running in the same browser profile.
Customer IT should pin allowed extensions via GPO / Intune / MDM and prevent
users from installing arbitrary "productivity" or "tab-management" extensions
that request debugger permissions. A recommended Edge / Chrome
ExtensionInstallAllowlist + ExtensionInstallForcelist
policy template is on our v0.3.7 roadmap; until then, customer IT can build
their own policy referencing the AiEGIS extension ID published in the
deployment section of /.well-known/privacy.json.
There are exactly three outbound network calls AiEGIS itself makes (separate from the user's own AI-service traffic):
| When | To | What's sent | What's NOT sent |
|---|---|---|---|
| License check (weekly + on-launch, v0.3.5+) | aiegis.ie/api/license/check | License key (Bearer header), nothing else | No prompts, no responses, no metadata about captures, no policy decisions |
| Initial license issuance (one-time, install) | aiegis.ie/api/fleet/license/issue | Machine hostname, OS name, customer email (provided by the admin) | No prompts (none captured yet at install) |
| Cross-machine team sync (admin-side, optional) | aiegis.ie/api/team-share | Files the admin explicitly uploads (specs, scripts, policy bundles) | No captured prompts; admin chooses what to upload |
Captured prompts are never sent to AiEGIS Ltd or any third party.
They live in a local SQLite database on the capturing machine. The compliance
dashboard runs on the customer's own machine and queries the local database
over localhost. AiEGIS Ltd's infrastructure never sees prompt
content — that's both a policy commitment and a structural property of the
system, verified by static analysis (see check_outbound_endpoints.sh).
Per Microsoft Edge Add-ons policy 1.6 and 1.5.3:
| Permission | Why we need it |
|---|---|
storage | Persist license key, dashboard endpoint, and the per-customer enforcement flag (aegis_enforce) across browser sessions. |
nativeMessaging | Send captured prompts to the local native host (which writes them to local SQLite). Customer-cloud-only deployment keeps captured data off AiEGIS Ltd cloud — data_residency property documented at /privacy.json + enforced via static-analysis gate check_outbound_endpoints.sh. |
webRequest | Observe outbound API calls to AI vendors (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com) for prompts that bypass the chat UI (e.g., direct API integrations). |
host_permissions | Inject content scripts on the 5 AI-vendor chat pages above. Each entry is necessary for a specific declared capture path. |
The extension shows a first-run consent dialog before any capture occurs. Capture is opt-in (administrator policy), and the user can disable enforcement via the popup at any time, even when policy-installed.
None. AiEGIS does not share captured data with OpenAI, Anthropic, Google, Microsoft, AiEGIS Ltd, or any other third party. The data lives on the customer's machine, end of pipeline.
Lawful basis: Article 6(1)(f) — legitimate interest. The customer (the data controller) has a legitimate interest in evidencing AI usage for regulatory compliance (EU AI Act Article 26 record-keeping obligations, ISO 42001 controls).
Data subjects' rights: Employees of customer organisations may request access, rectification, or deletion of records pertaining to them through their employer's compliance officer. AiEGIS Ltd does not have access to the customer's local database and cannot fulfill these requests directly — only the customer can.
AiEGIS Ltd retains zero captured prompt data — it never reaches us.
Captured data persists in the customer's local SQLite database
indefinitely, until the customer deletes it. The daemon does not
auto-prune or rotate the database; that decision sits with the customer
and their IT / DPO. A 90-day local-rotation policy is on our v0.4
roadmap as a configurable opt-in. Until then, retention is 100% under
customer control: the database file at
~/Library/Application Support/AiEGIS/captured.db (Mac),
%LOCALAPPDATA%\AiEGIS\captured.db (Windows), or
~/.local/share/AiEGIS/captured.db (Linux) is the
authoritative store.
When a license is revoked (admin action), the daemon stamps subsequent
events as license_revoked security events but does not
delete prior captures (Article 26 evidence retention). The customer
retains full local access to their database; AiEGIS Ltd has no access
before, during, or after revocation.
The aiegis.ie marketing site uses no third-party trackers, no advertising pixels, and no cross-site cookies. A single first-party session cookie is set on the admin dashboard for authentication only.
A machine-readable summary of this policy is published at
/.well-known/privacy.json
for enterprise procurement / DPIA tooling. The JSON document mirrors
this page's data-flow tables and is updated when this policy is revised.
/.well-known/privacy.json exposes the data-flow tables on this
page in a structured form (data_flows array, interception_model object,
data_flows_explicitly_NOT_PRESENT). Suitable for bulk import into CSA STAR /
Vanta / OneTrust workflows. A formal JSON Schema definition is on our v0.5
roadmap.
Material changes are announced 30 days in advance via email to the registered admin contact for each customer. The version number and effective date at the top of this page are authoritative.