AtalayaAtalaya

← Back to site

Privacy & data handling

Atalaya is privacy-first by design: every flow of data outside your organization is an EXPLICIT operator decision, never a default. This page summarizes exactly what is processed, where and when.

What is processed and where

Data / operationWhere it is processedDoes it leave your org?
Email parsing, heuristic rules, scoring, QR decoding, reportsLocal (Atalaya server)No
IOCs: URLs, domains, public IPs, SHA256 hashesExternal threat intelligence feedsOnly if you enable “Enrich”
Email headers + body (truncated) + your org contextAI model (LLM)Only if you enable “AI”
Following a link (HTTP request to the destination)The link's destination serverYes — the destination is contacted, with an SSRF guard
Organization profile (domains, key people, vendors, rules)Backend storeNot shared; used only for your analyses
Email body via enrichmentNEVER through this path

Retention

What we NEVER do

Subprocessors (by category)

Atalaya relies on external providers for hosting, storage and enrichment. The full named list is available on request and in the Data Processing Agreement (DPA).

Hosting / computeCloud provider (EU region) running the application.
Key-value storeQuota, cache and history (no email content).
Threat intelligence feedsURL/domain/IP/hash reputation — they only receive IOCs.
AI model provider (LLM)Assisted verdict — only when you enable “AI”.

On-premise / air-gapped mode

For regulated environments (ENS, public sector, banking) Atalaya can be deployed on-premise. Local analysis (parsing, rules, scoring, QR) works WITHOUT any external service: enrichment and AI are simply disabled. Available via Docker container.

Contact

For the DPA, the named subprocessor list or any privacy query: contact@alexfernandezlab.com