Legal

Transparency is core to our mission. Review our privacy practices, terms of service, and data processing commitments below.

Saluca LLC ("Saluca," "we," "us," or "our") is committed to protecting the privacy of individuals and organizations that use our products and services. This Privacy Policy explains how we collect, use, store, and share information when you interact with Tiresias, our AI security platform, including our website, dashboard, APIs, documentation, and related services (collectively, the "Service").

This policy applies to all users of the Service, whether you are using our free Community Tier or a paid subscription. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are

  • Legal Entity: Saluca LLC, a limited liability company organized under the laws of Delaware, United States.
  • Role: We act as the data controller for personal data collected through our websites, dashboard, and hosted services. We act as the data processor for customer data processed through the Tiresias API on behalf of our customers.
  • Data Protection Officer (DPO): privacy@saluca.com

2. Information We Collect

2.1 Information You Provide

| Category | Examples | Sensitivity Level |
|---|---|---|
| Account Information | Name, email address, organization name, role | L3 — Confidential |
| Authentication Credentials | Hashed passwords, API keys (hashed), OAuth tokens | L4 — Restricted |
| Billing Information | Payment method (via Stripe), billing address, invoice history | L3 — Confidential |
| Support Requests | Ticket content, attachments, communication history | L3 — Confidential |
| Communications | Emails, feedback, survey responses | L2 — Internal |

2.2 Information Collected Automatically

| Category | Examples | Sensitivity Level |
|---|---|---|
| Usage Analytics | API call counts, endpoint usage, error rates, latency metrics | L2 — Internal |
| Dashboard Session Data | Pages visited, features used, session duration | L2 — Internal |
| Server Logs | IP addresses, request timestamps, HTTP methods, response codes | L2 — Internal |
| Cookie Data | Session identifiers, preference settings | L2 — Internal |

2.3 What We Do NOT Collect

  • No API request content: We do not inspect, log, or store the content of API requests or responses passing through Tiresias. Your prompts, completions, and model interactions remain yours.
  • No prompts or completions: We never access, read, or retain the actual text of prompts sent to or completions received from AI models.
  • No ML training on customer data: We do not use any customer data, API traffic, or usage patterns to train machine learning models.
  • No selling of data: We do not sell, rent, or trade your personal information or customer data to any third party, under any circumstances.

3. How We Use Your Information

| Purpose | Legal Basis (GDPR Art. 6) | Data Used |
|---|---|---|
| Provide the Service | Performance of contract | Account info, auth credentials, usage analytics |
| Process payments | Performance of contract | Billing information |
| Transactional emails | Performance of contract | Account info |
| Support | Performance of contract | Account info, support requests |
| Monitor service health | Legitimate interest | Usage analytics, server logs |
| Improve the Service | Legitimate interest | Usage analytics, dashboard session data |
| Security and fraud prevention | Legitimate interest | Server logs, usage analytics, auth credentials |
| Legal compliance | Legal obligation | Account info, billing information |
| Marketing (opt-in only) | Consent | Account info, communications |

We do not engage in profiling or behavioral advertising. We do not build user profiles for the purpose of targeted advertising or sell access to behavioral data.

4. Data Residency and Storage

4.1 Dual-Region Architecture

We operate a dual-region infrastructure to serve customers globally while respecting data sovereignty requirements:

| Region | Location | Endpoint |
|---|---|---|
| United States | us-central1 | api.tiresias.network |
| European Union | europe-west1 | api-eu.tiresias.network |

Region assignment is determined by country at signup. Users in the EU, EEA, or UK are automatically routed to the EU region. The following countries are routed to the EU region: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom.

4.2 Cross-Border Transfers

Certain sub-processors may process data outside your designated region. Where data is transferred from the EU/EEA/UK to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Current cross-border sub-processors include:

  • Stripe — Payment processing (US-based, SCCs in place)
  • Email service provider — Transactional email delivery (SCCs in place)

4.3 Encryption

  • In transit: All data transmitted between you and our services is encrypted using TLS 1.2 or higher.
  • At rest: All stored data is encrypted using AES-256-GCM.
  • Bring Your Own Key (BYOK): Enterprise and Platform tier customers may supply their own encryption keys via Google Cloud KMS. When BYOK is enabled, Saluca cannot access the encrypted data without the customer's key.

5. Data Retention

| Data Category | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion |
| Authentication Credentials | Duration of account (deleted on account closure) |
| Billing Information | 7 years (tax and legal compliance) |
| Usage Analytics | Per tier: 30 days (Starter), 90 days (Pro), custom (Enterprise/Platform) |
| Dashboard Session Data | 90 days |
| Server Logs | 90 days |
| Support Requests | 2 years after resolution |
| Cookies | See Section 7 |

6. Data Sharing and Disclosure

6.1 Sub-Processors

We use a limited number of sub-processors to deliver the Service:

| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Google Cloud Platform (GCP) | Infrastructure hosting | All service data |
| Stripe | Payment processing | Billing information |
| Resend | Transactional email | Email address, name |

A complete list of sub-processors is maintained at tiresias.network/legal/sub-processors. Enterprise customers receive 30 days' notice before any sub-processor changes.

6.2 Legal and Compliance Disclosures

We may disclose information if required by law, regulation, legal process, or governmental request. We will notify you of such requests unless legally prohibited from doing so.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your personal information, as well as any choices you may have.

6.4 No Sale of Data

We do not sell personal information as defined under the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), or any other applicable privacy law. We do not share personal information for cross-context behavioral advertising.

7. Cookies and Tracking

7.1 Cookies We Use

| Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security | Session / 30 days |
| Functional | User preferences, language, theme | 1 year |
| Analytics | Aggregate usage statistics (no personal profiling) | 90 days |

7.2 What We Don't Use

  • No advertising cookies or ad network trackers
  • No tracking pixels or web beacons
  • No social media widgets or embedded trackers
  • No browser fingerprinting

7.3 Consent

Users in the EU, UK, and Canada are presented with a cookie consent banner on first visit. Strictly necessary cookies are set without consent as they are essential for the Service to function. Functional and analytics cookies require affirmative consent.

7.4 Do Not Track

We honor Do Not Track (DNT) signals sent by your browser. When a DNT signal is detected, we disable all non-essential cookies and analytics collection for that session.

8. Your Rights

8.1 GDPR Rights (EU/EEA/UK Residents)

If you are located in the EU, EEA, or UK, you have the following rights under the General Data Protection Regulation:

| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete personal data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Restriction | Request restriction of processing of your personal data |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest or direct marketing |
| Withdraw Consent | Withdraw consent at any time where processing is based on consent |
| Lodge Complaint | File a complaint with your local data protection authority |

We will respond to all rights requests within 30 days. To exercise any of these rights, contact us at privacy@saluca.com.

8.2 CCPA/CPRA Rights (California Residents)

California residents have the right to know what personal information is collected, disclosed, or sold; the right to delete personal information; the right to opt out of sale or sharing; and the right to non-discrimination for exercising privacy rights. As stated in Section 6.4, we do not sell personal information.

8.3 Other Jurisdictions

We also comply with the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). Residents of these states have similar rights to access, delete, and correct personal data, and to opt out of targeted advertising and profiling.

9. Security

We implement comprehensive security measures to protect your data:

  • Encryption: TLS 1.2+ in transit, AES-256-GCM at rest, BYOK for Enterprise/Platform tiers.
  • Access Controls: Role-based access control (RBAC) with principle of least privilege across all internal systems.
  • Authentication: Passwords are hashed using bcrypt. API keys are hashed using SHA-512. No plaintext credentials are stored.
  • Per-Tenant Isolation: Customer data is logically isolated at the database level. No cross-tenant data access is possible.
  • Audit Logging: All administrative actions, API key operations, and configuration changes are logged with immutable audit trails.
  • Incident Response: We maintain a documented incident response plan. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
  • Vulnerability Disclosure: We maintain a responsible disclosure program. Security researchers can report vulnerabilities to security@saluca.com.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at privacy@saluca.com.

11. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Policy

  • We will update the "Last Updated" date at the top of this policy when changes are made.
  • The current version of this policy is always available at tiresias.network/privacy.
  • For material changes, we will provide at least 30 days' notice via email to the address associated with your account.
  • For customers with a Data Processing Agreement, changes will be handled in accordance with the terms of that agreement.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, you can reach us at:

| Purpose | Contact |
|---|---|
| Privacy inquiries | privacy@saluca.com |
| Security concerns | security@saluca.com |
| General inquiries | info@saluca.com |
| Data Protection Officer | privacy@saluca.com |

Saluca LLC
A Delaware limited liability company

EU residents may also lodge a complaint with their local data protection authority. A list of EU DPAs is available at edpb.europa.eu.

Last updated: March 21, 2026

Version 1.0