
Security & privacy

How we think about your data

This page summarizes practices and expectations for the product as shipped from this repository. It is not a substitute for your organization's procurement review, DPA, or legal counsel.

  • Accounts and organizations

    Workspace data is scoped to organizations and memberships. API keys and automation hooks inherit those boundaries on the server.

  • Crawling and scan artifacts

    Scans process publicly reachable content you configure (or submit for instant scans). When S3-compatible object storage is configured, verification screenshots are stored as object keys; otherwise they are kept as inline JPEG data on snapshot rows (larger database footprint). Retention and export behavior follow your plan and in-app settings for this deployment.

  • AI and third-party models

    When enabled, draft assist may send bounded context to configured model providers per your operator's environment. Review queues exist so suggestions are not silent production changes.

  • Reporting issues

    For security-sensitive reports, contact your deployment operator through the channel they publish for this instance. We do not publish a global vulnerability disclosure SLA here because hosted deployments may differ.

Why we ship this page: buyers and security teams need a straight description of scope—not marketing claims dressed as certifications.