Security and Data Handling
This page is the current operator-facing data-handling statement for Annotate pilots. Counsel-review buyer artifacts are available at /legal.
Storage region
API and SQLite volume run on Railway US East. Dashboard and landing are served by Cloudflare Pages.
API and SQLite volume run on Railway US East. Dashboard and landing are served by Cloudflare Pages.
Training
AI triage uses the configured platform provider or project BYO Anthropic/OpenAI key only when triggered. Provider inputs are redacted before submission.
AI triage uses the configured platform provider or project BYO Anthropic/OpenAI key only when triggered. Provider inputs are redacted before submission.
Deletion and retention
Report deletion removes the report row and cascaded diagnostics; owners can set per-project retention days and run purge jobs.
Report deletion removes the report row and cascaded diagnostics; owners can set per-project retention days and run purge jobs.
Secrets
GitHub tokens, Slack webhooks, and project BYO AI keys are encrypted at rest when
GitHub tokens, Slack webhooks, and project BYO AI keys are encrypted at rest when
SECRET_ENCRYPTION_KEY is configured; older stored integrations are flagged for customer rotation until resaved.Audit trail
Admins can review project, report, integration, export, screenshot, retention, and AI-triage events through
Admins can review project, report, integration, export, screenshot, retention, and AI-triage events through
GET /audit-logs.MCP access
POST /mcp requires a dashboard JWT, scopes every tool to the caller's projects, redacts diagnostic output, exposes canonical QA tasks through annotate_list_qa_tasks and annotate_get_qa_task, and audits configured live external side effects.Backup posture
Production supports Litestream restore-on-boot and continuous SQLite replication when
Production supports Litestream restore-on-boot and continuous SQLite replication when
LITESTREAM_REPLICA_URL is configured.Buyer packet
- Data Processing Addendum draft
- Business Associate Agreement draft
- SOC 2 readiness statement
- Data residency and subprocessors
- Backup, RPO, and RTO runbook
- Legacy integration secret rotation
Privacy controls available in the widget
privacy.requireConsentprompts before screenshot/report capture.privacy.sensitiveSelectormasks matching elements before screenshots are taken.- Console, network, and session recording are opt-in and can be disabled per install.
- Screenshots are private and served only through authenticated report routes.
Current limitations
- SOC 2 Type II and custom residency are not yet available from the shared production deployment.
- Retention purge runs are owner/API-triggered today; operators should schedule them until managed background jobs are added.
- Regulated deployments should use privacy-first widget settings and complete a security review before production rollout.