Security and Data Handling
This page is the current operator-facing data-handling statement for Annotate pilots. Counsel-review buyer artifacts are available at /legal.
Storage region
API and SQLite volume run on Railway US East. Dashboard and landing are served by Cloudflare Pages.
Training
AI triage uses Anthropic API. API inputs are not used by Anthropic to train models.
Deletion and retention
Report deletion removes the report row and cascaded diagnostics; owners can set per-project retention days and run purge jobs.
Secrets
GitHub tokens and Slack webhooks are encrypted at rest when SECRET_ENCRYPTION_KEY is configured; older stored integrations are flagged for customer rotation until resaved.
Audit trail
Admins can review project, report, integration, export, screenshot, retention, and AI-triage events through GET /audit-logs.
Backup posture
Production supports Litestream restore-on-boot and continuous SQLite replication when LITESTREAM_REPLICA_URL is configured.
Buyer packet
- Data Processing Addendum draft
- Business Associate Agreement draft
- SOC 2 readiness statement
- Data residency and subprocessors
- Backup, RPO, and RTO runbook
- Legacy integration secret rotation
Privacy controls available in the widget
- privacy.requireConsent prompts before screenshot/report capture.
- privacy.sensitiveSelector masks matching elements before screenshots are taken.
- Console, network, and session recording are opt-in and can be disabled per install.
- Screenshots are private and served only through authenticated report routes.
Current limitations
- SOC 2 Type II and custom residency are not yet available from the shared production deployment.
- Retention purge runs are owner/API-triggered today; operators should schedule them until managed background jobs are added.
- Regulated deployments should use privacy-first widget settings and complete a security review before production rollout.