We store data,
we explain why.
Here's exactly what we store for the open-source scanner, for how long, and how it is used, with no buried clauses.
- 01, What we collect (open-source scanner)
- 02, Where we store it
- 03, How long
- 04, What we do not touch
- 05, AWS access
- 06, Design Partner Platform, Privacy
- 07, Your rights
- 08, Contact
01What we collect (open-source scanner)
Scan input: Your IAM Role ARN, ExternalId, and organization name. These are required to perform the scan and label the report.
Evidence data: AWS API responses collected during the scan, IAM configuration, CloudTrail settings, S3 bucket metadata, VPC configuration, and similar infrastructure metadata. This is infrastructure metadata, not your application data, customer data, or secret values.
Report content: The analyzer output, findings, gap scores, and remediation recommendations derived from the evidence.
Edits: If you mark findings as resolved or edit finding text in the workspace, those edits are stored so they persist across sessions.
02Where we store it
Open-source scanner data is stored in Cloudflare's infrastructure: Cloudflare D1 (SQLite at the edge) for scan metadata, evidence, and analysis; Cloudflare R2 for HTML and JSON report files.
Cloudflare's data center locations are governed by their privacy terms. At pilot stage we do not offer a separate data processing agreement. If this is a blocker for your organization, contact us before scanning.
We do not use third-party analytics, session replay, or advertising networks. The primary third parties involved in processing a paid report are Stripe for payments, and the hosted reasoning provider if you opt into hosted analysis.
03How long
| Data type | Retention |
|---|---|
| Raw evidence data | 30 days from scan date, then automatic deletion |
| Generated report (HTML + JSON) | 30 days from generation, then automatic deletion |
| Scan metadata (org name, ARN, scores) | 30 days, then automatic deletion |
| Finding edits / resolved marks | 30 days, deleted with scan |
| Payment records | As required by Stripe and tax regulations (typically 7 years) |
You can delete your scan data instantly using the "Delete all my scan data" button on your scan page. If you have lost access to the scan page, email mehta.arja@northeastern.edu with your scan ID for assistance.
04What we do not touch
- Application data, database contents, S3 object contents, or file contents of any kind
- Customer data, anything your application stores about your users
- Secret values, Secrets Manager secret values, SSM Parameter Store values, and environment variables
- Code, repository contents, Lambda function code, or container images
- Financial data, billing records, cost data, or payment methods
The CloudFormation template we provide denies access to secret values and grants read permissions on configuration metadata only. You can inspect the template before deploying it.
05AWS access
Access is via STS AssumeRole with your ExternalId. Credentials are session-scoped (1 hour TTL) and are not stored. The Worker assumes the role, runs the scan, and the session expires. There is no mechanism to access your account again without a new ExternalId.
The IAM role our CloudFormation deploys is scoped to SecurityAudit and ReadOnlyAccess managed policies, with explicit denies around secret values. You can delete the role after receiving your report, it is not required to persist.
All API calls use TLS 1.3 and are SigV4-signed.
06Design Partner Platform, Privacy
The Design Partner paid platform is account-based and offers persistent org workspaces, longer retention options, and additional services. For Design Partner access, your AWS account is accessed via a read-only IAM role with an ExternalId you generate. We read resource configurations; we do not write, modify, or delete anything in your account. AWS credential values are never stored, not even temporarily.
Evidence data for the paid platform is stored in an isolated, org-scoped workspace. Evidence is not shared across organizations. The AI Analyst (Gideon) receives only an anonymized summary of findings for the duration of a session, without account IDs, ARNs, or raw evidence. That session context is discarded when the session ends. We do not sell, share, or train on your data.
07Your rights
- Access: Email us with your scan ID and we'll provide a full export of your stored data.
- Deletion: Email us with your scan ID for early deletion. Data auto-deletes at 30 days otherwise.
- Correction: If your org name or other metadata is wrong, we can correct it.
- Portability: The JSON report package is a complete export of your scan data. Download it from the workspace.
We do not sell data. We share with third parties only when necessary to operate the service, for example Stripe for payment processing. Hosted analysis calls are limited to anonymized summaries when used.
08Contact
Questions, deletion requests, or anything unclear: Book a meeting. Response within 48 hours on weekdays.