01 — What we collect

When you book a demo or engage in a pilot, we collect the minimum we need to talk to you and run the scan: your name, work email, and company name. That's the account-level data.

During a pilot, the Evidence Tracer agent connects to your AWS account via a read-only IAM role. It collects infrastructure configuration metadata from a defined set of AWS services (IAM, S3, CloudTrail, AWS Config, EC2, CloudWatch, KMS, Lambda, RDS, SNS) — things like whether MFA is enforced, whether buckets are encrypted, whether CloudTrail is multi-region. That's the evidence data.

The report that gets generated from that evidence is also stored, alongside the raw API responses it traces to — so every finding remains independently verifiable.

02 — Where we store it

Evidence data lives in Cloudflare D1, a SQLite-compatible edge database. The scan itself runs as a stateless Cloudflare Worker: compute happens at the edge, and data is written to D1 only for as long as the pilot lifecycle requires it.

— To be clear
We do not run "zero persistence" infrastructure — we've seen that claim made and it's rarely true. What we do is scope persistence tightly: only what's needed to generate the report and support you during the engagement.

Account-level data (name, email, company) is stored separately from evidence data and is retained for standard business communications.

03 — How long we keep it

— Evidence data
  30 days after report delivery
  Raw AWS API responses, scan state, intermediate analysis artifacts
— Final report
  30 days after report delivery
  The auditor-facing package. Can be extended on request.
— Account data
  Standard business retention
  Name, email, company name — kept for communications and billing history
— On your request
  Deleted — any time
  One email. We confirm in writing once it's done.

We chose 30 days because it gives you a buffer for auditor follow-up questions and report iteration without holding onto data longer than necessary. If you need us to delete sooner, say the word. If you need us to retain longer for a live auditor engagement, that's a decision we make together in writing.

04 — What we never touch

The IAM role you provision grants read-only permissions scoped to configuration metadata. By design, we cannot access:

  • Application data — the contents of your databases, caches, or application layer
  • Customer data — anything stored on behalf of your end users
  • Secrets or credentials — we don't read the contents of Secrets Manager, Parameter Store secure strings, or KMS-encrypted payloads
  • File contents — we can see that an S3 bucket exists and how it's configured; we never read objects inside it
  • Write permissions — the role is read-only at the IAM-policy level. We couldn't modify your account even if we wanted to
— What read-only means in practice
We call APIs like iam:GetAccountSummary, s3:GetBucketEncryption, cloudtrail:DescribeTrails. We never call s3:GetObject, secretsmanager:GetSecretValue, or anything that exposes payloads. The role you deploy enforces this at the AWS policy layer — not our honor system.

05 — How AWS access works

The agent uses AWS STS AssumeRole with an ExternalId trust anchor. You provision a read-only role in your own AWS account using a CloudFormation template we provide; the trust policy names our principal, and the ExternalId prevents confused-deputy attacks.

We don't store long-lived AWS credentials. Ever. Each scan requests short-lived session credentials from STS, uses them for the scan duration, and discards them. If you revoke the role — at any time, for any reason — all access ends immediately.

AWS API requests are signed with AWS Signature Version 4 and transmitted over TLS 1.3. Responses are processed at Cloudflare's edge and written to D1 for the duration of the retention window above.
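
A check you can run against the role's trust policy and permissions policy before deploying it, covering the read-only scope in section 04 and the ExternalId requirement in section 05. This is an added example, not the vendor's CloudFormation template or code; the account id, ExternalId and both policy documents are constructed placeholders.

```python
import fnmatch
import json
# Constructed sample documents for illustration; the account id and
# ExternalId are placeholders, not the vendor's real template values.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}}
  }]
}""")

PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:GetAccountSummary", "s3:GetBucketEncryption", "cloudtrail:DescribeTrails"],
    "Resource": "*"
  }]
}""")
# Actions that return payloads rather than configuration metadata
# (lower-cased because IAM matches action names case-insensitively).
PAYLOAD_ACTIONS = ["s3:getobject", "secretsmanager:getsecretvalue",
                   "ssm:getparameter", "kms:decrypt"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def assume_role_requires_external_id(trust_policy):
    """True only if every Allow for sts:AssumeRole pins sts:ExternalId."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return True

def allowed_payload_actions(permissions_policy):
    """Payload-exposing actions an Allow statement would grant (wildcards expanded)."""
    hits = set()
    for stmt in permissions_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            hits.update(a for a in PAYLOAD_ACTIONS if fnmatch.fnmatchcase(a, pattern.lower()))
    return sorted(hits)
```

A permissions policy that grants `s3:*` or `*` shows up here as allowing `s3:getobject`, which is exactly the payload access the role is supposed to rule out.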

06 — Your rights

  • Access — request a copy of everything we hold on you or your company
  • Deletion — request permanent deletion of all evidence data, reports, and account records
  • Correction — request changes to inaccurate account-level data
  • Portability — request your data in a standard format
  • Revocation — revoke the IAM role in your AWS account at any time; access ends immediately

We do not sell your information. We do not share it with third parties for marketing. We use standard subprocessors for infrastructure (Cloudflare for compute and storage, Anthropic for AI reasoning) and those are the only parties in the data path. If that list changes, we update this page.

07 — Contact

Questions, deletion requests, or anything you want clarified — email directly or book a call.