Trust & Security

Driftless stores your team’s memory anchored to your code. This page is how we keep it safe — who processes your data, how long we keep it, and the controls behind it.

Security posture

  • Encryption in transit. All traffic to the API, dashboard and website is served over TLS, and the database connection is TLS-verified — the API refuses to start if the database certificate can’t be verified.
  • Encryption at rest. Data is stored on managed Postgres with at-rest encryption. Bring-your-own-model provider keys are additionally encrypted with AES-256-GCM before they touch the database.
  • Credentials are never stored in the clear. API keys, OAuth access and refresh tokens, authorization codes and client secrets are stored only as SHA-256 hashes — the raw value is shown to you once and never persisted.
  • Tenant isolation. Every request is scoped to a workspace, and membership is re-checked on each request — removing someone from a workspace revokes their access immediately.
  • Least-privilege agents. Automated agents cannot approve their own work — every change they propose stays a draft until a human reviews it, so an agent can never make an authoritative change on its own.
  • Standards-based auth. The MCP connector supports OAuth 2.1 with PKCE and dynamic client registration.
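To make the hash-only credential storage above concrete, here is an added example (illustrative code, not Driftless's own implementation) of issuing an API key, persisting only its SHA-256 digest, and resolving a presented key back to a workspace; the `dl_` prefix and the in-memory store are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class KeyStore:
    """Constructed stand-in for the credentials table.

    It maps a hex SHA-256 digest to a workspace id and never holds the
    raw key, so a dump of this store cannot be replayed against the API.
    """
    hashes: Dict[str, str] = field(default_factory=dict)


def hash_key(raw_key: str) -> str:
    """Digest used both at issuance and at lookup time."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(store: KeyStore, workspace_id: str) -> str:
    """Mint a random key, store only its digest, return the raw value once.

    The caller shows the raw key to the user a single time; after this
    function returns, nothing server-side can reproduce it.
    """
    raw_key = "dl_" + secrets.token_urlsafe(32)  # 256 bits of entropy
    store.hashes[hash_key(raw_key)] = workspace_id
    return raw_key


def lookup_key(store: KeyStore, presented: str) -> Optional[str]:
    """Resolve a presented key to its workspace.

    The lookup is an exact match on the digest, the same pattern as an
    indexed query on a hash column; no raw secret is ever compared.
    """
    return store.hashes.get(hash_key(presented))


def revoke_key(store: KeyStore, presented: str) -> bool:
    """Drop the digest so the key stops resolving; returns False if unknown."""
    return store.hashes.pop(hash_key(presented), None) is not None
```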

Subprocessors

We use a small set of trusted infrastructure providers to operate Driftless. Each processes only the data needed for its function.

  • Supabase — primary application database (all workspace and topic data). United States.
  • Render — API and background-job hosting. United States.
  • Vercel — website and dashboard hosting / CDN. Global edge.
  • Clerk — user authentication and identity (name, email, user id). United States.
  • Resend — transactional email (workspace invitations). United States.
  • PostHog — product analytics (usage events, pseudonymous user id).
  • GitHub — repository integration, only for workspaces that install the Driftless GitHub App (commit and pull-request metadata).
  • Model providers (e.g. Anthropic) — large-language-model inference for optional agent features. Used only when you enable an agent, and it processes the topic content sent for that task.

We update this list before adding a new subprocessor that handles personal data.

Data retention

  • Active data (workspaces, topics, anchors) is kept until you delete it.
  • Deleted data enters a 30-day recovery grace window, then is permanently removed.
  • Backups — the database is backed up automatically by our infrastructure provider.
  • Revoked OAuth tokens are purged 90 days after revocation.
  • Expired invitations are purged 30 days after expiry.
  • Account deletion removes your associated data within 30 days, except where we must retain records to meet a legal obligation.

Reporting a vulnerability

Email security@driftless.icu. We also publish a security.txt per RFC 9116. Please give us a reasonable window to remediate before public disclosure.

Privacy & terms

See our Privacy Policy for what we collect and your rights, and our Terms of Service for the agreement governing use of Driftless.