Security overview
A short overview for security and procurement teams.
Data at capture
- Hashing — User and model content is hashed (e.g. SHA-256) at capture. We do not store or transmit raw content.
- No PII — We do not collect or store personally identifiable information. Behavioral signals (tool names, latency, outcome flags) are not PII.
Encryption
- In transit — TLS for all client–server and server–server communication.
- At rest — When data is stored in your environment (e.g. SQLite/Postgres), encryption at rest should be configured per your policy; when using our cloud, data at rest is encrypted.
Self-hosting
You can run the full Driftbase server and API inside your VPC. Data never leaves your network, and there is no dependency on our cloud. See the Self-hosting guide.
Access and compliance
We follow standard practices for access control, secrets management, and incident response. For a formal security questionnaire or DPA, contact us at security@driftbase.com.