Privacy architecture
Privacy is built into the platform, not bolted on as a disclaimer. This page explains, in plain language, the data we store and why, how long we keep it, how we minimise what we collect, how aggregate analytics are kept non-identifying, and how a tenant can export or erase a person's data. For the legal handling statement, see the privacy policy.
The short version
Every category of data we persist has a documented purpose and a default retention window. Telemetry is aggregate and minimised — there is no raw telemetry lake. Aggregate analytics below a minimum cohort size are suppressed. Tenant administrators can export and erase the records a tenant controls, and we tell you exactly what is erased and what is retained under a legal obligation.
Data classes
We keep an explicit internal data map that inventories every stored category, its processing purpose, and its default retention. Each category is classified so the right handling rules apply:
| Class | What it covers |
|---|---|
| Identifier | Account, profile, membership, and provisioned-directory records that identify a person. |
| Credential | Authenticators and key material (passkeys, MFA methods, device credentials, data-protection keys). |
| Ephemeral | Short-lived single-use artifacts (challenges, proof nonces, reset tokens) that expire quickly. |
| Operational | Configuration and relationship data (sessions, grants, authorization, applications, device lifecycle). |
| Telemetry | Minimised posture and usage signals, kept aggregate wherever possible. |
| Audit | Security and compliance event log, retained under obligation. |
| Commercial | Billing, licensing, and subscription records. |
Configurable retention
Each category has a default retention window, configurable per deployment. A background purge worker enforces the windows once an operator enables it for the environment, so retention is a deliberate, reviewable setting rather than an accident of how long a table grows. Representative defaults:
| Category | Default window |
|---|---|
| Ephemeral security artifacts (challenges, nonces, reset tokens) | Purged shortly after expiry |
| Expired sessions and OAuth grants | 30 days |
| Device posture & attestation telemetry | 90 days |
| Aggregate usage telemetry | 90 days |
| Audit events | Retained for compliance (may be held longer under legal obligation) |
Identifiers, credentials, configuration, authorization, and billing records are kept for the lifetime of the owning account, tenant, or subscription and are removed through the data-subject erasure flow below (or retained where a legal obligation applies) — they are not subject to a time-based purge.
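The retention rules above, expressed as a small purge worker. This is an added illustration, not the platform's own worker; the category names, the `Record` shape and the sample records are constructed for the example, and the windows follow the table above (ephemeral purged once its own expiry has passed, audit and lifetime classes exempt from time-based purge).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Default windows in days, following the retention table above. None marks a
# category that is never time-purged (lifetime records and audit). Ephemeral
# artifacts are purged as soon as their own expiry has passed (window 0).
RETENTION_DAYS: dict[str, Optional[int]] = {
    "ephemeral": 0, "expired_session": 30, "oauth_grant": 30,
    "posture_telemetry": 90, "usage_telemetry": 90,
    "audit": None, "identifier": None, "credential": None,
}

@dataclass
class Record:
    category: str
    aged_from: datetime  # expiry (ephemeral) or end-of-life instant (others)

def purge_cutoff(category: str, now: datetime) -> Optional[datetime]:
    """Instant before which this category may be purged; None if exempt.
    Unknown categories raise KeyError on purpose: every category must be mapped."""
    days = RETENTION_DAYS[category]
    return None if days is None else now - timedelta(days=days)

def purge_worker(records: list[Record], now: datetime, enabled: bool = True):
    """Return (kept, purged). With enabled=False nothing is purged, matching an
    environment where the operator has not switched the worker on yet."""
    if not enabled:
        return list(records), []
    kept, purged = [], []
    for r in records:
        cutoff = purge_cutoff(r.category, now)
        (purged if cutoff is not None and r.aged_from < cutoff else kept).append(r)
    return kept, purged

# Constructed sample set (hypothetical values), evaluated at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("ephemeral", NOW - timedelta(minutes=1)),       # expired: purge
    Record("expired_session", NOW - timedelta(days=31)),   # past 30 d: purge
    Record("expired_session", NOW - timedelta(days=29)),   # inside window: keep
    Record("usage_telemetry", NOW - timedelta(days=91)),   # past 90 d: purge
    Record("audit", NOW - timedelta(days=3650)),           # obligation: keep
    Record("credential", NOW - timedelta(days=3650)),      # lifetime: keep
]

def run_demo(enabled: bool = True) -> dict[str, list[str]]:
    kept, purged = purge_worker(SAMPLE, NOW, enabled)
    return {"kept": [r.category for r in kept], "purged": [r.category for r in purged]}
```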
Data minimisation
We collect the minimum needed to operate the service and avoid building a separate raw-telemetry pipeline:
- No raw user-level activity exports, raw IP/geolocation, browsing history, or session replay.
- No raw device hardware fingerprints beyond the device-trust lifecycle records required for activation and licensing.
- Compatibility analytics store normalised route templates, not raw request paths.
- No token material, secrets, key contents, or customer business payloads are captured as telemetry.
- Operational analytics are derived from records already required for trust and licensing rather than from new endpoint collection.
Aggregate-analytics suppression
Organisation analytics publish bounded aggregates only. A metric whose underlying count is below the configured minimum cohort size (default 5) is suppressed rather than published, so small groups cannot be re-identified from an aggregate. A bounded differential-privacy mode exists as an off-by-default pilot for approved aggregate counts; there is no per-user risk score, raw telemetry lake, or cross-tenant data pooling. See the privacy-preserving analytics guide for the full boundary.
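The minimum-cohort rule in code, as an added example that is not the platform's analytics implementation. It goes one step beyond the page: when a breakdown is published next to its total and only one cohort is suppressed, that cohort could be recovered by subtraction, so the example also suppresses the smallest published cohort (complementary suppression, an assumption added here). The sample breakdown is constructed.

```python
from typing import Optional

MIN_COHORT = 5  # the default minimum cohort size named on this page

def publish_breakdown(counts: dict[str, int], min_cohort: int = MIN_COHORT) -> dict:
    """Build the publishable view of a per-cohort count breakdown.

    Cohorts below min_cohort are suppressed (reported as None). Because the
    total is published alongside, a single suppressed cohort would be
    recoverable by subtraction, so when exactly one cohort is suppressed the
    smallest published cohort is suppressed too. A total below the minimum is
    itself suppressed. (Complementary suppression is an assumption added in
    this example; the page states only the minimum-cohort rule.)
    """
    total = sum(counts.values())
    view: dict[str, Optional[int]] = {
        k: (v if v >= min_cohort else None) for k, v in counts.items()
    }
    suppressed = [k for k, v in view.items() if v is None]
    if len(suppressed) == 1:
        published = [k for k, v in view.items() if v is not None]
        if published:
            smallest = min(published, key=lambda k: counts[k])
            view[smallest] = None
            suppressed.append(smallest)
    return {
        "total": total if total >= min_cohort else None,
        "cohorts": view,
        "suppressed": sorted(suppressed),
    }

# Constructed sample: a metric broken down by department (hypothetical counts).
SAMPLE = {"engineering": 42, "sales": 17, "finance": 9, "legal": 3}
```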
Data-subject access & erasure
A tenant administrator can export and erase the data a tenant controls for a given person — the records tied to that person's memberships in the tenant's organisations, not the person's global account, which may span tenants. Both operations are scoped to the tenant, gated by tenant-administration authorisation, and recorded as audit events.
- Export collects the person's tenant-scoped records into a portable artifact.
- Erase removes the person's tenant-scoped records and reports, per category, what was erased and what was retained.
- Retained by obligation: security and compliance audit events are retained — not erased — and the erasure report states this explicitly with the reason, so an obligation is never silently dropped.
Coverage is provided per category behind a common interface and expands over time; initial automated coverage includes membership profiles (erased) and audit (retained under obligation). Categories without automated coverage are reflected honestly in the erasure report rather than assumed handled.
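The per-category erasure interface and its report, as an added example rather than the platform's own code. It assumes an in-memory store keyed by tenant and subject (constructed data), a handler per covered category, and a data-map list that includes categories without a handler so they are reported as not covered instead of assumed handled; audit is retained with its reason, and the operation is refused without tenant-administration authorisation.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class CategoryResult:
    category: str
    status: str      # "erased" | "retained" | "not_covered"
    reason: str
    records: int = 0

# A handler erases (or deliberately retains) one category of a subject's
# tenant-scoped records and reports what it did: (tenant_id, subject_id) -> result.
Handler = Callable[[str, str], CategoryResult]

# Constructed in-memory store keyed by (tenant, subject); hypothetical counts.
# user-1 belongs to two tenants, so erasure in tenant-a must leave tenant-b alone.
MEMBERSHIPS = {("tenant-a", "user-1"): 2, ("tenant-b", "user-1"): 1}
AUDIT_EVENTS = {("tenant-a", "user-1"): 40}

def erase_membership_profiles(tenant: str, subject: str) -> CategoryResult:
    n = MEMBERSHIPS.pop((tenant, subject), 0)
    return CategoryResult("membership_profiles", "erased", "tenant-scoped records deleted", n)

def retain_audit(tenant: str, subject: str) -> CategoryResult:
    n = AUDIT_EVENTS.get((tenant, subject), 0)   # counted, never deleted
    return CategoryResult("audit", "retained", "security and compliance obligation", n)

HANDLERS: dict[str, Handler] = {
    "membership_profiles": erase_membership_profiles,
    "audit": retain_audit,
}
# Every category in the data map is listed, even those without a handler yet,
# so the report can say "not covered" instead of silently skipping them.
DATA_MAP_CATEGORIES = ["membership_profiles", "audit", "credential", "telemetry"]

def erase_subject(tenant: str, subject: str, actor_is_tenant_admin: bool) -> dict:
    """Run every category handler for one subject within one tenant and return
    the erasure report together with the audit event that records the action."""
    if not actor_is_tenant_admin:
        raise PermissionError("tenant-administration authorisation required")
    results = []
    for category in DATA_MAP_CATEGORIES:
        handler = HANDLERS.get(category)
        results.append(handler(tenant, subject) if handler else CategoryResult(
            category, "not_covered", "no automated coverage yet; not assumed handled"))
    audit_event = {"type": "data_subject.erase", "tenant": tenant, "subject": subject,
                   "outcome": {r.category: r.status for r in results}}
    return {"tenant": tenant, "subject": subject, "results": results, "audit_event": audit_event}
```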
Where to go next
For deployment, isolation, and readiness posture see the Trust Center; for the legal handling statement see the privacy policy; to report a concern see security & disclosure.