Privacy Policy
Effective date: June 1, 2026
1. Who We Are
Verdicter, Inc. operates the Verdicter platform - a security platform for AI agents. This Policy explains what data we collect, how we use it, and your rights. “Platform” refers to the Verdicter web application, API, and all associated features (Enforce, Observe, Shield, Comply, Sandbox, and Identity).
2. Data We Collect
Account data
Email address, encrypted password (via Supabase Auth). We do not store passwords in plaintext.
Runtime enforcement data
Agent configurations (name, role, environment, permissions), policies (rules and conditions), and tool call logs (action type, payload, decision, risk score, timestamp). This data is stored in your Supabase project database, which is controlled by you.
Observe session data
Session identifiers, agent session metadata (call counts, average risk score, status), and associations between tool calls and sessions.
Shield scan data
An input preview (a truncated excerpt of the scanned input, up to approximately 200 characters), the scan result (clean, suspicious, or blocked), the detected threat type and confidence score, the matched rule pattern names, and the action taken. The full input is not stored. Input previews may contain fragments of agent prompts.
Comply report data
Report name, selected framework, date range, and aggregate statistics derived from your audit log (total evaluations, agent count, policy count, denied/escalated action counts). Individual payloads are not included in reports.
Sandbox data
Scenario names, descriptions, step definitions (action types and JSON payloads you define), and run results (per-step decision, risk score, pass/fail status).
Identity / credential data
Credential names, types, rotation intervals, expiry dates, and a value hint - the last four characters of the credential value, padded with bullet characters. The original secret value is processed transiently at creation time and is never stored in any Verdicter-controlled system. You cannot retrieve the original value through Verdicter.
Usage and analytics data
Standard server logs (IP address, user agent, request path, timestamp). We may use aggregate, anonymized usage statistics to understand how the platform is used.
3. How We Use Your Data
- To provide, operate, and improve the Verdicter platform.
- To evaluate agent actions through the policy engine in real time.
- To generate compliance reports from your audit data.
- To send transactional emails (account creation, API key creation, billing).
- To investigate security incidents or Terms of Service violations.
We do not use your agent payload data, prompt content, or Shield scan inputs to train machine learning models.
4. Data Storage and Location
Verdicter is built on Supabase. Your data resides in your own Supabase project, in the region you selected during setup. Verdicter does not have a separate copy of your runtime data outside your project. If you delete your Supabase project, all associated Verdicter data is permanently destroyed.
5. Data Retention
- Hobby: Tool call audit logs retained for 7 days.
- Pro: Tool call audit logs retained for 90 days.
- Enterprise: Configurable. Default unlimited.
Shield scan records, compliance reports, sandbox scenarios/runs, and credential records are retained until you delete them or delete your account.
6. Third-Party Services
We use Supabase for database and authentication services. Supabase may process your data in accordance with its own privacy policy. We do not share your data with other third parties for marketing or analytics purposes.
7. Security
Verdicter enforces row-level security (RLS) so that all data is scoped to your user account. API keys are stored as SHA-256 hashes only. Credential values are never stored. All data in transit is encrypted via TLS. We follow security best practices and conduct periodic reviews.
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and associated data.
- Object to or restrict certain processing.
- Obtain data portability (export of your data in a machine-readable format).
To exercise any of these rights, email privacy@verdicter.dev. We will respond within 30 days.
9. Cookies
Verdicter uses session cookies managed by Supabase Auth for authentication. We do not use third-party advertising or tracking cookies.
10. Children
Verdicter is not directed at individuals under 16. We do not knowingly collect personal data from children.
11. Changes to This Policy
We will notify you of material changes to this Policy by email and by posting an in-dashboard notice. The effective date at the top of this page reflects the most recent revision.
12. Contact
Questions or privacy requests: privacy@verdicter.dev