Security and trust

Where your data goes, and what we have and haven't certified yet

OpenAdapt is built to run where your data already lives. This page states our posture plainly: what is in place today, what is underway, and what is still just planned. If a badge is not here, we do not have it yet.

Local browser execution is availableIn place

Recordings, compiled bundles, and replays remain local by default. Treat every compiled bundle as sensitive: it can contain screenshots, typed values, and literal identity evidence. Remote upload accepts only the manifest-bound sanitized derivative admitted by destination policy.

No AI calls on a normal runIn place

Healthy replay makes zero model calls. Deterministic structure, template, OCR, and geometry evidence runs before any optional model. If a remote model endpoint is configured, relevant screenshots or crops can cross that endpoint boundary; running the model on-premises is possible but must be deployed and verified by the operator.

Audit trail on every runIn place

Every replay writes a step-by-step report. The machine-readable report can contain sensitive parameters and identity evidence, and reports are not cryptographically signed or append-only by default. Treat them as sensitive operational artifacts, not an immutable audit ledger.

Sanitized derivatives for artifact uploadIn place

A local sanitizer inventories and transforms a copy, rescans it, records coverage and unresolved findings, and hashes the result. Policy can require a person to review the derivative locally and approve that exact hash. Unknown or unresolved content is refused. The raw original remains sensitive and local.

Challenge-bound hosted bundle admissionIn place

A runnable hosted bundle also needs an operator attestation over its exact approved recording and bundle hashes, compiler provenance, strict lint, policy certification, derived risk class, and successful matching replay report. Cloud verifies deployment allowlists and consumes a one-time challenge when the exact bundle is accepted.

Open source and auditableIn place

The engine is MIT-licensed. You can read the code, run it yourself, and verify these claims rather than take them on trust.

SOC 2Not held

OpenAdapt does not hold a SOC 2 attestation today. Architecture and source code are not substitutes for an independent report.

BAA (Business Associate Agreement)Not held

We do not run a standing BAA program today. If an enterprise pilot requires a BAA, talk to us and we will scope it as part of the engagement. We would rather tell you this up front than imply a program we have not stood up.

Data boundary

Questions a security review should answer first

Which components see screenshots?
The recorder captures frames; compilation extracts visual evidence; replay captures live frames for resolution and postconditions; run artifacts may preserve evidence. These paths execute locally on the shipped browser backend.
What can transmit them?
Local healthy replay does not transmit screenshots. An explicitly configured remote model can receive relevant screenshots or crops. Hosted upload accepts the sanitized derivative bound to its reviewed manifest hash, not the local original. Runtime screenshots can reintroduce sensitive data and follow the destination policy of the declared trusted execution boundary.
Where are secrets and PHI?
Password and declared secret fields are injected at replay rather than written to the recording. Other screenshots, typed values, identity strings, compiled bundles, and machine-readable reports may contain PHI or PII and require customer-controlled storage and retention. Do not infer that compilation de-identifies a workflow.
What does break reporting send?
report-break parses the local run report, scrubs it fail-closed, and sends a PHI-minimized break descriptor. It does not upload the recording or compiled bundle. If the control plane rejects the descriptor at the PHI boundary, the client retries with harder scrubbing and then falls back to local-only.
What cryptographic guarantees exist?
Bundles and durable checkpoints support optional AES-256-GCM encryption at rest. Hosted validation uses an ingest-token HMAC to detect mutation and bind evidence hashes to a one-time organization/token challenge and exact bundle upload. Individual run reports are not a signed, append-only audit ledger by default; no claim of tamper-proof audit history is made.
Is hosted validation an independent certification?
No. validate-hosted is operator self-attestation: the ingest-token holder signs hashes over local lint, policy, provenance, and replay evidence. Cloud checks exact bindings, freshness, its policy and risk-class allowlists, the deployed compiler-version allowlist, and one-time challenge consumption, but it did not witness the local replay. Independent certification requires a separately controlled evaluator, evidence custody, and signing identity.
Does Cloud independently witness local sanitation review?
No. Cloud accounts for every accepted archive byte and verifies the manifest, exact artifact hash, and submitting ingest token. It does not observe the loopback viewer or rerun OCR/NER. The recorded approval is operator attestation; reviewer identity, separation of duties, and evidence custody remain deployment controls.
Can managed execution reach private-network targets?
No. Managed browser admission requires public DNS names. Literal IPs, special-use names, and wildcards are refused; the runner resolves each admitted name again and refuses private, loopback, link-local, reserved, or otherwise non-global answers before constructing the sandbox egress allowlist.
What is the regulated deployment product?
Regulated workflows run in a declared customer-controlled boundary when their live screens necessarily expose PHI. Sanitized authoring derivatives and minimized control-plane metadata may cross an approved boundary; PHI-bearing runtime frames do not. Deployment scope records the substrate, operators, effect oracle, storage, update, retention, support, and legal controls.

The engine documents its artifact-by-artifact boundary in the public privacy threat model.

PHI sanitation

Scrubbing creates a reviewable derivative

Scrubbing is not a boolean claim attached to a bundle. It is a local transformation and approval protocol. The raw source never becomes safe merely because a derivative exists, and a sanitized recording does not prevent live PHI from appearing during execution.

Sanitation and runnability are separate gates. Register the approved recording derivative, compile it locally, pass strict lint and policy certification, and produce a successful matching replay report. Then sanitize, review, and approve a bundle whose execution-bearing content is unchanged. If recording sanitation changed execution content, hosted ingest marks it needs_parameterization; parameterize before compilation.

1

Inventory

Enumerate every file and channel. Symlinks, archives, databases, media, metadata, and unknown types require an explicit handler or the operation stops.

2

Transform a copy

Keep the sensitive original local. Redact or parameterize supported text, structured records, screenshots, and metadata in a separate derivative.

3

Rescan and manifest

Scan the derivative again, record tool and policy versions, list unresolved findings, and compute a cryptographic hash over the exact result.

4

Review and approve

When policy requires it, inspect the derivative locally, correct missed or excessive redactions, then approve its hash. Any later modification invalidates approval.

Review policyBest fitTradeoff
AutomaticLowest friction for schema-minimized diagnostics with complete handler coverage.A detector false negative can cross the boundary.
Human requiredAdds contextual review for screenshots, free text, and consequential artifacts.Costs operator time and human approval is not proof of de-identification.
Risk-based hybridAutomatic for narrow diagnostics; review required for recordings and bundles unless an administrator approves a measured policy.Requires explicit artifact classes, thresholds, and audit configuration.

The launch default is the risk-based hybrid: minimized diagnostics can be automatic; recordings and bundles require review unless an administrator explicitly adopts an automatic policy with complete type coverage.

Hosted runtime gate

Approval, validation, and certification are different

The cross-engine sequence is recording sanitize → review → approve → push; local compile → strict lint → certify → successful replay; bundle sanitize → review → approve; then validate-hosted → attested bundle push → configure → run. The validation envelope binds exact artifact hashes, compiler and parameter-schema provenance, the exact non-PHI HTTPS entry URL, target boundary, and actual replay origin, lint/certification and report hashes, the derived low or consequential risk class, and a fresh one-time challenge. Cloud additionally requires exact policy, risk-class, and deployed compiler-version allowlist membership.

This is operator self-attestation, not third-party certification. It proves that the token holder signed a non-mutated evidence envelope; it does not prove an independent party witnessed the replay or that the workflow is universally safe.

Run the exact hosted validation sequence →

Report a vulnerability

If you have found a security issue, please report it privately so we can fix it before it is disclosed. The fastest path is GitHub's private vulnerability reporting on the repository. You can also email us with “Security” in the subject line. Please do not open a public issue for a suspected vulnerability.

Reviewing OpenAdapt for a regulated deployment?

We are glad to walk your security team through the architecture and answer the hard questions. Bring your requirements and we will tell you what we can and can't meet today.