1
Inventory
Enumerate every file and channel. Symlinks, archives, databases, media, metadata, and unknown types require an explicit handler or the operation stops.
Security and trust
OpenAdapt is built to run where your data already lives. This page states our posture plainly: what is in place today, what is underway, and what is still just planned. If a badge is not here, we do not have it yet.
Recordings, compiled bundles, and replays remain local by default. Treat every compiled bundle as sensitive: it can contain screenshots, typed values, and literal identity evidence. Remote upload accepts only the manifest-bound sanitized derivative admitted by destination policy.
Healthy replay makes zero model calls. Deterministic structure, template, OCR, and geometry evidence runs before any optional model. If a remote model endpoint is configured, relevant screenshots or crops can cross that endpoint boundary; running the model on-premises is possible but must be deployed and verified by the operator.
Every replay writes a step-by-step report. The machine-readable report can contain sensitive parameters and identity evidence, and reports are not cryptographically signed or append-only by default. Treat them as sensitive operational artifacts, not an immutable audit ledger.
A local sanitizer inventories and transforms a copy, rescans it, records coverage and unresolved findings, and hashes the result. Policy can require a person to review the derivative locally and approve that exact hash. Unknown or unresolved content is refused. The raw original remains sensitive and local.
A runnable hosted bundle also needs an operator attestation over its exact approved recording and bundle hashes, compiler provenance, strict lint, policy certification, derived risk class, and successful matching replay report. Cloud verifies deployment allowlists and consumes a one-time challenge when the exact bundle is accepted.
The engine is MIT-licensed. You can read the code, run it yourself, and verify these claims rather than take them on trust.
OpenAdapt does not hold a SOC 2 attestation today. Architecture and source code are not substitutes for an independent report.
We do not run a standing BAA program today. If an enterprise pilot requires a BAA, talk to us and we will scope it as part of the engagement. We would rather tell you this up front than imply a program we have not stood up.
Data boundary
The engine documents its artifact-by-artifact boundary in the public privacy threat model.
PHI sanitation
Scrubbing is not a boolean claim attached to a bundle. It is a local transformation and approval protocol. The raw source never becomes safe merely because a derivative exists, and a sanitized recording does not prevent live PHI from appearing during execution.
Sanitation and runnability are separate gates. Register the approved recording derivative, compile it locally, pass strict lint and policy certification, and produce a successful matching replay report. Then sanitize, review, and approve a bundle whose execution-bearing content is unchanged. If recording sanitation changed execution content, hosted ingest marks it needs_parameterization; parameterize before compilation.
1
Enumerate every file and channel. Symlinks, archives, databases, media, metadata, and unknown types require an explicit handler or the operation stops.
2
Keep the sensitive original local. Redact or parameterize supported text, structured records, screenshots, and metadata in a separate derivative.
3
Scan the derivative again, record tool and policy versions, list unresolved findings, and compute a cryptographic hash over the exact result.
4
When policy requires it, inspect the derivative locally, correct missed or excessive redactions, then approve its hash. Any later modification invalidates approval.
| Review policy | Best fit | Tradeoff |
|---|---|---|
| Automatic | Lowest friction for schema-minimized diagnostics with complete handler coverage. | A detector false negative can cross the boundary. |
| Human required | Adds contextual review for screenshots, free text, and consequential artifacts. | Costs operator time and human approval is not proof of de-identification. |
| Risk-based hybrid | Automatic for narrow diagnostics; review required for recordings and bundles unless an administrator approves a measured policy. | Requires explicit artifact classes, thresholds, and audit configuration. |
The launch default is the risk-based hybrid: minimized diagnostics can be automatic; recordings and bundles require review unless an administrator explicitly adopts an automatic policy with complete type coverage.
Hosted runtime gate
The cross-engine sequence is recording sanitize → review → approve → push; local compile → strict lint → certify → successful replay; bundle sanitize → review → approve; then validate-hosted → attested bundle push → configure → run. The validation envelope binds exact artifact hashes, compiler and parameter-schema provenance, the exact non-PHI HTTPS entry URL, target boundary, and actual replay origin, lint/certification and report hashes, the derived low or consequential risk class, and a fresh one-time challenge. Cloud additionally requires exact policy, risk-class, and deployed compiler-version allowlist membership.
This is operator self-attestation, not third-party certification. It proves that the token holder signed a non-mutated evidence envelope; it does not prove an independent party witnessed the replay or that the workflow is universally safe.
Run the exact hosted validation sequence →If you have found a security issue, please report it privately so we can fix it before it is disclosed. The fastest path is GitHub's private vulnerability reporting on the repository. You can also email us with “Security” in the subject line. Please do not open a public issue for a suspected vulnerability.
We are glad to walk your security team through the architecture and answer the hard questions. Bring your requirements and we will tell you what we can and can't meet today.