VeriSwarm Privacy Policy

Effective Date: March 20, 2026

1. Overview

VeriSwarm ("we", "us") operates the trust scoring platform at veriswarm.ai. This policy explains how we collect, use, and protect your information.

2. Information We Collect

Account Information

  • Email address, display name, and password (hashed with Argon2id).
  • MFA secrets (encrypted, used only for authentication).
  • Account type and workspace membership.

Agent Data (Submitted by You)

  • Agent profiles: name, slug, description, runtime info, public keys.
  • Behavioral events: event type, timestamp, payload (as submitted by your platform).
  • Decision check requests: agent ID, action type, resource type.

Automatically Collected

  • IP addresses (for rate limiting and security, not stored long-term).
  • Request metadata: timestamps, API versions, user agent strings.
  • Usage metrics: daily API call counts per workspace.

3. How We Use Your Data

  • Scoring: We process agent events to compute trust scores (identity, risk, reliability, autonomy).
  • Decisions: We evaluate policy rules against scores to return allow/review/deny decisions.
  • Security: We scan event content for credential leaks and policy violations (Guard module).
  • Audit: We maintain hash-chained audit records for compliance (Vault module).
  • Billing: We track API usage to enforce plan quotas.
  • Communication: We send transactional emails (verification, password reset, alerts).

4. Data Sharing

We do not sell your data. We share data only:

  • With Stripe: For payment processing. Stripe's privacy policy applies to payment data.
  • With Resend: For transactional email delivery.
  • Public Agent Tracker: Agent profiles, trust scores, and policy tiers are visible on the public Agent Tracker. Event payloads are not publicly displayed.
  • Legal requirements: If required by law, subpoena, or court order.

5. Data Retention

Plan    Event Retention    Audit Retention
Free    30 days            30 days
Pro     90 days            90 days
Max     365 days           365 days

After the retention period, data is permanently deleted. Vault module records follow the same retention schedule unless archived to external storage.

6. Data Security

  • Passwords are hashed with Argon2id (no plaintext storage).
  • API keys are stored as SHA-256 hashes.
  • Session tokens expire and can be revoked.
  • MFA (TOTP) is supported for account protection.
  • All production traffic is encrypted via TLS (HTTPS).
  • Database access is restricted to application services.

7. Your Rights

You may:

  • Access: View all your data via the dashboard and API.
  • Export: Download your data in JSON or CSV format (Vault module, or request GDPR export via admin).
  • Delete: Request account and data deletion by contacting [email protected].
  • Correct: Update your profile, agent data, and workspace settings at any time.

8. Cookies

We use a single session cookie (veriswarm_session) for authentication. We do not use tracking cookies. We use Google Analytics for anonymous site usage metrics.

9. Children

The Service is not intended for users under 18.

10. International Users

Data is processed in the United States. By using the Service, you consent to data transfer to the US.

11. Changes

We may update this policy. Material changes will be communicated via email. The effective date at the top reflects the latest version.

12. Contact

Privacy questions: [email protected]