BlueprintPro AI

Trust

Our security posture, subprocessors, and compliance stance.

We don't train on your data

Your prompts and Blueprints are not used to train any model. Anthropic is contractually prohibited from training on your data, and we don't train models ourselves.

Minimal subprocessor footprint

The complete list of third parties that touch your data is short by design. See below.

Signed binaries

Plugin binaries are Authenticode-signed on Windows and Apple-notarized on macOS. Release manifests are Ed25519-signed with keys held offline.

Approval gates

Every mutating tool in your editor asks for explicit approval — default per-call, overridable per-run or per-session.

Append-only audit log

Every mutating request is logged immutably. Exportable on request.

Data residency

US-only or EU-only inference routing available on enterprise plans.

Subprocessors

This is the complete list. We will notify customers in advance if it changes.

| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Anthropic | LLM inference | Prompts + tool metadata (not retained beyond processing) | US / EU |
| Stripe | Payments | Billing email, payment method on file, invoice metadata | Global |
| Cloudflare | Edge, WAF, DNS, R2 storage | IP, user agent, request metadata | Global |
| Fly.io | API compute + managed Postgres | Full application database | US / EU on request |

That is our entire subprocessor list. We do not use Sentry, PostHog, Amplitude, Datadog, Resend, Mixpanel, or any other data-collecting vendor. Error reporting, product analytics, metrics, and status pages are all operated by us.

Compliance

We maintain a self-assessed controls binder aligned with SOC 2 Trust Services Criteria. Evidence is refreshed quarterly via our internal audit script. Formal SOC 2 attestation is available on written request for enterprise customers; delivery timeline is typically 60–90 days after contract signing.

  • Self-assessed SOC 2 controls binder — refreshed quarterly.
  • GDPR — access, rectification, erasure, and portability rights honored at the account level.
  • EU AI Act — Article 50 transparency notice published.
  • Automated security regression tests run on every commit.
  • Weekly OWASP ZAP baseline scan against our production API.

Reporting a vulnerability

Email security@blueprintproai.app. We acknowledge within 24 hours and target initial assessment within five business days. See our security.txt.