Security & Data Handling

Straight answers to the questions every team asks before connecting agentwach.

Hijack-proofing in place

  • Content-Security-Policy (anti-XSS)
  • Strict-Transport-Security (forced HTTPS, 2-year)
  • frame-ancestors 'none' (anti-clickjacking)
  • Cross-Origin-Opener-Policy (anti tab-napping)
  • Referrer-Policy: strict-origin
  • Permissions-Policy (camera/mic/geo denied)
  • Leaked-password check (HIBP) at signup
  • Row-level security on every user-data table
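
A way to verify the six header-based controls in this list from the outside, as an added example (not agentwach's code): `audit` takes a response's headers and returns what is missing or weaker than stated. The sample headers are constructed, and treating `unsafe-none` as a failing Cross-Origin-Opener-Policy value is an assumption, since the page does not give that header's value.

```python
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the "2-year" HSTS claim

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; the first duplicate wins."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def hsts_max_age(value):
    """Return max-age in seconds, or 0 when absent or malformed."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def denied_features(value):
    """Permissions-Policy features with an empty allowlist, e.g. camera=()."""
    pairs = (p.strip().partition("=") for p in value.split(","))
    return {n.lower() for n, _, allow in pairs if allow.replace(" ", "") == "()"}

def audit(headers):
    """Return findings; an empty list means every listed header control is present."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    undenied = {"camera", "microphone", "geolocation"} - denied_features(h.get("permissions-policy", ""))
    checks = [
        (not csp, "Content-Security-Policy missing"),
        (csp.get("frame-ancestors") != ["'none'"], "frame-ancestors is not 'none'"),
        (hsts_max_age(h.get("strict-transport-security", "")) < TWO_YEARS, "HSTS max-age under 2 years"),
        # Assumption: any COOP value other than unsafe-none counts as present.
        (h.get("cross-origin-opener-policy", "unsafe-none").lower() == "unsafe-none", "COOP missing or unsafe-none"),
        (h.get("referrer-policy", "").lower() != "strict-origin", "Referrer-Policy is not strict-origin"),
        (bool(undenied), "Permissions-Policy does not deny: " + ", ".join(sorted(undenied))),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample headers that satisfy the list (not captured from agentwach).
SAMPLE = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

Feed it the headers from a real response (for example the dictionary a standard HTTP client returns) to compare what is actually served against the list.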

Can agentwach see my prompts?

No, not by default. The browser extension transmits domain, token estimates, and model name. Prompt and completion bodies stay in your browser unless you explicitly enable full-content capture per source. The Ingest SDK only stores what your code posts.

Are my API keys encrypted?

Yes. Provider API keys you paste into Integrations are encrypted at rest using AES-256 and decrypted only inside the polling worker. They are never returned to the browser after save and never logged.

Can I delete my data?

Yes. Workspace owners can wipe events, sources, and tokens from the Admin panel, or email admin@agentwach.com for a full account deletion.

Who can access my workspace?

Only members you invite. Roles are scoped (owner, admin, member) and enforced server-side via row-level security — including for our support staff, who cannot read workspace contents without an explicit, time-bound grant from an owner.

Does the Chrome extension collect browser content?

The extension reads only the active AI chat tab (ChatGPT, Claude, Gemini) and extracts token estimates locally. Browsing history, cookies, and other tabs are never accessed. Source is auditable on request.

Are logs stored forever?

No. Retention is bounded by your plan: 14 days on Free, 30 days on Hobby, 90 days on Pro, and 1 year on Team. Events older than your window are deleted automatically every night.

Where is data hosted?

Primary infrastructure runs on managed cloud providers in the US and EU. Enterprise customers can request a region pin or private deployment.

Reporting a vulnerability

Email admin@agentwach.com. We respond within one business day and credit responsible disclosures.