Data Boundary
What stays local, what is uploaded, and how PolicyStrata limits hosted data exposure.
Principle
Default enterprise mode is metadata-first. The self-hosted runner sees sensitive data; the hosted control plane stores normalized evidence, hashes, release decisions, and redacted summaries.
Security posture
A buyer should be able to adopt the control plane without sending raw customer docs, full traces, private schemas, source credentials, or customer rows to the hosted app.
Data Classification
| Data | Default location | Hosted by default |
|---|---|---|
| Source credentials | Customer environment | No |
| Raw documents | Customer environment | No |
| Full traces | Customer environment | No |
| Database schemas | Customer environment | No |
| Customer rows | Customer environment | No |
| Tool versions | Control plane | Yes |
| Source set names | Control plane | Yes |
| Finding summaries | Control plane | Yes |
| Redacted witnesses | Control plane | Optional |
| Artifact names and hashes | Control plane | Yes |
| Reviewer decisions | Control plane | Yes |
Upload Modes
| Mode | Behavior |
|---|---|
| Metadata-only | Upload summaries, status, finding ids, tool versions, hashes, and decision state. |
| Redacted artifact | Upload sanitized witnesses and selected small artifacts. |
| Customer storage reference | Upload pointers to customer-owned evidence storage. |
Retention Rules
- Keep runner-local artifacts in customer-controlled storage.
- Keep hosted run metadata for release history and audit state.
- Expire waivers unless explicitly renewed.
- Preserve reviewer identity, reason, timestamp, and scope.
- Avoid storing secrets in artifact references, query strings, or filenames.