Trust · Security · Privacy

How ChiefLab handles your repo, your tenants, and your customers' data.

Plain language. Honest about what's shipped, what's half-wired, and what's on the roadmap. If something here is wrong or unclear, email security@chieflab.io — we'll fix it on this page.

Last updated · 2026-05-13 · See the public roadmap

Six pillars

Approval-gated by default

No publish, send, or write-scope connector call fires without explicit human approval. Signed reviewUrl (HMAC, 7-day TTL) is the only approve/reject surface.

Read-first connectors

GA4, Search Console, Zernio, Resend default to read-only. Write scopes require separate enablement and always trigger the approval gate.

Repo context stays scoped

Repo payloads (routes, diffs, README) are used for the single run that produced the launchPack. Never trained on. Never copied across workspaces.

Tenant isolation is the data spine

Every run, asset, action, secret, memory entry scoped by workspace_id + tenant_id. Cross-tenant reads blocked at the query layer (Supabase RLS).

Secrets encrypted at rest

API keys SHA-256 hashed before persistence. Connector OAuth tokens encrypted in chieflab_connector_secrets. Secrets only in Vercel + Supabase env.

Auth is explicit

REST + MCP require Bearer auth. Unauthenticated calls never attribute to a demo user. Sandbox is IP rate-limited and clearly labeled.

Repo context & data handling

The questions every repo-aware caller asks before they pass us their codebase.

What does ChiefLab actually store about my repo?

When your agent calls chieflab_launch_product with repo context (routes, recent commit messages, README, package.json snippets, optionally diffs), we store that payload only on the run row that produced the launchPack — so you can re-render or audit the run later. We do not vector-embed your code into a shared index. We do not train models on it. We do not copy it across workspaces or tenants. Default retention is 90 days; enterprise plans can configure shorter.

Do you send my code to a model?

Only the parts your agent passes in. ChiefLab's drafting briefs include the repo-context fields you supplied — that brief is what your agent's LLM (Sonnet, GPT, Gemini, etc.) renders into final copy. On outputMode: 'context' (the default), no ChiefLab-side LLM call happens at all. On outputMode: 'full' (premium tier), the brief is sent to the configured model with standard provider terms; the model providers' enterprise data policies apply (Anthropic, OpenAI, Google).

What does outputMode mean for privacy?

  • context (default) — brief returned, your LLM renders it. Zero ChiefLab LLM tokens, no third-party model exposure beyond what your agent already does.
  • draft — small ChiefLab routing model produces a rough draft.
  • full — premium model generates server-side.

Each mode is opt-in per call; the default is the most private.

Where does the data live?

Postgres (Supabase, US region by default). API runtime: Vercel (us-east + edge). Object storage for generated images: Cloudflare R2. Connector tokens: Supabase with per-row encryption. Logs: Vercel native (30-day retention) + Supabase audit trail (90-day retention).

Can I delete my data?

Yes. Email hi@chieflab.io with your workspace ID; we hard-delete runs, assets, actions, memory, voice samples, and connector tokens within 7 days and confirm in writing. Self-serve delete in /app/settings is on the roadmap (see /roadmap).

Who can see my approvals?

Anyone holding the signed reviewUrl can see that single run's assets, briefs, and proposed actions — that's the point of the no-login surface (the agent shares the link with the human approver). The link is HMAC-signed with a 7-day TTL and revocable from /app. The workspace Inbox at /app requires authenticated workspace membership.
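
The signed, expiring link described above, sketched as an added example; this is not ChiefLab's code. The `exp` and `sig` query parameter names, the layout of the signed string, and the in-memory revocation set are assumptions; only HMAC signing, the 7-day TTL, revocability, and the /runs/:id path come from this page.

```javascript
// Added example: HMAC-signed, expiring review link. Parameter names are assumptions.
const nodeCrypto = require('node:crypto');

const TTL_SECONDS = 7 * 24 * 60 * 60; // the 7-day TTL stated on this page

// MAC over "<runId>.<exp>" so neither the run nor the expiry can be changed
// without the server-side key. exp is digits only, so the "." split is unambiguous.
function mac(secret, runId, exp) {
  return nodeCrypto.createHmac('sha256', secret)
    .update(`${runId}.${exp}`)
    .digest('base64url');
}

function signReviewUrl(baseUrl, runId, secret, nowSec) {
  const exp = String(nowSec + TTL_SECONDS);
  const url = new URL(`/runs/${encodeURIComponent(runId)}`, baseUrl);
  url.searchParams.set('exp', exp);
  url.searchParams.set('sig', mac(secret, runId, exp));
  return url.toString();
}

function verifyReviewUrl(urlString, secret, nowSec, revoked = new Set()) {
  let url, runId;
  try {
    url = new URL(urlString);
    runId = decodeURIComponent(url.pathname.split('/').pop());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  const exp = url.searchParams.get('exp') || '';
  const sig = url.searchParams.get('sig') || '';
  // Verify the MAC over the raw exp string, so "0123" and "123" are not equivalent.
  if (!/^\d{1,12}$/.test(exp)) return { ok: false, reason: 'malformed' };
  const expected = Buffer.from(mac(secret, runId, exp));
  const given = Buffer.from(sig);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Only after the signature holds do we trust exp and the run id.
  if (nowSec >= Number(exp)) return { ok: false, reason: 'expired' };
  if (revoked.has(runId)) return { ok: false, reason: 'revoked' };
  return { ok: true, runId };
}
```

Because the link is a bearer credential, the signature is checked before expiry or revocation so that a forged link learns nothing about whether a run exists or has been revoked.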

Connector permissions — what we actually have access to

We will not list a connector as "live" if it is not. The list below tracks the dashboard at /app/connections and the connector reality audit committed to the repo.

| Connector | Status | Scope | Retention notes |
|---|---|---|---|
| Zernio (social publish) | Live | Write — publishes posts after explicit per-action approval | Post records persist in chieflab_actions; engagement data fetched on demand at 24h post-launch |
| Resend (email send) | Live | Write — sends emails after explicit per-action approval | Send records persist; recipient lists are stored only on the action row |
| Google Analytics 4 (read) | Live | Read-only — analyticsdata.googleapis.com | OAuth refresh token encrypted at rest; analytics responses cached on the post-launch-review run row |
| Search Console (read) | Live | Read-only — webmasters/v3 | Same as GA4 |
| HubSpot | Half-wired | OAuth completes but the snapshot read currently returns mock data — listed under 'Beta' on /roadmap and hidden from /app/connections until the read path ships | |
| Stripe (billing) | Wired | Portal session creation + subscription webhook handler shipped (invoice.payment_succeeded / customer.subscription.updated / .deleted). Production processes events when STRIPE_WEBHOOK_SECRET is configured on the deployment. | Stripe customer ID + plan tier stored on workspace; no PII beyond email |
| Meta Ads / Google Ads / Buffer / Salesforce / Intercom / Linear / etc. | Mock-only | Surface-shaped snapshots returned via MCP for testing — never claimed as live, hidden from /app/connections | Mock data has no real connector behind it |

Subprocessors

Third parties that touch customer data, listed by purpose. When this list changes, we update customers: we email workspace owners 30 days ahead of any addition. The canonical list (with data categories, regions, and DPA links) is maintained at /legal/subprocessors; the table below is an operational mirror.

| Provider | Purpose |
|---|---|
| Vercel | API runtime + chieflab.io static hosting |
| Cloudflare | DNS, CDN, Pages function (chieflab.io/api proxy), R2 image storage |
| Supabase | Postgres database, auth, encrypted secrets storage |
| Anthropic | Sonnet 4.6 routing + premium-tier full generation (only when caller selects outputMode: 'draft' or 'full') |
| Google (Gemini API) | Image generation when imagesNeeded > 0 (opt-in) |
| OpenAI | Optional — only when caller routes to GPT models for outputMode: 'full' |
| Zernio | Social publish (only on approved publish actions) |
| Resend | Email send (only on approved send actions) |
| Stripe | Billing portal + subscription webhook handler (processes paid-plan upgrades when STRIPE_WEBHOOK_SECRET is configured) |

Compliance primitives — call these for GDPR fulfillment

Five MCP tools cover the GDPR data-subject-rights surface. Implementations live in apps/mcp/src/tools.js; verified end-to-end against production by docs/GDPR_LAYER2_AUDIT_2026-05-12.md (22/22 functional assertions, 0 failures). Audit artifacts are available to customers under NDA because the source repo is private.

| Tool | GDPR article | What it does |
|---|---|---|
| chieflab_delete_workspace | Art. 17 (erasure) | Hard-purge across all workspace tables on confirm token; revokes API key. |
| chieflab_export_workspace | Art. 15 + 20 (access + portability) | Full JSON dump of workspace data; secrets redacted; 10k rows/table cap with cap-flag on receipt. |
| chieflab_export_subject | Art. 15 (third-party access) | Primary exact-match scan + secondary text-contains scan for a named subject (email, handle, name, company). |
| chieflab_purge_subject | Art. 17 (third-party erasure) | Two-phase: preview without confirm, surgical delete with confirm: "PURGE-SUBJECT"; logs receipt to audit trail. |
| chieflab_audit_log_read | Art. 30 (records of processing) | Workspace-scoped event log with since/until/limit; meta-audited (the read itself logs an event). |

Full legal framing of these primitives at /legal/privacy §8 and /legal/dpa §7.

Reporting a vulnerability

Email security@chieflab.io. We acknowledge within 72h and aim to provide a remediation timeline within 7 days. Standard responsible disclosure — please don't open a public GitHub issue. Full policy in SECURITY.md.

In scope

  • chieflab.io/api/* (REST + MCP endpoints)
  • chieflab.io/runs/:id (signed run viewer)
  • chieflab.io/app (dashboard) and chieflab.io/keys (delivery)
  • Public packages — @chieflab/cli, @chieflab/mcp-server, and @chieflab/sdk are live on npm.

Known limits we'd rather you knew up front

  • Vercel cron is once-per-day on the current plan; webhook retry windows can be up to 24h until we move to Pro.
  • Sending domain mail.chieflab.io is verified; onboarding@resend.dev is the bootstrap fallback when a workspace has no verified domain.
  • No formal bug bounty yet — but we'll publicly credit reporters who request it.

Want this in writing for procurement?

DPA, sub-processor list, custom retention windows, SSO, audit-log export — email hi@chieflab.io. We'll quote within 24h.