The flight recorder for AI agents

Privacy Policy

How AgentBlackBox processes data when you use the service.

Last updated: draft (not yet effective).

Overview

AgentBlackBox provides a governance and accountability control plane for AI agents. This policy describes the categories of data we process to provide the service and the choices available to customers. AgentBlackBox is typically used by an organization (the "customer"), which is the controller of the data it records; we act as a processor on the customer's behalf.

Data we process

  • Account & organization data: names, email addresses, organization name, roles, and authentication metadata.
  • Customer-recorded content: the agent activity, events, approvals, policies, and audit records that the customer chooses to record in the service.
  • Integration data: data brought in by connectors the customer explicitly enables, and configuration for SSO/SCIM the customer sets up.
  • Operational data: usage metrics, request logs, and diagnostic information used to operate, secure, and support the service.

How we use data

  • To provide, maintain, and secure the service.
  • To produce the tamper-evident audit records and reports the customer requests.
  • To provide support and communicate about the service.

We do not sell personal data.

Service providers

We rely on infrastructure and service providers to operate AgentBlackBox — for example cloud hosting and a managed database — and on optional providers that a customer chooses to enable, such as a payment processor for billing, an email provider for notifications, and identity providers for SSO and connectors. These providers process data only as needed to provide their functions. A current list will be maintained as part of the finalized policy.

Retention & deletion

Customers control retention windows and may place records under legal hold. Audit records are designed to be tamper-evident, so deletion is performed as a redaction that preserves the integrity of the audit chain. Customers can request data-subject export and erasure; destructive actions require explicit administrator authorization.

Your choices & rights

Depending on your role and applicable law, you may request access to, export of, or erasure of personal data. Because the customer organization controls its data, individual requests are generally handled through that organization's administrator and the service's data-subject request tools.

Security

We use technical and organizational measures including tenant isolation, role-based access control, encryption of secrets at rest, and fail-closed defaults. See the Security page.

Contact

Questions about this policy can be sent to SAMTOSAINC@GMAIL.COM.

AgentBlackBox is the governance and accountability control plane for AI agents—approvals, policies, audit evidence, identity lifecycle, and compliance in one system.

© 2026 AgentBlackBox. All rights reserved.