Skip to main content
This page is the source of truth for what DecimalAI does with your data. For a quick scan, jump to Data we store or How to delete data.

Data we store

For each trace ingested via the SDK or API:
FieldWhat it contains
agent_nameA free-form string you choose in decimalai.init().
user_inputThe text passed into your agent. Stored verbatim.
final_outputThe agent’s response. Stored verbatim.
spansPer-step span tree (tool calls, retrieval, sub-spans).
llm_callsFor each LLM invocation: rendered prompt (all messages), completion text, model name, provider, token counts, tool calls, finish reason.
metadataCost estimate, latency, timestamps, manifest hash, and arbitrary tags you attach.
eval_scoresAny quality or compatibility scores you push or that we compute.
For each manifest registered via the SDK:
FieldWhat it contains
componentsTool names, tool JSON schemas, model names + params, prompt text, skill names + content hashes.
agent_models_jsonThe full model config block from your framework.
graph_topology_hashHash of the multi-agent topology (no graph contents stored).
Prompt and output text is stored in plaintext. If your prompts or agent outputs contain PII, credit card numbers, or other sensitive data, you must scrub it client-side before traces are sent. The SDK does not redact for you — run your own sanitizer between agent execution and decimalai.send().

What we do NOT store

  • Your LLM API keys. Pre-deploy regression checks don’t need them. The Playground stores BYOK keys encrypted at rest, scoped to the workspace, never logged.
  • Your source code. The SDK never reads files outside the SKILL.md auto-discovery paths (.claude/skills/, .agents/skills/).
  • Inbound request bodies to the platform API beyond what’s documented as an endpoint payload.

Encryption

  • At rest. All data in Postgres is encrypted at rest by Cloud SQL (Google-managed AES-256); object storage is Google Cloud Storage, encrypted at rest by default (AES-256).
  • In transit. All API traffic uses TLS 1.2+. HSTS is enabled on api.decimal.ai and app.decimal.ai.
  • Secrets. API keys are stored as bcrypt hashes; only the prefix (dai_sk_..., or dai_pk_... for a public key) is visible after creation. BYOK LLM keys are encrypted with a per-workspace KMS-derived key.

Retention

PlanTrace retentionManifest retentionSkill / dataset retention
Free14 daysForeverForever
Core30 daysForeverForever
Pro90 daysForeverForever
Enterprise365 daysForeverForever
Traces older than your retention period are deleted automatically (rolling, daily). Manifests, skills, and datasets are kept indefinitely so your version history stays intact.

How to delete data

What you want to deleteHow
All traces for an agentSettings → Agents → click agent → Purge traces (admin role)
All traces for your orgDELETE /api/v1/admin/purge/traces (admin role) — purges all traces, spans, LLM calls, and eval scores for the organization
A workspace + everything in itSettings → Workspaces → Delete workspace (workspace admin)
All data for a specific user (GDPR)Email support@decimal.ai — endpoint on the roadmap
Deletions are hard deletes — the row is removed, not soft-flagged. Backups retain deleted data for up to 30 days for disaster recovery; after that the row is unrecoverable.

Compliance

DecimalAI is not currently SOC 2 certified. The certification is in progress (target: late 2026).
ItemStatus
SOC 2 Type IIIn progress (target: late 2026)
Security questionnaire (SIG Lite, CAIQ)Available on request
Architecture diagram + threat modelAvailable on request
Penetration test summaryQ1 2026
DPA / standard contractual clauses (EU)Available on request
For enterprise procurement reviews, we provide:
  • Detailed security questionnaire (SIG Lite, CAIQ)
  • Architecture diagram + threat model
  • Penetration test summary (Q1 2026)
  • DPA / standard contractual clauses for EU data flows
Email security@decimal.ai for the docs package.

Hosting region

Production runs on Google Cloud Platform (Cloud Run + Cloud SQL for PostgreSQL) in region us-central1 (project decimalai-prod). Enterprise customers can request a different GCP region; we’ll spin up an isolated stack and migrate.

Reporting a vulnerability

If you find a security issue, please do not open a public GitHub issue. Email security@decimal.ai — PGP key available on request. We respond to security reports within 24 hours and follow coordinated disclosure practice. We do not currently run a paid bug bounty.