Intentra

Security

How we protect your data and intellectual property

Zero-Knowledge Architecture

Intentra is built on a zero-knowledge principle: we never store your prompts, code, or AI responses. Only metadata necessary for cost tracking and anomaly detection is retained. Your intellectual property never touches our storage.

1. Data Minimization

Data minimization is the foundation of our security model. Our CLI securely transmits encrypted scan data for real-time anomaly detection, then immediately discards all sensitive content. We only retain:

  • Timestamps: When interactions occurred
  • Token metrics: Input, output, and thinking token counts
  • Cost estimates: Calculated costs based on token usage
  • Model identifiers: Which AI tools and models were used
  • Detection results: Anomaly flags with severity and confidence scores

We never store prompts, AI responses, file contents, project structure, directory layouts, or conversation history. This data is processed in memory and immediately discarded.

2. Encryption

In Transit

All data transmitted between the Intentra CLI and our API is encrypted using TLS 1.2 or higher. All web traffic to intentra.sh and api.intentra.sh is served over HTTPS with modern cipher suites enforced by Cloudflare.

At Rest

All stored data is encrypted at rest using AES-256 encryption via AWS. API keys are hashed with bcrypt (12 rounds) before storage and cannot be recovered in plaintext. Secrets and credentials are stored in AWS Secrets Manager with KMS encryption.

3. Infrastructure Security

  • Cloud Provider: Hosted on AWS (us-east-1) with enterprise-grade security controls
  • Edge Protection: Cloudflare WAF and DDoS protection for all public endpoints
  • API Gateway: Request validation and throttling at the gateway level
  • Serverless Architecture: Lambda-based compute with no persistent servers to compromise
  • Infrastructure as Code: All infrastructure provisioned and managed via Terraform for auditability and reproducibility
  • Environment Isolation: Separate production and development environments with independent resources

4. Access Controls

  • Role-Based Access: Admin and viewer roles with granular permissions per organization
  • Data Isolation: Organization-level data isolation ensures teams only see their own data
  • API Authentication: Enterprise API keys with configurable expiration and per-organization scoping
  • Identity Provider: Auth0-powered authentication with support for multi-factor authentication
  • Replay Protection: Cryptographic nonces with 10-minute TTL prevent request replay attacks

5. Data Retention

We retain data only as long as necessary. Specific retention periods:

| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days |
| Scan metadata | Duration of account |
| Event payloads (S3) | 7 days (auto-deleted) |
| Message queues (SQS) | 24 hours |
| Application logs | 30 days |
| Authentication nonces | 10 minutes |

For the complete data retention schedule, see our Privacy Policy.

6. Incident Response

Intentra maintains a dedicated security incident response process:

  • Detection: Automated monitoring and alerting for anomalous activity
  • Notification: 72-hour breach notification commitment to affected customers and relevant supervisory authorities
  • Remediation: Immediate containment, root cause analysis, and corrective action
  • Review: Post-incident review with documented findings and preventive measures

Contact [email protected] for security concerns.

7. Compliance and Governance

  • CCPA: Compliant with California Consumer Privacy Act requirements (see Privacy Policy)
  • GDPR: Ready with Standard Contractual Clauses for EU-US data transfers and full data subject rights support
  • DPA: Data Processing Agreement available for enterprise customers
  • Transparency: Public subprocessor list with change notification

8. Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly. Our Responsible Disclosure Policy outlines how to report security issues, what to expect, and our safe harbor commitments. Our security.txt is also available.

9. Questions

For security inquiries, contact us at [email protected].
