{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["cards","card"]},"type":"markdown"},"seo":{"title":"HiddenLayer’s Product Data Collection and Handling","siteUrl":"https://docs.hiddenlayer.ai","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"hiddenlayers-product-data-collection-and-handling","__idx":0},"children":["HiddenLayer’s Product Data Collection and Handling"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"our-commitment-to-data-transparency-and-protection","__idx":1},"children":["Our Commitment to Data Transparency and Protection"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your trust matters to us. Our approach to data protection is grounded in transparency, strong security practices, and clearly defined safeguards. This document explains what data is collected, how it is used to support and deliver product functionality, and how it is protected at every stage. We are committed to being open about our data practices so you can make informed decisions, maintain control of your information, and confidently use our products knowing privacy and security are built in from the start."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"our-commitment-to-safeguard-your-data","__idx":2},"children":["Our Commitment to Safeguard Your Data"]},{"$$mdtype":"Tag","name":"Cards","attributes":{"columns":2,"cardMinWidth":240},"children":[{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Data Ownership","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Customers retain full ownership and control of their data at all times."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Defined Retention and Secure Deletion","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Retention periods are clearly defined by product and secure deletion practices are enforced."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Data Minimization and Purpose Limitation","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["We collect only the data necessary to fulfill contractual, legal, and regulatory requirements—minimizing exposure while supporting compliance."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Audits and Oversight","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Regular audits validate retention enforcement, access controls, storage protections, and responsible data classification."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Protection of Personal Information","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["We implement administrative, technical, and organizational safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction, in line with industry-accepted security practices."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Sub-Processors & Third-Party Providers","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["HiddenLayer engages trusted sub-processors to support delivery of our products and services. Any sub-processor involved in the storage or processing of customer data undergoes security and privacy due diligence and is required to meet our information security standards. A current list of sub-processors is available to customers upon request."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Role-Based Access Control (RBAC)","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Access is managed through centralized RBAC with permissions assigned by role and regularly reviewed to enforce least privilege and segregation of duties."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Rapid Incident Response","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Our incident response process ensures clear communication, timely action, and continuous improvement."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Encryption by Default","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["All data in transit is encrypted using secure industry standards. All data at rest is encrypted using AES-256 or stronger. HiddenLayer uses the secure HTTPS protocol for all data transmission between users, the console, and external integrations over public networks."]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"data-scope-and-boundaries","__idx":3},"children":["Data Scope and Boundaries"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Personal Information"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Personal information is only collected where necessary to support account management, access control, billing, or customer support, and is rarely required for core product functionality."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["We retain personal information only as long as needed to fulfill the purposes for which it was collected, and for a limited period afterward to meet legal, contractual, or audit requirements. De-identified or aggregated data may be retained where permitted. Backup and archival copies may persist for a defined period as part of standard system operations."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What Data is Not Collected"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["HiddenLayer does not collect:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Customer training datasets"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Business logic or proprietary application code"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Persistent copies of model files, including model weights"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Customer data for training or tuning without explicit authorization"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What Data Is Processed and Stored"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["HiddenLayer processes and stores data in secure environments aligned with the selected deployment model. Data location and processing controls are designed to meet security, compliance, and customer requirements."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When deployed in SaaS mode, certain data resides within HiddenLayer’s tenant-isolated infrastructure. In hybrid deployment models, some data may be processed locally within the customer environment while selected results or metadata are transmitted to the SaaS platform."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Platform Operational Data"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Operational data is collected and protected to ensure secure access, maintain platform integrity, support compliance"," ","requirements, and provide auditable oversight of system activity."]},{"$$mdtype":"Tag","name":"Cards","attributes":{"columns":2,"cardMinWidth":240},"children":[{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Identity and Access Management (IAM) Data","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authentication credentials, user roles, authorization data, and user identifier, including name and e-mail address, used to securely manage access and enable approved third-party integrations."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Product Usage and Configuration Data","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Platform interaction data, configuration settings, and usage patterns used to maintain performance, improve functionality, and support customer operations."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Access Logs and Audit Trails","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Logged records of user and system activity used for security monitoring, compliance reporting, and incident investigation."]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ai-runtime-security","__idx":4},"children":["AI Runtime Security"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Runtime Security ingests and analyzes structured:"]},{"$$mdtype":"Tag","name":"Cards","attributes":{"columns":2,"cardMinWidth":240},"children":[{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Runtime Interaction Data","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Prompts and system messages, model outputs, tool/function calls and results, session metadata, and multimodal content."]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This data is used to reconstruct sessions, detect adversarial activity and policy violations, and apply runtime actions such as detect, redact, or block. Detection records include the triggering signals, related execution context, and applied policy outcome."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For customer-controlled deployments, monitoring and enforcement can be deployed within the customer environment. Customer data is not used for model training. Any contribution to detection enhancement requires explicit customer approval."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the SaaS deployment model, detection data is retained for a rolling 30-day window. Following contract termination, all data is securely deleted within 60 days."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ai-supply-chain-security","__idx":5},"children":["AI Supply Chain Security"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Supply chain data is processed and protected to assess model integrity, provenance, licensing exposure, and deployment risk before models enter production environments without expanding intellectual property exposure. We intentionally work with structured metadata and security attributes that do not allow reconstruction of the model. This enables vulnerability detection, license transparency, provenance validation, and informed, risk-based deployment decisions while maintaining strict protection of proprietary model assets."]},{"$$mdtype":"Tag","name":"Cards","attributes":{"columns":2,"cardMinWidth":240},"children":[{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Model Inventory and Discovery Metadata","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Structured records of identified models within your environment, including reference attributes used for governance and oversight."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Model Lineage and Supplier Information","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Genealogy data mapping upstream dependencies, publisher sources, and supplier relationships."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"File Hashes and Structural Metadata","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Cryptographic hashes and file-level attributes used to validate integrity and detect tampering or known vulnerabilities."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Model Intelligence Data","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Includes license used to evaluate commercial use rights and compliance obligations, as well as geographic footprint and country of origin used to assess jurisdictional and geopolitical risk."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Vulnerability Scan Results","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Detection findings identifying security weaknesses, embedded risks, or unsafe components within model artifacts."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"AI Bill of Materials (AIBOM) Data","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Component-level transparency detailing model composition and dependencies to support audit and governance requirements."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"License Metadata","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Structured licensing information used to evaluate commercial use rights and compliance obligations."]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Raw model files are temporarily stored solely for processing and automatically deleted within 24 hours."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Model weights are not inspected, retained, or reused."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ai-discovery","__idx":6},"children":["AI Discovery"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["AI Discovery data is processed and protected to provide visibility into AI-related assets across cloud environments, supporting governance, supply chain, inventory management, and risk oversight without expanding customer data exposure. We focus on asset-level metadata and configuration attributes necessary to identify and classify AI systems within your environment."]},{"$$mdtype":"Tag","name":"Cards","attributes":{"columns":2,"cardMinWidth":240},"children":[{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Customer Identity & Access (IAM) Data","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authentication credentials, roles, and authorization data used to securely access and enumerate AI-related assets."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Cloud Provider Asset Metadata","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Cloud environment metadata identifying AI models, services, endpoints, and associated configurations."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Product-Generated Asset Intelligence","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Structured discovery records generated by the platform to support centralized AI inventory and oversight."]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Source asset data is retained for the life of the customer relationship to support discovery visibility, continuous governance, and asset management."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ai-attack-simulation","__idx":7},"children":["AI Attack Simulation"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["AI Attack Simulation data is processed and protected to evaluate system prompt resilience, identify security gaps, and strengthen AI system defenses prior to deployment. Processing is limited to authorized testing inputs, structured analysis outputs, and product-generated security enhancements."]},{"$$mdtype":"Tag","name":"Cards","attributes":{"columns":2,"cardMinWidth":240},"children":[{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Original System Prompts (Customer IP)","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["User-submitted system prompts analyzed for security weaknesses and vulnerability exposure."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Targeted Question Responses","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["User-provided responses used to refine analysis and strengthen prompt resilience."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Enhanced System Prompts (Product-Generated)","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Security-hardened prompts generated by HiddenLayer to improve defensive posture."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Security Updates & Explanations","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Structured updates and improvement summaries detailing remediation and hardening actions."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Red Teaming Configuration & Prompt Sets","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Testing objectives, evaluation parameters, pre-configured or generated prompts, and associated model responses used to simulate adversarial behavior."]}]},{"$$mdtype":"Tag","name":"Card","attributes":{"title":"Red Teaming Evaluation Results","imagePosition":"start","iconPosition":"auto","layout":"vertical","align":"start","variant":"filled"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Structured findings including tactics, techniques, success rates, and assessment summaries used to validate security posture."]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["All AI Attack Simulation data is retained for 90 days unless otherwise contractually required. System prompts"," ","and associated artifacts are processed solely for analysis and defense improvement purposes."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"summary-of-our-approach","__idx":8},"children":["Summary of Our Approach"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["AI security requires visibility, and that visibility must be handled responsibly. HiddenLayer is designed to provide the insight necessary to detect threats and assess model risk while maintaining clear data boundaries, defined retention practices, and strong access controls. Our approach is intended to give you the clarity, control, and confidence needed to manage AI risk within your own governance and compliance frameworks."]}]},"headings":[{"value":"HiddenLayer’s Product Data Collection and Handling","id":"hiddenlayers-product-data-collection-and-handling","depth":1},{"value":"Our Commitment to Data Transparency and Protection","id":"our-commitment-to-data-transparency-and-protection","depth":2},{"value":"Our Commitment to Safeguard Your Data","id":"our-commitment-to-safeguard-your-data","depth":2},{"value":"Data Scope and Boundaries","id":"data-scope-and-boundaries","depth":2},{"value":"AI Runtime Security","id":"ai-runtime-security","depth":2},{"value":"AI Supply Chain Security","id":"ai-supply-chain-security","depth":2},{"value":"AI Discovery","id":"ai-discovery","depth":2},{"value":"AI Attack Simulation","id":"ai-attack-simulation","depth":2},{"value":"Summary of Our Approach","id":"summary-of-our-approach","depth":2}],"frontmatter":{"seo":{"title":"HiddenLayer’s Product Data Collection and Handling"}},"lastModified":"2026-05-05T16:49:40.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/docs/resources/data_privacy/product_data_collection_and_handling","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}