DATA PRACTICES
What RANKIGI stores by default, and what it does not persist as raw payload.
You are the data controller. RANKIGI is the data processor. Here is exactly what that means.
What We Store
For each agent event, RANKIGI retains a canonical event record containing structured metadata (action type, tool invoked, timestamps, policy outcomes, agent identifiers). This canonical record is used to compute and verify the tamper-evident chain hash. It does not contain raw prompt text, model outputs, or sensitive payload content unless the customer’s agent explicitly includes such content in structured metadata fields. The canonical record is stored as pseudonymized data under GDPR Article 4(5). We also store a keyed payload fingerprint (HMAC-SHA-256, derived per tenant). Customers may request verification of this retention constraint under DPA Section 4(a) / GDPR Article 28(3)(h).
On the applicable subscription tier, customers may enable encrypted evidence retention. Under this mode the canonical event record is encrypted with AES-256-GCM before persistence using a per-organisation key derived via HKDF from a master key held in RANKIGI’s key management system. RANKIGI staff cannot access plaintext canonical records under this mode without an explicit customer-authorised reveal operation, which is logged to a tamper-evident, append-only audit trail. Customer-managed keys (BYOK) ship Q3 2026; contact enterprise@rankigi.com.
Data Retention by Tier
Data Residency
Data is currently processed in US East (AWS us-east-1). Regional deployment options are under evaluation. For EU customers, RANKIGI relies on Standard Contractual Clauses (SCCs). Our DPA is available at rankigi.com/dpa.
Breach Notification Protocol
Within 1 hour: incident response activated. Within 4 hours: affected customers notified. Within 24 hours: public incident report. Within 72 hours: full post-mortem (GDPR requirement).
Because RANKIGI does not persist a separate raw payload field by default, a breach of the default-tier store exposes hashes, keyed fingerprints, and the canonical verification record rather than reconstructable raw payloads. Encrypted evidence stored under the applicable subscription tier remains protected by customer-managed keys that RANKIGI does not hold.
Your Rights
As the data controller, you have rights to: access, deletion, portability (JSON export), correction, and restriction. For the append-only chain, deletion is implemented as cryptographic deletion (nulling any retained payload and rotating the per-tenant HMAC key, with destruction of customer-managed keys for encrypted evidence) rather than physical removal of chain entries; the append-only, tamper-evident hashes, timestamps, and minimal metadata remain as integrity tombstones. Email privacy@rankigi.com. We respond within 30 days.
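The following Python example is added here for illustration and is not RANKIGI's code. It shows how a keyed payload fingerprint and a hash chain over canonical records behave when the per-tenant HMAC key is rotated: the fingerprint can no longer be matched against a candidate payload, while the chain entries still verify as tombstones. The canonical JSON form, genesis value, chain construction, field names and keys are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def canonical(record: dict) -> bytes:
    # Assumed canonical form: compact JSON with sorted keys.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def fingerprint(tenant_key: bytes, payload: bytes) -> str:
    # Keyed fingerprint: a guessed payload cannot be confirmed without the key.
    return hmac.new(tenant_key, payload, hashlib.sha256).hexdigest()

def link(prev_hash: str, record: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

def append(chain: list, metadata: dict, payload: bytes, tenant_key: bytes) -> None:
    # Only metadata and the fingerprint are stored; the raw payload is dropped.
    record = dict(metadata, payload_fp=fingerprint(tenant_key, payload))
    prev = chain[-1]["chain_hash"] if chain else GENESIS
    chain.append({"record": record, "chain_hash": link(prev, record)})

def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for entry in chain:
        if not hmac.compare_digest(link(prev, entry["record"]), entry["chain_hash"]):
            return False
        prev = entry["chain_hash"]
    return True

def payload_matches(entry: dict, payload: bytes, tenant_key: bytes) -> bool:
    expected = fingerprint(tenant_key, payload)
    return hmac.compare_digest(entry["record"]["payload_fp"], expected)

def demo() -> dict:
    # Constructed keys and events, for illustration only.
    old_key, new_key = b"constructed-tenant-key-v1", b"constructed-tenant-key-v2"
    chain: list = []
    append(chain, {"action": "tool_call", "tool": "search", "ts": 1}, b"secret prompt", old_key)
    append(chain, {"action": "policy_check", "outcome": "allow", "ts": 2}, b"other", old_key)
    before = payload_matches(chain[0], b"secret prompt", old_key)
    # After rotation the old key is destroyed; only new_key is available.
    after = payload_matches(chain[0], b"secret prompt", new_key)
    intact = verify_chain(chain)  # tombstones verify without any tenant key
    chain[0]["record"]["tool"] = "shell"  # constructed tampering with metadata
    return {"before": before, "after": after, "intact": intact, "tampered_ok": verify_chain(chain)}

if __name__ == "__main__":
    print(demo())
```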
Sub-processors
We notify customers of new sub-processor additions 30 days in advance.