Security and trust
Where your data goes, and what we have and haven't certified yet
OpenAdapt is built to run where your data already lives. This page states our posture plainly: what is in place today, what is underway, and what is still just planned. If a badge is not here, we do not have it yet.
Recordings, scripts, and replays live on your own machines. In an on-premises deployment, the AI model runs on your hardware too, so your data stays inside your network.
Healthy replay makes zero model calls, so nothing about the run leaves your machine. Compilation is deterministic and model-free by default. When the screen changes, deterministic fallbacks (template, OCR, geometry) handle many UI changes; an optional model can assist unresolved changes. Any such model, like everything else, can run on your own hardware inside your network, so your data never goes to a third party.
Every replay writes a step-by-step run report: what ran, what it saw, and what it repaired. You can check each action against the task you recorded.
Scrubbing tooling is included for teams that need to sanitize captured data before anyone, human or model, sees it.
The engine is MIT-licensed. You can read the code, run it yourself, and verify these claims rather than take them on trust.
We do not hold a SOC 2 attestation today. The on-prem architecture is built to meet SOC 2 requirements and formal attestation is in progress. We will not claim otherwise until a report exists.
We do not run a standing BAA program today. If an enterprise pilot requires a BAA, talk to us and we will scope it as part of the engagement. We would rather tell you this up front than imply a program we have not stood up.
Report a vulnerability
If you have found a security issue, please report it privately so we can fix it before it is disclosed. The fastest path is GitHub's private vulnerability reporting on the repository. You can also email us with “Security” in the subject line. Please do not open a public issue for a suspected vulnerability.
Reviewing OpenAdapt for a regulated deployment?
We are glad to walk your security team through the architecture and answer the hard questions. Bring your requirements and we will tell you what we can and can't meet today.