How ChiefLab handles your repo, your tenants, and your customers' data.
Plain language. Honest about what's shipped, what's half-wired, and what's on the roadmap. If something here is wrong or unclear, email security@chieflab.io — we'll fix it on this page.
Six pillars
Approval-gated by default
No external action runs without an explicit human approval. Every publish, send, or write-scope connector call stages an Action in 'pending' state. The signed reviewUrl (HMAC, 7-day TTL) is the single approve/reject surface — same backend serves the workspace Inbox at /app. If a caller never visits the link, nothing fires.
Read-first connectors
GA4, Search Console, Zernio, Resend OAuth scopes are minimum-write by default. Read-only modes are the documented path; write scopes (publish, send) require separate enablement and trigger the approval gate every time.
Repo context stays scoped
When a caller passes repo context (routes, recent diffs, README excerpts) to chiefmo_launch_product or chiefmo_gtm_run_start, it is used inside the drafting prompts for that single run. Repo-context payloads are not used to train any model, never copied across workspaces, and persisted only on the run row (or GTM run row) that produced the launchPack. Multi-agent GTM runs scope the same payload across all 8 agents — every agent reads the same workspace+tenant boundary, never crosses it.
Multi-agent runs share one audit boundary
P10 GTM runs spawn up to 8 agents under one parent run. Every handoff between agents persists in chieflab_gtm_handoffs (workspace+tenant scoped). Every memory write is append-only to chieflab_gtm_memory_log with the agent id and run id that wrote it — full lineage for any decision an agent made on prior context. Agents never call each other directly; the orchestrator routes.
Tenant isolation is the data spine
Every run, asset, action, secret, and memory entry is scoped by workspace_id + tenant_id. Cross-tenant reads are blocked at the query layer (Supabase RLS + per-row workspace filter). Recent regression fixes (commits 3f18a2d and aac5da4) tightened this — see the public commit log.
Secrets are encrypted at rest
API keys are SHA-256 hashed before persistence (clp_live_/clp_dev_/clp_test_ prefixes). Connector OAuth tokens are encrypted in chieflab_connector_secrets. .env files are never committed; secrets live only in Vercel + Supabase environment variables.
Auth is explicit
REST endpoints and MCP calls require Bearer auth. Unauthenticated calls do not silently attribute to a demo or fallback user (this was tightened in commit 3f18a2d after a smoke test caught the regression). Sandbox endpoints are rate-limited per IP and clearly labeled.
Repo context & data handling
The questions every repo-aware caller asks before they pass us their codebase.
What does ChiefLab actually store about my repo?
When your agent calls chiefmo_launch_product with repo context (routes, recent commit messages, README, package.json snippets, optionally diffs), we store that payload only on the run row that produced the launchPack — so you can re-render or audit the run later. We do not vector-embed your code into a shared index. We do not train models on it. We do not copy it across workspaces or tenants. Default retention is 90 days; enterprise plans can configure shorter.
Do you send my code to a model?
Only the parts your agent passes in. ChiefLab's drafting briefs include the repo-context fields you supplied — that brief is what your agent's LLM (Sonnet, GPT, Gemini, etc.) renders into final copy. On outputMode: 'context' (the default), no ChiefLab-side LLM call happens at all. On outputMode: 'full' (premium tier), the brief is sent to the configured model with standard provider terms; the model providers' enterprise data policies apply (Anthropic, OpenAI, Google).
What does outputMode mean for privacy?
context (default) — brief returned, your LLM renders it. Zero ChiefLab LLM tokens, no third-party model exposure beyond what your agent already does. draft — small ChiefLab routing model produces a rough draft. full — premium model generates server-side. Each mode is opt-in per call; the default is the most private.
Where does the data live?
Postgres (Supabase, US region by default). API runtime: Vercel (us-east + edge). Object storage for generated images: Cloudflare R2. Connector tokens: Supabase with per-row encryption. Logs: Vercel native (30-day retention) + Supabase audit trail (90-day retention).
Can I delete my data?
Yes. Email hi@chieflab.io with your workspace ID; we hard-delete runs, assets, actions, memory, voice samples, and connector tokens within 7 days and confirm in writing. Self-serve delete in /app/settings is on the roadmap (see /roadmap).
Who can see my approvals?
Anyone holding the signed reviewUrl can see that single run's assets, briefs, and proposed actions — that's the point of the no-login surface (the agent shares the link with the human approver). The link is HMAC-signed with a 7-day TTL and revocable from /app. The workspace Inbox at /app requires authenticated workspace membership.
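As an added illustration (not ChiefLab's code), this is one way an HMAC-signed, expiring, revocable review link like the one described here and under "Approval-gated by default" can be issued and checked. The query parameter names, the signed message layout, the secret, the run ID alphabet and the revocation set are assumptions.

```javascript
const crypto = require("node:crypto");

const TTL_SECONDS = 7 * 24 * 60 * 60; // 7-day TTL, as stated on this page

// Hypothetical message layout: "<runId>.<expiry>". Run IDs are assumed to use
// only [A-Za-z0-9_-], so the "." separator cannot be forged from inside an ID.
function mac(secret, runId, exp) {
  return crypto.createHmac("sha256", secret).update(`${runId}.${exp}`).digest();
}

// Issue a link that carries its own expiry and a signature over ID + expiry.
function signReviewUrl(baseUrl, runId, secret, nowSec) {
  const exp = nowSec + TTL_SECONDS;
  const url = new URL(`/runs/${runId}`, baseUrl);
  url.searchParams.set("exp", String(exp));
  url.searchParams.set("sig", mac(secret, runId, exp).toString("base64url"));
  return url.toString();
}

// Verify in this order: shape, signature, expiry, revocation. The expiry is
// only trusted after the signature over it has been checked.
function verifyReviewUrl(urlString, secret, nowSec, revokedRunIds = new Set()) {
  const url = new URL(urlString);
  const m = url.pathname.match(/^\/runs\/([A-Za-z0-9_-]+)$/);
  const exp = url.searchParams.get("exp") ?? "";
  const sig = url.searchParams.get("sig") ?? "";
  if (!m || !sig || !/^\d+$/.test(exp)) return { ok: false, reason: "malformed" };
  const runId = m[1];
  const expected = mac(secret, runId, exp);
  const given = Buffer.from(sig, "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (Number(exp) <= nowSec) return { ok: false, reason: "expired" };
  if (revokedRunIds.has(runId)) return { ok: false, reason: "revoked" };
  return { ok: true, runId };
}
```

Because the link is a bearer credential, the revocation lookup is what limits exposure if it is forwarded or logged before the TTL runs out.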
Connector permissions — what we actually have access to
We will not list a connector as "live" if it is not. The list below tracks the dashboard at /app/connections and the connector reality audit committed to the repo.
| Connector | Status | Scope | Retention notes |
|---|---|---|---|
| Zernio (social publish) | Live | Write — publishes posts after explicit per-action approval | Post records persist in chieflab_actions; engagement data fetched on demand at 24h post-launch |
| Resend (email send) | Live | Write — sends emails after explicit per-action approval | Send records persist; recipient lists are stored only on the action row |
| Google Analytics 4 (read) | Live | Read-only — analyticsdata.googleapis.com | OAuth refresh token encrypted at rest; analytics responses cached on the post-launch-review run row |
| Search Console (read) | Live | Read-only — webmasters/v3 | Same as GA4 |
| HubSpot | Half-wired | OAuth completes but the snapshot read currently returns mock data — listed under 'Beta' on /roadmap and hidden from /app/connections until the read path ships | — |
| Stripe (billing) | Half-wired | Portal session creation only — no subscription webhook handler yet, so plan stays 'free' for everyone today | Stripe customer ID is stored on workspace; no PII beyond email |
| Meta Ads / Google Ads / Buffer / Salesforce / Intercom / Linear / etc. | Mock-only | Surface-shaped snapshots returned via MCP for testing — never claimed as live, hidden from /app/connections | Mock data has no real connector behind it |
Subprocessors
Third parties that touch customer data, listed by purpose. We update this list whenever it changes (we'll email workspace owners 30 days ahead of any addition).
| Provider | Purpose |
|---|---|
| Vercel | API runtime + chieflab.io static hosting |
| Cloudflare | DNS, CDN, Pages function (chieflab.io/api proxy), R2 image storage |
| Supabase | Postgres database, auth, encrypted secrets storage |
| Anthropic | Sonnet 4.6 routing + premium-tier full generation (only when caller selects outputMode: 'draft' or 'full') |
| Google (Gemini API) | Image generation when imagesNeeded > 0 (opt-in) |
| OpenAI | Optional — only when caller routes to GPT models for outputMode: 'full' |
| Zernio | Social publish (only on approved publish actions) |
| Resend | Email send (only on approved send actions) |
| Stripe | Billing portal (no charges happen today; webhook is on roadmap) |
Reporting a vulnerability
Email security@chieflab.io. We acknowledge within 72h and aim to provide a remediation timeline within 7 days. Standard responsible disclosure — please don't open a public GitHub issue. Full policy in SECURITY.md.
In scope
- chieflab.io/api/* (REST + MCP endpoints)
- chieflab.io/runs/:id (signed run viewer)
- chieflab.io/app (dashboard) and chieflab.io/keys (delivery)
- Public packages — @chieflab/cli, @chieflab/mcp-server, and @chieflab/sdk are live on npm.
Known limits we'd rather you knew up front
- Vercel cron is once-per-day on the current plan; webhook retry windows can be up to 24h until we move to Pro.
- Sending domain mail.chieflab.io is verified; onboarding@resend.dev is the bootstrap fallback when a workspace has no verified domain.
- No formal bug bounty yet — but we'll publicly credit reporters who request it.
Want this in writing for procurement?
DPA, sub-processor list, custom retention windows, SSO, audit-log export — email hi@chieflab.io. We'll quote within 24h.