Security

How Blacksight protects your organization's data.

Last updated: May 4, 2026

Our approach

Blacksight is built around one principle: your sensitive data never leaves your control.

All DLP scanning runs locally on your machines — prompt content is never sent to our servers.
Only metadata (verdicts, timestamps, destinations) reaches our platform to power dashboards and reports.
We do not use third-party AI services to process your data.

Infrastructure

Dedicated infrastructure managed by our team
All traffic encrypted in transit (TLS 1.2+)
Data encrypted at rest
WAF protection against common attack vectors
Nightly encrypted backups
Internal services are not publicly exposed

Access control

Multi-factor authentication
Role-based access control with organization-level data isolation
Passwords are salted and hashed using industry-standard algorithms
Brute-force and credential-stuffing protections

Data we store

Category	Examples	Retention
Account data	Name, email, org name	Until account deletion
Scan metadata	Verdict, destination, detector, timestamp	90 days (configurable)
Audit logs	Login events, policy changes	1 year

Data we never store

The content of prompts sent to AI tools
Screenshots, keystrokes, or clipboard contents
Browsing history unrelated to AI tool usage

Compliance

GDPR-ready — data minimization by design, right to erasure supported
CCPA-ready — we do not sell personal information
SOC 2 Type II — in progress

Data deletion

Request complete data deletion at any time by contacting [email protected]. We process requests within 7 business days.

Incident response

If a security incident affects customer data, we notify affected organizations within 72 hours and provide a full incident report within 14 days.

Responsible disclosure

If you discover a vulnerability, email [email protected]. We acknowledge reports within 2 business days and will not pursue legal action against good-faith researchers.

Contact

For security questions or compliance documentation: