checkrd
security & trust

Prompts never leave your machine.

Last reviewed 2026-05-11

Checkrd runs as a library inside your application. Prompts, completions, and request bodies never enter our network. The control plane receives signed operational metadata only, and air-gap deployments don’t use it at all.

compliance

Compliance posture.

Where we stand on each framework. We’ll only claim what we can show.

In progress

SOC 2 Type II

Audit window opens Q3 2026. Letter on request.

Aligned

HIPAA

Architecture supports BAA. Contact sales to execute.

By design

GDPR

We never process bodies, prompts, or completions.

By design

PCI-DSS

Card data structurally cannot reach the control plane.

In progress

ISO 27001

On the roadmap once SOC 2 ships.

Need our latest audit letter, BAA, or DPA? Request our security packet.

data handling

What stays local. What leaves.

The telemetry schema is enforced in code. A compile-time test fails CI if anyone adds a field that would carry sensitive content.

Stays on your machine

Never sent to Checkrd. Never sent to any external service by the proxy.

  • Request bodies (prompts, completions, user input)
  • Response bodies
  • Request and response headers
  • API keys and Authorization tokens
  • URL path segments matching PII heuristics, replaced with {id} client-side before any network call

Leaves as signed metadata

Only in cloud and self-hosted tiers. Zero network egress in the air-gap tier.

  • Timestamp
  • Agent ID
  • Host (e.g. api.openai.com)
  • HTTP method
  • Parameterized URL path (/v1/chat/completions, never /v1/users/jane@example.com)
  • Response status code
  • Response latency
  • Policy decision (allow / deny / rate-limit / halt) and the matched rule name
  • Ed25519 signature metadata (keyid, signature base, created, expires, nonce)

Every field in the telemetry schema carries a /// PII: SAFE classification enforced at compile time. Adding a new field without explicit classification fails CI.
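The client-side path parameterization listed above (segments matching PII heuristics replaced with {id} before any network call), as an added example that is not Checkrd's SDK code; the segment heuristics here are constructed for illustration and are not the SDK's actual rule set:

```python
import re
from urllib.parse import urlsplit

# Segment heuristics, constructed for this example (not Checkrd's rule set).
# A segment that looks like an e-mail address, a UUID, a long hex token, a bare
# number, or an opaque API-style id (e.g. cus_...) is treated as an identifier.
_PII_SEGMENT = re.compile(
    r"^(?:"
    r"[^@\s]+@[^@\s]+\.[^@\s]+"                                  # e-mail address
    r"|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"  # UUID
    r"|[0-9a-fA-F]{16,}"                                         # long hex token
    r"|\d+"                                                      # numeric id
    r"|(?:[A-Za-z]+_)?(?=[A-Za-z]*\d)[A-Za-z0-9]{20,}"           # opaque id containing a digit
    r")$"
)


def parameterize_path(url: str) -> str:
    """Return the URL path with identifier-looking segments replaced by {id}.

    This runs client-side, before any network call. The query string and
    fragment are dropped outright: they are not part of the metadata schema,
    so nothing in them can reach the control plane."""
    path = urlsplit(url).path or "/"
    return "/".join("{id}" if seg and _PII_SEGMENT.match(seg) else seg
                    for seg in path.split("/"))
```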

architecture

One proxy. In-process. Only metadata leaves.

The engine is a small WebAssembly module loaded into your application. Policy evaluation, rate limiting, signing, and the kill switch all run locally. No sidecar. No external proxy in the request path.

  • Your Python process: agent code · openai · anthropic · httpx
  • checkrd engine (WASM, in-process): policy · rate limit · kill switch · Ed25519 sign
  • External API (OpenAI · Anthropic · Stripe · anywhere): bodies intact
  • Control plane (SaaS, your VPC, or nothing in air-gap): receives signed metadata only

Ed25519 + RFC 9421 + RFC 9530 + DSSE · content never included · batch-signed with a 5-minute validity window

chain of custody

Cryptographic chain of custody.

Telemetry batches are Ed25519-signed before they leave the SDK, and policy bundles are signed before loading. The RFC 9421 §B.2.6 worked example runs on every pull request. The 150-vector Project Wycheproof Ed25519 suite runs on each release build via cargo test --features security_audit. Source and tests are linked below.
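The signing scheme named in the architecture caption and here (RFC 9530 Content-Digest, RFC 9421 signature base with created/expires/keyid/nonce, 5-minute validity window), as an added example that is not Checkrd's code: it builds the signature base the Ed25519 key would sign and applies the verifier-side window and nonce checks. The /v1/telemetry path, the sdk-key-01 key id, the batch contents and the 60-second skew tolerance are assumptions; the Ed25519 signing call itself is left to a crypto library.

```python
import base64
import hashlib
import time

VALIDITY_WINDOW = 300  # seconds: the 5-minute window described on the page
SKEW_TOLERANCE = 60    # seconds of tolerated clock skew on `created` (assumed, not from the page)
# Constructed telemetry batch carrying only the page's metadata fields: no body, no headers.
BATCH = (b'[{"ts":"2026-05-11T10:00:00Z","agent_id":"agent-7","host":"api.openai.com",'
         b'"method":"POST","path":"/v1/chat/completions","status":200,"latency_ms":812,'
         b'"decision":"allow","rule":"default-allow"}]')

def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest field value: sha-256=:<base64 of SHA-256(body)>:"""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def signature_base(method, authority, path, body, keyid, created, expires, nonce) -> bytes:
    """RFC 9421 signature base over @method, @authority, @path and Content-Digest,
    ending with the @signature-params line. These bytes are what the Ed25519 key
    signs; the signing call itself belongs to a crypto library and is not shown."""
    covered = [("@method", method), ("@authority", authority),
               ("@path", path), ("content-digest", content_digest(body))]
    params = ("(" + " ".join(f'"{n}"' for n, _ in covered) + ")"
              + f';created={created};expires={expires};keyid="{keyid}"'
              + f';nonce="{nonce}";alg="ed25519"')
    lines = [f'"{n}": {v}' for n, v in covered] + [f'"@signature-params": {params}']
    return "\n".join(lines).encode()

class ReplayGuard:
    """Verifier-side checks on the signature parameters, run before the Ed25519
    verification. Nonces are remembered only until their `expires` passes."""
    def __init__(self):
        self._seen = {}  # nonce -> expires

    def check(self, created: int, expires: int, nonce: str, now=None) -> str:
        now = time.time() if now is None else now
        self._seen = {n: e for n, e in self._seen.items() if e > now}  # evict expired nonces
        if expires - created > VALIDITY_WINDOW:
            return "reject: window longer than 5 minutes"
        if created > now + SKEW_TOLERANCE:
            return "reject: created in the future"
        if now > expires:
            return "reject: expired"
        if nonce in self._seen:
            return "reject: nonce replayed"
        self._seen[nonce] = expires
        return "ok"

if __name__ == "__main__":  # stand-alone demo with constructed values
    print(signature_base("POST", "api.checkrd.io", "/v1/telemetry", BATCH, "sdk-key-01",
                         1778493600, 1778493600 + VALIDITY_WINDOW, "nonce-1").decode())
```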

access control

Access control.

Every change is logged. Permission checks read against the live database. Organization-wide rules cannot be overridden by an individual team.

sso and api keys

SSO and API keys

Dashboard sign-in via WorkOS (SAML, OIDC) with short-lived sessions. Agent access via API keys with revoke-on-demand. Sessions and keys can be invalidated immediately.

roles and guardrails

Roles and guardrails

Four roles (owner / admin / member / viewer) re-checked against the database on every change. Organization-wide policy rules apply top-down so a single team can't loosen them by accident.

audit log

Audit log

Every change is logged with actor, action, resource, IP, and timestamp. Searchable by resource, actor, or date range from the dashboard or API.

deployment

Deployment options.

Three options that match different compliance boundaries. None of them make Checkrd a data processor for your agent traffic.

cloud saas

Cloud SaaS

Default. Fastest to set up.

Control plane: Checkrd-managed AWS (us-east-1)
Network egress: Signed metadata to api.checkrd.io over TLS 1.2+
Data processor: No, we do not process bodies or prompts
Policy distribution: DSSE-signed policy bundles over HTTPS
Kill switch: SSE + polling fallback
Telemetry destination: Checkrd ClickHouse Cloud (encrypted at rest)

self-hosted control plane

Self-hosted control plane

Your VPC. Your compliance boundary.

Control plane: Your AWS account or on-prem cluster
Network egress: Signed metadata to your own endpoint
Data processor: No
Policy distribution: DSSE-signed policy bundles over your HTTPS
Kill switch: SSE + polling fallback
Telemetry destination: Your ClickHouse or Postgres

air-gapped

Air-gapped

Zero network calls. Sensitive environments.

Control plane: None
Network egress: Zero
Data processor: No
Policy distribution: File-system only (mtime-polled)
Kill switch: Sentinel file (file-watcher)
Telemetry destination: Local JSON sinks

subprocessors

Subprocessors.

Every external service that processes account-related data. None of them see prompts, completions, or request bodies. That data never leaves your machine.

Amazon Web Services

Compute, storage, primary database

Region: us-east-1
Data category: Operational metadata, customer org records

ClickHouse Cloud

Telemetry analytics database

Region: us-east-1
Data category: Operational metadata only, no prompts, completions, or PII

WorkOS

Authentication, SSO, SCIM

Region: United States
Data category: Email addresses, session tokens

Stripe

Subscription billing

Region: United States
Data category: Billing contact, payment metadata (Stripe holds card data)

Vercel

Dashboard + marketing site hosting

Region: Global edge
Data category: Static assets, browser sessions for the dashboard

Sentry

Frontend error monitoring (dashboard / website)

Region: United States
Data category: Error events from the dashboard UI, no telemetry payloads

Grafana Cloud

Backend tracing + logs (Mimir / Tempo / Loki)

Region: United States
Data category: Operational metrics from Checkrd services, no customer events

AWS SES

Transactional and alert email

Region: us-east-1
Data category: Email addresses, alert subject/body

We notify enterprise customers in advance of any addition. Self-hosted and air-gap deployments use only the subprocessors you choose to integrate.

responsible disclosure

Report a vulnerability.

Responsible disclosure is welcome. We aim to respond within 48 hours and triage within 7 days. Reporters are acknowledged publicly with their permission.

Please don’t include proof-of-concept payloads in the initial email. We’ll respond with a secure channel for submission.