Security & Privacy

Privacy by architecture. Not bolted on after.

Unlike platforms that capture and store screenshots, TNDRL captures the structure of work — application patterns, decision logic, timing, and workflow variants — not the underlying business data. PII, financial data, and health records never leave your perimeter.

Three tiers. You control what moves.

Tier 3: Object References (admin-policy-gated)
Tier 2: Field Metadata (configurable)
Tier 1: Metadata (default-on)

Tier 1 — Metadata Only (default-on)
What TNDRL analyzes
Application names, field names, timing, decision logic, workflow variants. No PII. No screenshots. Field values never leave your environment. This is the structural signal that powers automation readiness scoring and drift detection. Syncs continuously to cloud for real-time analysis. On by default for every deployment.
Tier 2 — Field Metadata (configurable)
Optional enrichment
Field names, field types, normalized steps, smart-masked temporal patterns. Field values are not captured. Created by the semantic proxy packager before transmission. Syncs on schedule — you control the frequency and which workflows it runs against. Available for organizations that need deeper behavioral analysis without expanding what crosses the perimeter.
Tier 3 — Business Object References (admin-policy-gated)
Highest-trust deployments
Tenant-scoped business object references — claim IDs, invoice numbers, ticket IDs — enriched with PII masking. Captured only when an admin policy explicitly enables it for a specified workflow scope, gated by per-deployment legal review (SC-3). Available either on-premise or in tenant-isolated cloud, depending on the security posture you require. Never on by default. Never enabled without explicit per-workflow admin policy.

What TNDRL does NOT capture

Our architecture excludes sensitive data by design, not as an afterthought.

No Screenshots

We capture what you did (the application, the step, the outcome) — not what was on screen. No vision processing. No full-resolution captures.

No Keystroke Logging

We don't record or transmit raw keyboard input. Field names and metadata flow through our pipeline — not the text people typed.

No Raw PII Transmission

Sensitive data is classified and masked at the collection point. Only the structural signal travels to the cloud. Masking rules are configurable.

No Financial Data Egress

Credit card patterns, account numbers, and transaction amounts are detected and redacted at the source. Cloud never sees payment card data.

No Health Records Storage

PHI is never stored in the cloud by default. HIPAA-adjacent workflows are observable through anonymized behavioral patterns only.

No Personal Data Hoarding

We capture work execution patterns, not personal details. Data retention policies are granular and configurable per tier.

Collection happens at the source

Fiber (desktop app + Chrome extension) runs on the processor's machine. Classification, masking, and tiered packaging happen at the source — before any data leaves the machine. The cloud only receives what your policy allows.

[Diagram: Desktop and Browser -> Fiber (classify + mask) -> Tier 1/2 egress -> Cloud Analytics. Tier 3 stays local.]

Masking is applied before transmission. Every field type (credit card, SSN, email, phone, date of birth, medical record number) has a detection and redaction rule. Custom patterns are supported for organization-specific sensitive data. All masking happens on the collection machine — cloud never sees the original value.
Encryption in transit. All data transmitted from Fiber to cloud is encrypted with TLS 1.3. Collection can be configured to use a customer-managed encryption key for further control.
Collection is centrally governed. Processors don't control what gets collected. Collection behavior is managed from the web app — schedules, data tiers, masking rules, retention policies all come from central configuration distributed to the fleet.

Architected for regulated environments

HIPAA
Designed for PHI-adjacent environments. Behavioral metadata collection avoids PHI capture by design. No screenshots means no embedded medical data. Architecture minimizes PHI exposure by observing behavioral structure rather than health record content. Formal BAA availability on the certification roadmap.
PCI DSS
No cardholder data captured or stored. Smart masking detects and redacts credit card patterns at the source using Luhn algorithm validation. Architecture minimizes PCI exposure by avoiding cardholder data capture and applying source-side detection. Formal attestation on the certification roadmap.
SOC 2
Audit trail for all data access, collection policy changes, and enforcement decisions. Immutable logging of who accessed what and when. SOC 2 Type II attestation on the certification roadmap — architecture designed around SOC 2 trust service criteria.
GDPR / CCPA
Data minimization by architecture. Collection captures operational structure, not personal data. Right to deletion supported — purge individual behavioral records on request. Data residency options available (EU, US, or on-premise).
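
The source-side masking described above (a detection and redaction rule per field type, Luhn validation for card numbers, custom patterns) can be sketched as follows. This is an added example, not TNDRL's code: the function names, the redaction tokens, the regexes, the sample record and the MBR- member-ID pattern are all assumptions.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _mask_card(match: re.Match) -> str:
    # Redact only candidates that pass Luhn, so order or invoice numbers
    # of card-like length are not all rewritten as cards.
    digits = re.sub(r"\D", "", match.group())
    return "[CARD]" if luhn_valid(digits) else match.group()

def mask_value(text: str, custom_patterns=()) -> str:
    """Apply built-in rules, then organization-specific (label, regex) rules."""
    text = CARD_CANDIDATE.sub(_mask_card, text)
    text = SSN.sub("[SSN]", text)
    text = EMAIL.sub("[EMAIL]", text)
    for label, pattern in custom_patterns:
        text = re.sub(pattern, f"[{label}]", text)
    return text

def mask_record(record: dict, custom_patterns=()) -> dict:
    """Mask every string field of a record before it is packaged for egress."""
    return {k: mask_value(v, custom_patterns) if isinstance(v, str) else v
            for k, v in record.items()}

# Constructed sample input; the member-ID pattern is a hypothetical custom rule.
CUSTOM = [("MEMBER_ID", r"\bMBR-\d{6}\b")]
SAMPLE = {"app": "BillingPortal", "step": 3,
          "note": "Card 4111 1111 1111 1111, SSN 123-45-6789, jane@example.com, "
                  "ref 1234567812345678, member MBR-004211"}

if __name__ == "__main__":
    print(mask_record(SAMPLE, CUSTOM))
```

A random digit string of card length passes the Luhn check about one time in ten, so some non-card numbers are still redacted; the rule errs toward over-masking rather than letting a card number through.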

Deploy on your terms

Cloud Analytics

Fiber collects on-premise. Tier 1 + Tier 2 sync to TNDRL cloud for analysis and governance. Real-time workflow modeling, scoring, and drift detection. Most customers start here.

Hybrid

Collection and processing on-premise. Only aggregated insights and policy decisions sync to cloud. For organizations with strict egress policies or data residency requirements.

Full On-Premise

Everything runs within your perimeter — collection, analysis, governance, enforcement. For highly regulated environments (financial services, government, healthcare) requiring complete data sovereignty.

Security comparison: TNDRL vs. screenshot platforms

Dimension | TNDRL | Screenshot Platforms
Data Captured | Behavioral metadata | Full screenshots
PII Exposure Risk | None by design | High — screenshots contain visible PII
Compliance Friction | Low — no sensitive data leaves perimeter | High — screenshot storage creates audit burden
CISO Review Burden | Lower — metadata-first, source-side masking | Higher — screenshot storage creates audit scope
Data Retention | Configurable per tier; metadata-only by default | Centralized storage of all captures
On-Premise Option | Yes — full stack available | Limited or not available
HIPAA Architecture | Designed to avoid PHI capture — no screenshots, no health data egress | Screenshots capture everything visible, including PHI
PCI DSS Architecture | No cardholder data captured — Luhn detection and masking at source | Screenshots may contain visible payment card data

Ready to review TNDRL's security architecture?

We provide a security review packet covering architecture, data flows, deployment models, encryption, access controls, and collection governance. Available for your CISO or security team upon request.