Data Practices

Last updated: April 15, 2026 · Technical overview for security and compliance teams

This document describes how LogionOS processes customer data when you use the compliance API, proxy, SDKs, and related integrations. It complements our Privacy Policy with implementation-level detail. For contractual terms, see our Terms of Service and, where applicable, your Data Processing Agreement (DPA).

1. Data flow overview

When your application sends a request through LogionOS (for example via the REST API, an SDK, middleware, or the hosted proxy), the full query text is used in memory to run the compliance engine and produce a result for your app. Persistent records on LogionOS infrastructure use a one-way fingerprint of the query—not the raw query text—alongside compliance outcomes and audit metadata, as described in Section 3.

Optional paths (such as BYOK AI Judge or opt-in telemetry) only apply when you explicitly enable them.

Your AI App  →  LogionOS Proxy / SDK  →  Compliance Engine  →  Result
                                          │
                                          ▼
                                   Audit Log (hash only)
                                          │
                                          ▼ (opt-in)
                                   Anonymized Telemetry

2. What we receive

For a typical compliance check, we receive and process:

Query text — The prompt or content you submit for analysis (in transit and in volatile memory during evaluation).
Jurisdiction — The legal or policy context you select (for example region or rule pack identifier).
Metadata — Technical fields needed to operate the service, such as API authentication, request timestamps, correlation identifiers, client version, and error diagnostics where applicable.

3. What we store

Our audit and reporting layer is designed to avoid retaining reversible query content. Stored artifacts include:

query_hash — SHA-256 hash of the query; we persist only the first 16 hexadecimal characters as a stable, non-reversible fingerprint for deduplication and audit correlation.
Compliance results — Structured outputs such as matched rules, risk scores, recommended actions, and similar fields returned to your integration.
Audit metadata — Timestamps, account or workspace identifiers, API route, jurisdiction selection, and related operational fields required for compliance reporting and support.

We do not store the full query text in this audit store. Raw query content exists only for the duration needed to compute the result unless a separate optional feature (see Section 4) sends it to your own provider.

4. What we send to LLMs

LogionOS does not route your query to a large language model for the core compliance engine unless you enable BYOK (“bring your own key”) AI Judge or an equivalent customer-configured integration.

When BYOK AI Judge is active, the full query may be sent only to the LLM endpoint you configure (your own API keys and vendor relationship). You remain the data controller for that transmission; LogionOS acts as directed by your configuration. If BYOK is off, query text is not sent to third-party LLM providers by LogionOS for that purpose.

5. Opt-in compliance intelligence

We may offer anonymized telemetry to improve models and rule quality—for example aggregate signal about false positives or coverage gaps. Any use of request-derived signal for model training or product analytics beyond essential service operation is opt-in only, with clear consent in the product or contract. You can withdraw consent according to the controls we provide for your workspace.

6. What we never do

We do not sell customer data or compliance content.
We do not share your compliance queries or results with unrelated third parties for their own purposes.
We do not store raw PII values as part of the compliance audit fingerprint model described above; your applications should avoid sending unnecessary personal data in prompts, and should follow your own minimization policies.

7. Integration modes

Data enters LogionOS through different integration surfaces; the storage and LLM rules in Sections 2–5 apply consistently once a request reaches our compliance engine.

Mode	What typically flows in	Notes
REST API	Query text, jurisdiction, headers (auth), JSON metadata	Direct HTTPS; same audit hash and result storage model.
SDK (Python / JS·TS)	Same payload fields as the API; wrapped by library	Credentials stay on your side except API keys you configure for LogionOS.
Middleware	Intercepted request body or derived prompt text from your stack	Your server forwards to LogionOS; you control logging upstream.
Proxy	Traffic mirrored or forwarded from your AI app through LogionOS edge	Path depends on deployment; TLS terminates per your architecture.

8. Enterprise options

On-premises deployment — Run the compliance stack inside your environment so query text, hashes, and audit data remain under your infrastructure and policies.
Custom DPA — We can align subprocessors, regions, retention, and security exhibits with your procurement and legal requirements. Contact us to execute an enterprise agreement.

For questions about this document or your deployment, email chris@logionos.com.