Privacy Policy
At Lateralus Labs, LLC ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, protect, and handle your information when you use DropOps.
DropOps is a Zero Trust AI Execution platform with Just-in-Time Privileges and Local-First Audit Architecture (LFAA) that requires human approval for all operations. By default, your sensitive operational data remains on your Operators and never transits through our cloud infrastructure.
Your Conversations Are Always Private
Your conversations are always private to you - your data is never used for anything else but to improve your personal experience and relationship with your DropOps agent.
We'll soon have an option to opt in to anonymously contributing to responsible AI research.
Local-First Audit Architecture (LFAA)
By default, command outputs, conversation history, and file mutations are stored locally on your Operators - not in our cloud. Our cloud receives only metadata (hashes, sizes, timestamps) for integrity verification. When the AI needs full data, it retrieves it on-demand via ephemeral transfers that are not persisted in our systems.
The Cloud handles routing. The Operator handles retention.
1. Information We Collect
Account Information (Stored in Cloud)
- Email address and authentication credentials (via Google OAuth)
- Name and profile picture (from Google OAuth)
- Organization details and team memberships
- Billing and payment information (processed by Stripe - we never see full card numbers)
- Account preferences and settings
- Subscription tier and usage limits
Data Stored Locally on Your Operators (LFAA - Default)
- Audit Vault (SQLite): Full command stdout/stderr, conversation history, AI reasoning, execution logs
- Ledger Mirror (Git): File mutation history with cryptographic commit hashes for integrity verification
- Timestamps, execution IDs, and context for all operations
- This data never leaves your Operator unless explicitly requested by the AI for processing
Operational Metadata (Transmitted to Cloud)
- Natural language requests you submit (scrubbed by Sentinel before reaching AI)
- AI-generated responses and operation proposals
- Your approval or rejection decisions
- Command metadata: exit codes, execution timestamps, output hashes and sizes (NOT actual output content)
- System fingerprints and Operator heartbeat metrics (CPU, memory, disk, uptime)
- Intent permission grants for Cloud Operators
Sentinel: Zero-Trust Data Scrubbing
Before ANY data reaches our cloud AI, it passes through Sentinel, a zero-trust scrubber that removes 30+ categories of sensitive information: IP addresses, credentials, API keys (AWS, GitHub, Slack, Stripe, etc.), private keys, JWTs, emails, SSNs, credit cards, phone numbers, connection strings, and more. Patterns are aligned with AWS Macie and Google Cloud DLP standards.
Audit Records
Because all operations require your manual approval, we maintain complete audit records:
- On Your Operators (LFAA): Full conversation history, command outputs, file changes with git hashes
- In Our Cloud: Approval decisions, command metadata (hashes, sizes), timestamps, user identity
Audit records are immutable, timestamped, and include both human instructions and AI reasoning. Local records are encrypted with your API key.
Usage Analytics
- Feature usage patterns (aggregated)
- Performance metrics and error logs (PII automatically redacted)
- Service reliability data
- System diagnostics
2. How We Use Your Information
Service Delivery
- Process your requests and provide AI-generated recommendations
- Execute operations you manually approve
- Maintain audit trails for compliance and security
- Authenticate and authorize your access
- Provide customer support
Your Personal Experience Improvement
- Improve your personal AI agent's accuracy and helpfulness for your specific needs
- Learn your preferences and infrastructure patterns
- Develop features based on aggregated, anonymized usage patterns (not your specific data)
- Identify and fix bugs in the platform
- Optimize performance and reliability
Your conversations and operations are used only to improve your personal DropOps agent, not to train models or improve service for other customers.
Safety & Governance
- Detect and prevent misuse of the platform
- Ensure compliance with our governance frameworks
- Investigate security incidents
- Improve safety controls and approval mechanisms
Legal & Compliance
- Comply with legal obligations
- Respond to legal requests and prevent fraud
- Enforce our Terms of Service
- Protect rights, property, and safety
3. How We Protect Your Information
Encryption in Transit
All external traffic uses TLS 1.3. Redis connections use TLS (rediss://). Internal service communication uses HTTPS. Operators use mTLS with certificate pinning.
Encryption at Rest
Cloud data uses GCP-managed encryption. Session sensitive fields use AES-256-GCM application-level encryption. Local LFAA storage uses API key-derived envelope encryption with HKDF-SHA256 key derivation.
Access Controls
Strict role-based access controls limit who can access your data. We strongly recommend enabling multi-factor authentication on your Google account used for DropOps access.
Replay Protection
All operator requests include timestamps validated within a 5-minute window. Duplicate nonces are rejected to prevent replay attacks.
Rate Limiting
Per-API-key and per-IP rate limits protect against brute force and denial-of-service attacks across all endpoints.
Audit Logging
All access to your data is logged and monitored. PII is automatically redacted from application logs. Audit records are immutable and timestamped.
Infrastructure Security
Hosted on Google Cloud Platform with Cloud Armor WAF, network isolation, and regular security audits. Operators use outbound-only connections with zero inbound ports.
Vendor Security
Third-party services (Google Cloud, Stripe) are vetted for security and compliance. We use Vertex AI with data processing terms that prevent training on customer data.
Sentinel Data Scrubbing
30+ scrubbing patterns filter sensitive data (credentials, IPs, PII) before cloud transmission. Patterns aligned with AWS Macie and Google Cloud DLP standards.
4. Information Sharing
We do not sell your data. Period.
Your operational data, infrastructure details, and audit records are never sold to third parties.
Your conversations and operations are never shared with other customers or used to improve anyone else's experience. Your data stays yours.
We may share information with:
Service Providers
- Google Cloud: Infrastructure hosting and AI models
- Stripe: Payment processing
- Authentication providers: OAuth and identity verification
All service providers are bound by data processing agreements and are limited to processing data solely for service delivery.
Legal Requirements
We may disclose information if required by law, legal process, or government request, or to protect rights, property, and safety.
Business Transfers
If Lateralus Labs is acquired or merged, your information may be transferred. We will notify you and ensure continued privacy protections.
With Your Consent
We may share information for other purposes with your explicit consent.
5. Data Retention
We retain your information for as long as necessary to provide the service and comply with legal obligations:
Cloud-Stored Data (Our Systems):
- Account data: Retained while your account is active, plus 90 days after deletion
- Cloud audit records: Retained for 7 years for compliance and security purposes
- Session data: 8 hours idle timeout / 24 hours absolute maximum
- Operational metadata: Retained for 2 years or as needed for service improvement
- Analytics data: Aggregated and anonymized after 1 year
Locally-Stored Data (Your Operators - LFAA):
- Audit Vault: Default 90 days retention, max 2GB database size (configurable)
- Ledger Mirror: Git history retained indefinitely until manually pruned
- Output truncation: Large outputs (>100KB) are automatically truncated to head/tail
- You control retention: Local data retention is entirely under your control
Your Responsibility:
Local LFAA data on your Operators is YOUR responsibility. We have no access to data stored locally on your systems. You are responsible for backup, retention policies, and secure disposal of local audit data.
Some cloud data may be retained longer to comply with legal, tax, or regulatory requirements.
5.5. Cloud Operator Data (AWS)
If you use Cloud Operators (AWS), additional data considerations apply:
Data in Your AWS Account:
- CloudTrail logs of all AWS API calls made by the Cloud Operator
- IAM role configurations and permission boundaries
- EC2 instance metadata and CloudWatch metrics
- All LFAA data stored on the EC2 instance's local storage
Data We Receive:
- Intent permission grant requests and approvals
- Operator heartbeat and connection status
- Command metadata (NOT AWS credentials or resource data)
Zero Access to Your AWS Account:
Lateralus Labs has NO access to your AWS account, credentials, or resources. The Cloud Operator runs entirely within your AWS environment. We cannot see, access, or control your AWS resources. All AWS actions are taken by the Operator Role in YOUR account.
6. Your Rights & Choices
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update inaccurate or incomplete information
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Export: Download your audit records and operational data
- Opt-out: Decline non-essential communications
- Object: Object to certain processing activities
To exercise your rights:
Email privacy@dropops.ai with your request. We will respond within 30 days.
7. Cookies & Tracking
We use cookies and similar technologies for:
- Authentication: Keep you logged in
- Preferences: Remember your settings
- Security: Detect and prevent fraud
- Analytics: Understand how you use DropOps (anonymized)
You can control cookies through your browser settings. Note that disabling essential cookies may affect service functionality.
8. Third-Party Services
DropOps integrates with the following third-party services:
Service Providers We Use:
Google Cloud Platform
Infrastructure hosting, Firestore database, Redis via Memorystore, Secret Manager, Cloud Armor WAF. Data encrypted at rest and in transit.
Google Vertex AI (Gemini)
AI model provider. We use data processing terms that prevent training on customer data. User messages are scrubbed by Sentinel before transmission.
Stripe
Payment processing. We never see or store your full credit card numbers. Stripe is PCI-DSS compliant.
Slack (Optional)
If you connect DropOps to Slack, we receive message content from channels where the DropOps app is mentioned. Slack requests are verified via HMAC-SHA256 signature.
Services You Connect:
Important:
- You control what services DropOps can access (AWS, cloud providers, etc.)
- Cloud Operators run in YOUR AWS account - we have no access to your AWS resources
- All operations require your manual approval before execution
- Third-party services have their own privacy policies
- We are not responsible for third-party privacy practices
9. AI & Machine Learning
DropOps uses AI models to generate recommendations. Here's how your data is used:
Request Processing
Your natural language requests are processed by AI models (Google Gemini via Vertex AI) to generate operation proposals. These proposals require your approval. User messages are scrubbed by Sentinel before reaching the AI.
Your Personal Experience Only
Your conversations and operations are used solely to improve your personal DropOps agent - learning your preferences, understanding your infrastructure, and becoming more helpful to you specifically.
No Training on Your Data
We use Google's Vertex AI with data processing terms that prevent training on customer data. Your specific operations and conversations are not used to train public AI models or improve service for other customers.
Ephemeral Data Retrieval
When the AI needs command output stored locally on your Operator (via LFAA), it retrieves data on-demand. This data is processed ephemerally and is NOT stored in our cloud systems.
Future: Optional Research Contribution
We're building an opt-in program where you can choose to anonymously contribute to responsible AI research. This will be entirely voluntary, and you'll have full control over what, if anything, you share.
9.5. Data Sovereignty Transparency
We provide tools for you to verify our data sovereignty claims:
Data Sovereignty Dashboard
Available at /audit, this dashboard provides a visual data flow diagram showing exactly what data stays local vs. what is transmitted to our cloud.
Live Transmission Monitor
Real-time visibility into data flow showing local bytes vs. transmitted bytes for each operation, with content hashes for integrity verification.
Open Source Operator
The DropOps Operator binary allows you to audit exactly how Sentinel and LFAA work. You can verify our data handling claims through code inspection.
Local Audit Vault Inspection
Your local SQLite database at .dropops/data/dropops.db can be queried directly to verify what data is stored on your Operators.
10. Children's Privacy
DropOps is not intended for use by individuals under 18 years of age. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us immediately at privacy@dropops.ai.
11. International Data Transfers
DropOps is operated from the United States. If you access DropOps from outside the U.S., your information will be transferred to, stored, and processed in the United States.
We use standard contractual clauses and other mechanisms approved by regulatory authorities to ensure appropriate safeguards for international data transfers.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect and how it's used
- Right to delete personal information (subject to exceptions)
- Right to opt out of the sale of personal information (we don't sell your data)
- Right to non-discrimination for exercising your rights
To exercise these rights, contact privacy@dropops.ai or call our toll-free number (available upon request).
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. We will notify you of material changes via email or in-product notification.
Continued use of DropOps after changes constitutes acceptance of the updated Privacy Policy. If you disagree with changes, you may terminate your account.
Contact Us
Questions, concerns, or requests regarding this Privacy Policy?