DomainGuard Monitor — Privacy Policy

Effective: 2026-05-22

Applies to: the DomainGuard Monitor browser extension (v1.9.9), native agent (v1.9.9), and dashboard backend (v1.9.9).

DomainGuard Monitor is an enterprise endpoint visibility tool distributed by your organization's IT or security team. It is not a consumer product. This policy describes what the software collects from your browser, where that data goes, and how long it is kept.

If you are an end user reading this because the extension is installed on your work browser: your employer (the "Organization") operates the backend and the dashboard. The Organization is the data controller. Anthropic is not involved.

1. What we collect

The extension reports the following to the backend operated by your Organization:

Per-event (recorded as you browse)

• URL visited — full URL of pages you navigate to in the main frame
• Domain — derived from the URL
• Page title — first 250 characters
• Timestamp of the event
• Dwell time — how long the page was the active tab, in seconds
• Event type — one of: visit, clipboard_paste, file_upload
• Automation flag — whether the page exhibits Selenium / Puppeteer / Playwright signals
• Policy enforcement context — if a configured policy blocked, warned, or logged the event

Clipboard paste events (DLP)

When you paste text of 8 characters or more into a web page, the extension scans the pasted text in your browser for known-pattern secrets and PII. It then reports:

• Length of the pasted text
• Preview — at most the first 300 characters, used by the server to re-scan for sensitivity
• Sensitivity verdict — class names that matched, severity level (low / medium / high / critical), and a short redacted sample of the match. The detector recognises 15 pattern families as of v1.9.0: AWS access keys, OpenAI / Anthropic / Google / Slack API tokens, GitHub PATs, Stripe live keys, JWTs, PEM private keys, US SSNs, Luhn-validated credit card numbers, dump-style email lists, database connection strings, and high-entropy strings consistent with secret material.

We do not send the full pasted text. The full text is only scanned locally in your browser and discarded.

File upload events (DLP)

When you select files for upload to a web page, the extension reports:

• File names (truncated)
• File sizes and MIME types
• The target site URL and domain

We do not read, upload, or transmit file contents.

Per-heartbeat (every ~2 minutes)

• Machine ID — a stable identifier provided by the native agent if installed, otherwise a random UUID generated on first run
• Hostname of your computer
• Operating system name and version
• Browser name (Chrome / Edge) and version
• Extension version and agent version

What we explicitly do NOT collect

• Cookies, session tokens, or stored passwords
• Form-field contents (other than the clipboard paste preview described above)
• File contents from uploads
• Keystrokes, mouse movements, or screen contents
• Browsing inside Incognito / Private windows (the extension does not run there unless an admin explicitly enables it)
• Any data from pages whose URL begins with chrome://, chrome-extension://, edge://, about:, file://, data:, javascript:, or blob:

Optional agent-side AI tool visibility (v1.9.0+)

If your Organization has installed the optional native agent and your group's ai_monitor feature flag is enabled, the agent reports discovered AI development tools running on the same machine (process name, install path, vendor, last-seen timestamp). Examples: Cursor, Claude Desktop, Cline, Continue.dev, Aider, GitHub Copilot, OpenAI Codex CLI, Anthropic Claude Code CLI. Discovery does not read prompts, code, or any data inside those tools. It only identifies that they exist. If your group's proxy_enabled flag is additionally enabled, the agent inspects outbound HTTPS to known AI providers (OpenAI / Anthropic / Google AI etc.) on the same loopback proxy and applies the same DLP detector described above to outbound prompt bodies — the same data types listed in "Clipboard paste events (DLP)" apply. Detect-only is the default for both flags on new groups; nothing is enforced or blocked until your admin explicitly turns enforcement on.

2. How it is transmitted

• All data travels over HTTPS/TLS between the extension and the backend.
• The extension authenticates to the backend with a tenant-scoped API key issued by the Organization's admin. The key is stored in chrome.storage and is not visible to web pages.
• The extension also talks to a local helper agent on 127.0.0.1:27182 (loopback only — no external network) to fetch the machine's stable hostname. No browsing data is sent to the local agent.

3. Where it is stored

• All event data is stored in a database operated by your Organization. The default deployment stores data in a self-hosted SQLite database; your Organization may host this on Railway (default), AWS, on-premises, or any other infrastructure of its choice.
• The Organization's admin can configure the region in which data is stored.

Anthropic does not receive, see, or store any DomainGuard event data.

4. How long it is kept

• The backend enforces a configurable retention window controlled by the DATA_RETENTION_DAYS setting. The default is 90 days. Events older than the configured retention are deleted by an internal sweeper.
• Your Organization may shorten or extend this period. Check with your IT/security team for the policy in effect.

5. Who has access

• Organization administrators — users authenticated to the DomainGuard dashboard can see events from machines in their tenant. They cannot see events from other organizations.
• Webhook subscribers — if your Organization configures webhooks, summarized event metadata may be delivered to external systems (e.g. a SIEM). Webhook payloads are HMAC-signed.
• No third parties — DomainGuard does not share, sell, or rent collected data to anyone. There are no advertising trackers, analytics SDKs, or marketing pixels in the extension.

6. Your rights

If you are an end user, contact your Organization's IT or security team to:

• See what data has been collected from your machine
• Request correction or deletion
• Understand what policies are being enforced on your browser
• Object to processing

DomainGuard does not have a direct relationship with end users; your rights are administered by the Organization that deployed the software.

Compliance evidence packages (v1.8.0+)

Your Organization can generate signed compliance evidence bundles (tar.gz archives) from the DomainGuard dashboard. These bundles include audit-log segments, policy snapshots, machine inventory, sensitivity-detection summaries, and per-framework coverage assessments for SOC 2, CMMC L2, ISO 27001, NIST CSF 2.0, NIST 800-53 Rev. 5, OWASP LLM Top 10, OWASP Agentic AI Top 15, MITRE ATLAS, and EU AI Act. Bundles are Ed25519-signed; the public verification key is published at /api/compliance/pubkey/:tenantId so external auditors can verify offline. Bundle contents may include event records that reference your activity (URLs, sensitivity verdicts, machine identity). Your Organization controls who can generate, download, and share these bundles.

Tamper-evident audit log (v1.7.0+)

Every administrator action against your tenant (policy changes, user invites, token rotations, bundle generations) is recorded in a SHA-256 hash-chained audit log. This means your Organization (and any auditor your Organization shares evidence with) can verify that the historical record of administrative activity has not been altered after the fact. The chain cannot be tampered with without breaking verification.

7. Security

• TLS in transit
• Per-tenant API keys, rotatable from the dashboard
• Bcrypt-hashed admin passwords, JWT-based session auth for dashboard users
• Rate limiting on auth and ingest endpoints
• Per-tenant data isolation enforced at the SQL layer
• The local helper agent listens only on loopback (127.0.0.1) and does not accept external connections

8. Consent & disclosure

On first activation, the extension shows a one-time disclosure summarizing what it monitors. Monitoring does not begin until the disclosure is acknowledged. If your Organization deploys the extension via managed install (GPO / Intune / Google Admin Console), the deployment itself is the disclosure pathway — your Organization is responsible for notifying employees that endpoint monitoring is in effect.

9. Changes

We may update this policy. The Effective date at the top of this document reflects the most recent revision. Material changes will be announced via the dashboard's release notes.

10. Contact

Questions about how your Organization uses DomainGuard: contact your Organization's IT or security team.

Questions about DomainGuard itself (the software): open an issue on the project repository.