Trust

No black boxes.
Ask us anything.

Here's how this all works. Read on.

02 · Scope

What Spotlight sees, and what it doesn't

Spotlight sees what your coding agents do inside Claude Code and Codex sessions, and nothing else.

Sees, inside those sessions:
Files the agent touched
Commands it ran
Domains and APIs it reached
MCP servers, Skills, and subagents it loaded

Doesn't see anything outside them:
Other repos, other terminals, other apps
Your filesystem, email, browser, or calendar
Sessions on AI tools we don't yet support
Files your agent never opened

03 · Data journey

What happens to the data

Sensitive material gets redacted on your machine first: secrets via vendored gitleaks rules, PII in a second pass. You can see what was stripped in your local log. What reaches us is re-scrubbed server-side, then encrypted per-field with keys bound to your org, your session, and the specific event.

Session → encrypted at rest

[Diagram: a sample payload containing a session id (sess_a7f3c9d2e5b6f7a8) and an email address (jane@acme.io) travels from your machine to our servers through the steps below.]

  1. Session ends. Your agent finishes. Nothing has left your machine yet.

  2. Local redaction. Secrets stripped via vendored gitleaks rules; PII in a second pass.

  3. TLS upload. Only redacted material crosses the wire, encrypted in transit.

  4. Server re-scrub. Re-scrubbed server-side. We never trust the client alone.

  5. Per-field encryption. Each field encrypted with keys bound to: org, session, event.
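As an added illustration of the two-stage local redaction and the per-field key binding described above (this is not Spotlight's code; the two gitleaks-style rule patterns, the HMAC-SHA256 key derivation and the sample session line are assumptions constructed here):

```python
import hashlib
import hmac
import re

# Constructed gitleaks-style rules (assumption: the vendored rule set is not on the page).
SECRET_RULES = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Second pass: PII. Only email addresses here, for illustration.
PII_RULES = {"email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")}


def redact(text, rules, kind):
    """Replace each match with a placeholder; log what was stripped, never the value."""
    log = []
    for name, pattern in rules.items():
        def _sub(match, name=name):
            log.append({"rule": name, "kind": kind, "chars": len(match.group(0))})
            return f"[{kind.upper()}:{name}]"
        text = pattern.sub(_sub, text)
    return text, log


def local_redact(payload):
    """Secrets first, PII second. The log stays on the machine; only the text is uploaded."""
    text, secret_log = redact(payload, SECRET_RULES, "secret")
    text, pii_log = redact(text, PII_RULES, "pii")
    return text, secret_log + pii_log


def field_key(root_key, org, session, event, field):
    """HKDF-style derivation (assumption) of a key bound to org, session, event and field.

    Changing any one component yields an unrelated key, so a key that reaches the
    wrong hands for one event does not unlock another event's fields."""
    prk = hmac.new(b"spotlight-field-key-salt", root_key, hashlib.sha256).digest()
    info = "|".join([org, session, event, field]).encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


# Constructed sample: a session line containing AWS's documented example key id and an email.
SAMPLE = "ran aws s3 ls with AKIAIOSFODNN7EXAMPLE and emailed jane@acme.io"

if __name__ == "__main__":
    clean, log = local_redact(SAMPLE)
    print(clean)  # the only thing that would cross the wire
    print(log)    # stays in the local log
```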

04 · Zero retention by design

Zero retention always on at the LLM layer.

When Spotlight uses an LLM to help with analysis and insights, the provider never keeps what we send.

Every LLM provider we use - Anthropic and OpenAI today - is configured for zero data retention. Your session content goes through the model, the report comes back, and the provider keeps nothing. This is set up contractually at the API tier, not an opt-in toggle per request.

05 · Our commitments to you

These are the things we hold ourselves to.

  1. Spotlight is free. You are not the product.

     We make money when teams choose to pay for control and advanced features.

  2. We tell you before we change anything.

     For material changes to how we collect, use, or share your data, we’ll let you know first.

  3. Your data is never for sale.

     We don’t sell what your agents capture, and we don’t share it with advertisers or AI labs.

  4. Delete it and it’s gone.

     Delete a session, a project, or your account, and the underlying data leaves our systems.

06 · Talk to us

Ask us anything else you'd like to know about how we operate.

Security questions

Found a vulnerability?

We consider security researchers friends and kindred spirits. Same address, before public disclosure. We won't sue you for telling us. We appreciate your help.