GuardPlane is an enterprise endpoint security product operated by SensiSec Pty Ltd (ABN 88 663 013 063), a company registered in Australia (the “Company,” “we,” “us”). Our corporate site is sensisec.com; the GuardPlane product site is guardplane.ai. For privacy questions, contact privacy@guardplane.ai.
GuardPlane is deployed by your employer. The agent runs on developer endpoints to enforce policy on what AI coding agents (Claude Code, Cursor, GitHub Copilot, OpenClaw, and similar) are allowed to do. We — SensiSec — do not receive your data. Event metadata stays on the device and, where your employer has configured upload, is sent only to your employer’s own GuardPlane server. Local policy events authored by the developer are stamped non-uploadable at the moment of capture and never leave the device.
This policy describes two distinct things:
The agent is sold to and deployed by enterprise customers (your employer). For privacy purposes, in your relationship with us your employer is the data controller and SensiSec is a data processor acting under their instructions. The website, by contrast, we operate ourselves as controller.
The GuardPlane agent uses operating-system enforcement primitives — Linux BPF_LSM hooks, macOS EndpointSecurity, and Windows native enforcement — to evaluate actions taken by processes on the device against the configured policy. Events evaluated include:
The agent does not read file contents as part of policy enforcement. Decisions are made on path, process identity, and the operation type. The agent does not capture keystrokes, screen contents, browsing history, or network packet payloads.
Audit records are written to a local SQLite database on the device. Where your employer has configured server-side audit, a configurable subset of records is forwarded to your employer’s GuardPlane server over HTTPS using a per-device bearer token (a SHA-256 hash of the token is held by the server; the plaintext token never leaves the device after enrollment).
Local-only events. When the agent is configured to allow developer-authored local policy overlays, events generated by those local rules are stamped non-uploadable at the moment of capture and remain on the device. Toggling the upload flag later does not retroactively reclassify previously captured records — the consent boundary is fixed at capture time.
SensiSec does not operate a multi-tenant cloud that aggregates customer data. Each enterprise customer runs their own GuardPlane server instance. SensiSec does not receive endpoint event data, does not have access to customer servers, and does not sell, share, or use endpoint data for any purpose.
When the agent fetches a software update from your employer’s GuardPlane server, the agent reports update success/failure status along with version identifiers back to that server. This is a small JSON record (status, reason, timestamp, version) used to drive staged rollouts. It contains no personal data and no event data. It is acknowledged by the server and unlinked from the device.
The website is a static page hosted on a content-delivery network. We do not load third-party analytics, advertising trackers, social media pixels, A/B test scripts, or session-replay tools.
You can email privacy@guardplane.ai at any time to ask us to remove your address from the waitlist.
On the endpoint, the agent retains audit records in the local SQLite database for seven days by default, capped at 100,000 rows — whichever bound is reached first triggers a sweep of the oldest records. Both bounds are configurable by your employer and may be shortened. Records that have been acknowledged as uploaded to your employer’s GuardPlane server, and non-uploadable local-only records, are retained under the same window and swept by the same paths.
Server-side retention on your employer’s GuardPlane server is configured by your employer. SensiSec does not operate that server and does not set its retention.
Waitlist email addresses on the website are retained until launch and for a reasonable period thereafter to manage launch communications, or until you ask us to remove them, whichever is sooner.
The agent ships as a code-signed, notarized binary on macOS and as a signed package on Linux and Windows. Updates are verified against publisher identity, package signature, and content hash before installation. The macOS agent runs as a System Extension installed under Apple’s standard user-approval flow; no system approval prompts are bypassed. Communication with your employer’s GuardPlane server uses HTTPS with a per-device bearer token.
Where the agent is deployed by your employer, your employer is the data controller for endpoint event data and is the right party to contact with access, correction, deletion, or objection requests under applicable law (GDPR, the Australian Privacy Act 1988, and similar regimes).
For data we collect through the website (such as a waitlist email), or for general questions about GuardPlane’s data practices, contact us at privacy@guardplane.ai. We will respond within thirty days.
GuardPlane is an enterprise product not directed at children. The website does not knowingly collect information from anyone under 16.
SensiSec is based in Australia. The website CDN and email infrastructure may process data outside Australia. Endpoint event data does not flow to SensiSec; its location is determined by where your employer chooses to host their GuardPlane server.
We may update this policy as the product evolves. The “Last updated” date at the top reflects the most recent change. Material changes will be announced on this page and, where appropriate, by email to waitlist subscribers.
SensiSec Pty Ltd (ABN 88 663 013 063)
Australia
privacy@guardplane.ai