Account Data

Managed by our identity provider (Clerk). We do not store passwords directly.

• Email address
• Name (if provided)
• Organization membership and role (Admin or Member)
• Subscription status and plan tier

Agent System Data

Collected from endpoints running the ET Ducky agent:

• Health Metrics — CPU utilization, memory usage, disk space, network I/O, system uptime (collected every 60 seconds by default)
• Security Posture — Antivirus real-time protection status and definition age, firewall state, disk encryption status, UAC configuration, and Secure Boot state, collected with the agent heartbeat
• System Identity — Hostname, OS version, Linux distribution and kernel identity where applicable, agent version, IP address at time of connection
• Kernel Trace Events — Windows ETW and Linux eBPF kernel and user-mode trace events (process creation, file I/O, network connections, registry activity, service state changes), collected only when event collection is enabled for the agent
• Correlated Event Summaries — Aggregated and filtered event data produced by the agent's local correlation engine before transmission (typically 99%+ reduction from raw events)
• Behavioral Detections — When the behavioral-security monitor flags a high-confidence threat, the detection and the specific events that triggered it are transmitted as evidence
• Procedure Recordings — When an administrator runs the documentation recorder, the captured procedure, the generated knowledge base article, and any screenshots taken with the documentation hotkey are stored. This is off unless a recording is started.
• Privilege Elevation Audit Metadata — For operator-driven privilege elevation on Linux: command summary, operator identity, source IP, and exit code (passwords are never stored or logged)

What We Do NOT Collect

• User credentials or passwords
• File contents or document data
• Browser history, cookies, or keystrokes
• Email, chat messages, or personal communications
• Automatic or covert screenshots and screen recordings (remote desktop frames are relayed in real time and never stored server-side; documentation-recorder screenshots are user-initiated and described above)
• Employee activity or productivity tracking data

How ETW Data Flows

Diagnostic event collection is disabled by default. When enabled from the dashboard, the agent captures kernel trace events locally (ETW on Windows, eBPF on Linux), runs them through a correlation engine that filters and aggregates the data, and transmits only the summarized results to the cloud API.

• Local Processing — Raw ETW events are processed on the endpoint. The correlation engine reduces data volume by approximately 99.95% before any data leaves the device.
• No PII Filtering Required — Because only aggregated summaries (event counts, patterns, timestamps, provider names) are transmitted, personal data is excluded by design.
• Configurable Providers — Administrators choose which ETW providers are active per agent, controlling exactly what categories of system events are monitored.

Always-On Behavioral Security Monitor

Separately from diagnostic event collection, the agent runs a behavioral-security monitor on its own dedicated kernel-trace session. This monitor is active by default so that threats are caught without operator setup. It analyzes events locally and transmits data only when a behavioral rule reaches a high-confidence threshold, at which point it sends the triggering events as evidence. It does not stream raw event data during normal operation.

Health Metrics

Health metrics (CPU, memory, disk, network) are collected regardless of ETW status. These are system-level performance counters and do not contain personal or user-specific data.

How AI Analysis Works

ET Ducky uses the Anthropic Claude API and OpenAI models for AI-powered root cause analysis, Smart Reports, and alert enrichment. Important safeguards:

• Primarily user-initiated — Most AI analysis runs only when a user requests it from the dashboard. Automated alerting and anomaly-triggered diagnostics may also generate AI analysis without a manual request, using the same aggregated-telemetry safeguards described below.
• Aggregated data only — AI prompts contain summarized telemetry: CPU/memory trends, event correlation summaries, error pattern descriptions. No PII, credentials, file contents, or raw user data is included.
• No AI training — Our AI providers do not use API data for model training, per their commercial terms of service.
• Minimal retention by AI provider — Our AI providers do not retain prompt and response data beyond their standard request lifecycle and abuse-monitoring policies.
• Server-side only — All AI requests originate from the ET Ducky cloud API. The agent and browser never communicate directly with AI providers.

Data Protection

• Encryption in Transit — All communications between agents, the dashboard, and the cloud API are encrypted with TLS 1.2 or higher
• Encryption at Rest — Database storage is encrypted with AES-256. Automated backups are also encrypted.
• Agent Authentication — Each agent authenticates with a unique 256-bit cryptographic bearer token. Only the SHA-256 hash is stored server-side; the plaintext token exists only on the agent.
• User Authentication — Dashboard access is authenticated via Clerk with support for MFA, SSO, and configurable session policies
• Organization Isolation — All data is scoped to your organization. Database queries enforce organization-level filtering on every request.

We do not sell, rent, or share your data for advertising or marketing purposes.

We share data only with the following service providers, strictly as necessary for platform operation:

All third-party providers maintain SOC 2 Type II or PCI DSS certification.

Controls Available to You

• Diagnostic Event Collection — Enable or disable diagnostic kernel-event collection per agent from the dashboard. Disabled by default. The behavioral-security monitor runs independently and is described under ETW & Telemetry Data.
• ETW Providers — Choose which categories of Windows events to monitor via remote configuration
• AI Analysis — AI features are always opt-in. You decide when and whether to send data for AI analysis.
• Data Retention — Choose your retention tier (14 to 730 days). Data beyond your window is permanently purged.
• Agent Deactivation — Deactivate or delete agents from the dashboard at any time. Deactivation immediately revokes the agent's API access.
• Account Deletion — Request deletion of your account and all associated data by contacting [email protected]

Retention Policies

• Account data — Retained while your account is active. Deleted upon account closure.
• Agent telemetry & events — Retained according to your chosen retention tier (14 days free, 90/365/730 days with paid add-ons). Purged automatically during the daily maintenance window.
• AI analysis results — Stored as part of your session data and subject to the same retention policy as other telemetry.
• Audit logs — Authentication events, agent connections, and administrative actions are retained for operational security purposes.

Data Deletion

To request deletion of your organization's data, contact [email protected]. We will process deletion requests within 30 days in accordance with applicable privacy regulations (GDPR, CCPA).