Data Handling
What Chief sees, what Chief stores, and what leaves your tenant.
Data Flow
You → Slack (your workspace)
→ Chief Socket Mode (TLS)
→ Chief agent host (DigitalOcean droplet, NYC3)
├── Convex (data layer, encrypted at rest)
└── Anthropic / OpenAI / Gemini (your API key)
→ Reply back to SlackThree external surfaces touch your data: Slack (where messages originate), Chief’s agent host (transient processing), and your LLM provider (your API key, your contract).
Where Data Lives
| Data class | Storage | Encryption |
|---|---|---|
| Slack thread context | Convex | At rest (AES-256), in transit (TLS) |
| Generated files | Convex blob storage | At rest (AES-256), in transit (TLS) |
| LLM API keys | Convex (ciphertext only) | AES-256-GCM application-layer + at-rest |
| Integration credentials | Convex (ciphertext only) | AES-256-GCM application-layer + at-rest |
| Usage records | Convex | At rest (AES-256), in transit (TLS) |
| Tool call traces | Convex (no parameter bodies by default) | At rest (AES-256) |
| Audit logs | Convex | At rest (AES-256), append-only |
What’s Sent to LLM Providers
When Chief makes an LLM call, the prompt includes:
- The current Slack thread (recent messages relevant to the request)
- Relevant memories from your tenant
- Your registered tools (names + signatures, not your data inside them)
- The user’s actual ask
The prompt does not include data from other tenants, your provider keys, or system credentials.
Your LLM provider’s data retention policy applies to that prompt traffic — see your Anthropic / OpenAI / Google contract. Chief uses your API key, so this is your contractual relationship, not Chief’s.
What’s Sent to Slack
Chief posts back only:
- Replies to threads addressed to it
- Files generated by tools (PDFs, sheets) when explicitly requested
- Status reactions on user messages
Chief never posts to channels it wasn’t invited to. Chief never DMs users it hasn’t been DMed by, except for one-time install greetings and admin alerts.
Logs
Chief logs:
- Tool call names and durations (no parameter bodies)
- Latency, error codes, retry counts
- Slack message IDs (not content) for debugging routing
Logs are kept for 30 days (Pro) or 1 year (Enterprise). Redacted logs may be inspected by Chief engineers for support and incident response only — never for product analytics.
What Goes Off-Tenant for Chief Engineering
- Aggregate usage stats (no tenant content)
- Error reports including stack traces (no tenant content unless you opt in)
- Diagnostic data from explicit support requests (only what you authorize)
We never use your data to train models. We never sell or share your data with third parties beyond the LLM provider you’ve chosen.