5 min read
Data Handling
What StateAnchor stores, how long, and why.
What we store
StateAnchor stores five classes of data, each scoped to the minimum required to deliver the product:
- Your spec file -- the
stateanchor.yamlcontent from each commit that triggered a sync. Stored content-addressed by SHA-256 so identical content maps to a single blob. - Sync run records -- the gate decision, score, finding list, timestamps for each stage, and the commit SHA the decision was made against.
- Artifact checksums -- the SHA-256 of every generated artifact (TypeScript / Python / Go SDKs, MCP servers, OpenAPI schemas). The artifact body itself lives in content-addressed storage; the checksum is what ties a project reference to a blob.
- Gate events -- the append-only audit log of every gate decision. Each leaf hashes the commit SHA, IR hash, topology signature, lane, score, and decision timestamp.
- Account data -- your email address, signup date, and billing state. Billing details (payment cards, invoices, tax identifiers) live in Stripe.
We do not store source code, environment variables, secrets, payment card numbers, the content of any file other thanstateanchor.yaml, or the content of any team communication.
Retention
Sync run records are retained for 90 days on the hot tier. Older records are archived and available on request for paid plans. Artifacts are content-addressed -- an artifact persists as long as at least one project reference points to it, and is garbage-collected after the last reference is dropped.
Gate events (the Merkle log) are retained indefinitely. This is the tamper-evident audit trail that makes independent verification possible; it cannot be pruned without breaking the inclusion proofs that downstream verifiers rely on. Account data is retained until account deletion.
Data deletion
Users can delete their account via Settings → Delete account. This deletes all sync runs, projects, gate decisions, artifact references, and personally identifiable account data from the StateAnchor database. Deletion is permanent and irreversible.
The public Merkle log entry -- the hash, not the content -- cannot be deleted. The log is append-only by design, and removing a leaf would invalidate every inclusion proof that points past it. The leaf contains no personally identifiable information; it is a hash of public structural metadata.
A GDPR data export is available before deletion via Settings → Export my data. The export includes all data we hold on you in machine-readable JSON: sync run records, project metadata, and account data.
Encryption
All data is encrypted at rest by Supabase using AES-256. All data in transit is encrypted with TLS 1.2 or higher, including connections to the Anthropic API, Stripe, GitHub, Resend, and any S3-compatible artifact storage target. No data is stored unencrypted at any layer of the stack.
Location
Data is stored in Supabase’s infrastructure, which runs on AWS in the US-East-1 region by default. Vercel edge functions may process requests in other regions for latency reasons, but no persistent state is written outside Supabase. Enterprise customers can request data residency in specific regions on request.
Supabase Storage output
If you configure Supabase Storage as an artifact output target, generated SDKs are stored in your own Supabase project -- not in StateAnchor’s infrastructure. You retain full ownership and control over those files, including access policies and retention rules.