
AI Data Handling and Privacy

Overview

Nanitor offers two AI-powered features: Remediation Insights and Root Cause Analysis (RCA). Both use OpenAI as a subprocessor, accessed through Nanitor Hub, to generate actionable security guidance. This article explains what data is shared, how it flows, and what controls are available.

Nanitor is ISO 27001 certified. AI data processing follows the same security standards and controls that apply across the Nanitor platform.

Feature Summary

| | Remediation Insights | Root Cause Analysis (RCA) |
|---|---|---|
| Purpose | Generate step-by-step remediation instructions for a detected issue | Analyze forensic evidence to identify why an issue exists, classify the vulnerable component, and suggest targeted fixes |
| Supported issue types | All issue types | Vulnerability, misconfiguration, patch, software policy |
| AI provider | OpenAI (via Nanitor Hub) | OpenAI (via Nanitor Hub) |
| Data sent | Issue metadata + OS summary | Issue metadata + device-level forensic evidence |
| Includes device names | No | Yes |
| Includes forensic details | No | Yes (file paths, registry keys, detection patterns) |
| User action required | Yes (click Generate) | Yes (click Analyze with AI) |
| Data retention (Nanitor) | 90 days on Nanitor Hub, then automatically deleted. Results also stored on your Nanitor instance for the lifetime of the issue. | 90 days on Nanitor Hub, then automatically deleted. Results also stored on your Nanitor instance for the lifetime of the issue. |
| Data retention (OpenAI) | Up to 30 days (abuse monitoring only) | Up to 30 days (abuse monitoring only) |
| Used by OpenAI for model training | No | No |
| Used by Nanitor for quality improvement | Yes (see Data Retention) | Yes (see Data Retention) |
| Consent | Single AI consent covers both features | Single AI consent covers both features |

What Data Is Shared

Remediation Insights

When you generate remediation instructions, the following data is sent:

  • Issue title - the name of the detected issue
  • Issue type - vulnerability, misconfiguration, etc.
  • Issue description - technical description of the issue
  • Operating systems affected - OS types and the number of assets affected
  • Environment & Tool Profile (optional) - user-provided description of management tools, deployment methods, and environment constraints
  • One-time context (optional) - free-text environment details provided for a single query

Remediation Insights does not send individual device names, hostnames, or forensic data.

Root Cause Analysis (RCA)

RCA provides deeper analysis than Remediation Insights by examining forensic evidence to identify root causes and classify affected components. For vulnerabilities, this helps clarify which product or component is actually affected when CVE descriptions are ambiguous. RCA is available for vulnerability, misconfiguration, patch, and software policy issues.

The data sent to the AI service corresponds to the information visible on the issue detail page in the Nanitor UI, including the Forensics tab.

When RCA is performed, the following data is sent:

  • Issue title, type, and description
  • CVE/CWE identifiers - standard vulnerability identifiers, if applicable
  • CVSS score and EPSS score - vulnerability severity and exploit probability ratings
  • Affected device names - hostnames of affected assets
  • Issue priority score - Nanitor's prioritization score for the issue
  • Forensic evidence - detection results from affected devices (see below)
  • Asset OS type and software context - operating system and relevant software information

What forensic evidence includes

RCA forensic data comes from the detection results collected by Nanitor agents. Only the specific match data relevant to each detection is included. Depending on the issue type, this may contain:

  • Vulnerability issues - OVAL test results, matching software versions, file paths
  • Misconfiguration issues - benchmark check results, registry keys, configuration values, script outputs
  • Patch issues - missing patch details, OS and source information
  • Software policy issues - software name, version, publisher, installation path

Forensic evidence may include environment-specific details such as device hostnames, file paths (which can include usernames, e.g. C:\Users\john\...), and installation locations.

Customers are responsible for ensuring that use of AI features aligns with their internal data protection policies and regulatory obligations.

The forensic data sent to the AI service is derived from the same detection results shown on the Forensics tab of the issue detail page, but trimmed down to a subset of matches per device.

Data minimization

Each detection match is scoped to a specific check and contains only the data needed to assess that check. Full configuration files, raw agent output, and credentials are not included. Sensitive data such as password hashes is normalized during device data collection before it reaches the Nanitor instance, so it does not appear in forensic results or in AI requests.

Nanitor applies additional limits to control the volume of data sent for RCA:

  • A limited subset of active, non-excluded forensic evidence per affected device
  • Up to 20 affected devices per issue
  • An overall character limit on the total context, with truncation if exceeded

Nanitor applies ongoing improvements to data minimization controls, including additional redaction of environment-specific identifiers where technically feasible.
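The following is an added illustration of the minimization controls described above, written for this article; it is not Nanitor's implementation. It builds the RCA context from constructed forensic matches, drops excluded and inactive matches, caps evidence per device and devices per issue at 20, redacts the username component of profile and home paths (the C:\Users\john\... case mentioned above), and truncates the whole context at a character limit. The page does not state the per-device subset size or the character limit, so MAX_MATCHES_PER_DEVICE and MAX_CONTEXT_CHARS are assumed values, and all sample data is constructed.

```python
import re
from dataclasses import dataclass, field

# Limits the page states: at most 20 devices per issue, a limited subset of active,
# non-excluded evidence per device, and an overall character cap with truncation.
# The page gives no number for the per-device subset or the character cap, so the
# two values below are assumptions chosen to make the behaviour visible.
MAX_DEVICES = 20
MAX_MATCHES_PER_DEVICE = 3   # assumed
MAX_CONTEXT_CHARS = 1200     # assumed

# Profile and home directories embed a username (e.g. C:\Users\john\...).
_WIN_PROFILE = re.compile(r"(?i)([A-Z]:\\Users\\)[^\\]+")
_UNIX_HOME = re.compile(r"(/home/)[^/]+")


def redact_user_paths(text: str) -> str:
    """Replace the username component of Windows profile and Unix home paths."""
    text = _WIN_PROFILE.sub(r"\1<user>", text)
    return _UNIX_HOME.sub(r"\1<user>", text)


@dataclass
class Match:
    check: str
    value: str
    active: bool = True
    excluded: bool = False


@dataclass
class Device:
    hostname: str
    os: str
    matches: list[Match] = field(default_factory=list)


def select_matches(device: Device) -> list[Match]:
    """Keep only active, non-excluded matches, then cap the count per device."""
    kept = [m for m in device.matches if m.active and not m.excluded]
    return kept[:MAX_MATCHES_PER_DEVICE]


def build_rca_context(issue: dict, devices: list[Device],
                      max_chars: int = MAX_CONTEXT_CHARS) -> tuple[str, bool]:
    """Assemble the text that would be sent for analysis.

    Returns (context, truncated). Device-level lines cover only the first
    MAX_DEVICES devices, each redacted and capped, and the whole context is cut
    at max_chars if it is still too long.
    """
    lines = [
        f"Issue: {issue['title']} [{issue['type']}]",
        f"Description: {issue['description']}",
    ]
    for dev in devices[:MAX_DEVICES]:
        lines.append(f"Device: {dev.hostname} ({dev.os})")
        for m in select_matches(dev):
            lines.append(f"  {m.check}: {redact_user_paths(m.value)}")
    context = "\n".join(lines)
    if len(context) > max_chars:
        return context[:max_chars], True
    return context, False


# Constructed sample data for this example; not real Nanitor detection output.
SAMPLE_ISSUE = {
    "title": "Outdated example tool version",
    "type": "vulnerability",
    "description": "Example Tool versions before 1.3.0 contain a known weakness.",
}


def sample_devices(n: int = 25) -> list[Device]:
    """Build n constructed devices, each with more evidence than the caps allow."""
    devs = []
    for i in range(n):
        matches = [
            Match("check-1", rf"C:\Users\john{i}\AppData\Local\ExampleTool\tool.exe = 1.2.{i}"),
            Match("check-2", r"HKLM\SOFTWARE\ExampleTool\Version = 1.2.0"),
            Match("check-3", f"/home/jane{i}/.local/bin/tool = 1.2.{i}"),
            Match("check-4", "excluded match", excluded=True),
            Match("check-5", "stale match", active=False),
            Match("check-6", "fourth active match, dropped by the per-device cap"),
        ]
        devs.append(Device(f"ws-{i:03d}.corp.example", "Windows 11", matches))
    return devs


if __name__ == "__main__":
    ctx, truncated = build_rca_context(SAMPLE_ISSUE, sample_devices())
    print(ctx)
    print(f"\n[truncated={truncated}, devices={ctx.count('Device: ')}, chars={len(ctx)}]")
```

Note that the device hostnames themselves are left in place, matching the page's statement that RCA does send hostnames; only the username segment of paths is rewritten. Cutting the context at a fixed character count keeps the request bounded but can split a match line mid-value, which is why the function reports the truncation rather than silently dropping it.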

How Data Flows

```mermaid
flowchart LR
    A["Nanitor Instance"] -->|Encrypted HTTPS| B["Nanitor Hub"]
    B -->|Encrypted HTTPS| C["OpenAI API"]
    C -->|Response| B
    B -->|Response| A
```

All AI requests are routed through Nanitor Hub, which acts as the orchestration layer between Nanitor instances and the AI provider. Nanitor instances never communicate directly with OpenAI. All communication occurs over encrypted HTTPS connections.

This architecture allows Nanitor to centrally manage API keys, enforce usage limits, and maintain oversight of all AI interactions without exposing credentials or direct API access to individual Nanitor instances.

Data Retention

| Data | Stored on | Retention |
|---|---|---|
| AI request and response data (both features) | Nanitor Hub | 90 days, then automatically deleted. Nanitor uses this data along with user feedback (thumbs up/down) to review output quality and improve prompts. This data is not used to train AI models. |
| AI results (both features) | Your Nanitor instance | Stored with the issue record and remains available after issue closure. Issue records are not currently user-deletable. |
| AI usage metrics (token counts, latency) | Nanitor Hub | 12 months. Monthly aggregates retained for usage reporting. |
| Environment & Tool Profiles | Your Nanitor instance | User-managed. Create, update, or delete at any time. |
| API inputs and outputs | OpenAI | Up to 30 days for abuse monitoring, then deleted. Not used for training. |

Under the OpenAI Services Agreement, API data is not used to train or improve models. For details on OpenAI's data processing obligations, see their Data Processing Addendum.

Nanitor's quality review of the request and response data held on Nanitor Hub is limited to authorized Nanitor personnel under confidentiality obligations.

International Data Transfers

Nanitor uses OpenAI as a subprocessor for AI features through Nanitor Hub. Data is transmitted over encrypted HTTPS. Nanitor does not intentionally submit personal data to AI services, but forensic context may incidentally include identifiers (for example hostnames or usernames in file paths). Where such data is transferred outside the EEA, transfer safeguards are defined in OpenAI's Data Processing Addendum, including Standard Contractual Clauses (SCCs).

Consent and Controls

AI features are opt-in and require action at multiple levels before any data is sent to external services.

User Consent

Each user must individually accept the AI data processing consent before using any AI feature for the first time. A single consent covers both Remediation Insights and Root Cause Analysis. The consent dialog explains what data will be shared.

To manage your consent:

  1. Click your profile icon and go to Personal Settings
  2. Select Privacy & Consents
  3. Under AI Remediation Insights terms, view when you accepted or click Revoke to disable

Note: The consent label currently references "AI Remediation Insights" but the single consent applies to all AI features, including Root Cause Analysis.

Revoking consent disables all AI features for your account. Previously generated results remain accessible but no new AI requests can be made.

System-Wide AI Toggle

System administrators can enable or disable all AI features across the entire Nanitor instance from System Management. When disabled at the system level, no data is sent to external AI services regardless of per-organization or per-user settings.

Per-Organization AI Toggle

Organization administrators can enable or disable AI features for their specific organization from Organization Management. This setting requires the system-wide toggle to be enabled. It is inheritable, so disabling AI on a parent organization cascades to all sub-organizations.

Control hierarchy

The most restrictive setting always applies:

  1. System-wide toggle OFF - AI disabled for entire instance
  2. Organization toggle OFF - AI disabled for that organization
  3. User consent not granted - AI disabled for that user
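As an added illustration of how the three levels combine (this is example code written for this article, not Nanitor's implementation), the function below resolves the effective setting for a user in an organization. It checks the system-wide toggle first, then walks the organization's parent chain so that a parent toggled OFF cascades to its sub-organizations, and finally checks the user's consent. The organization names and the shape of the Org record are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Org:
    """Minimal organization record assumed for this example."""
    name: str
    ai_enabled: bool
    parent: Optional["Org"] = None


def blocking_org(org: Org) -> Optional[Org]:
    """Return the nearest organization, starting from org itself and walking
    towards the root, that has AI disabled. Walking the whole chain is what
    makes a parent's OFF setting cascade to every sub-organization."""
    node = org
    while node is not None:
        if not node.ai_enabled:
            return node
        node = node.parent
    return None


def ai_allowed(system_enabled: bool, org: Org, user_consented: bool) -> tuple[bool, str]:
    """Resolve the effective AI setting for a user in an organization.

    Checks run from the broadest scope inward; the first disabled level wins,
    so the most restrictive setting always applies.
    """
    if not system_enabled:
        return False, "system-wide toggle is off"
    blocker = blocking_org(org)
    if blocker is not None:
        if blocker is org:
            return False, f"organization '{org.name}' has AI disabled"
        return False, f"inherited from parent organization '{blocker.name}'"
    if not user_consented:
        return False, "user has not accepted the AI data processing consent"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed three-level hierarchy: AI is switched off at the middle level.
    root = Org("Acme", ai_enabled=True)
    region = Org("Acme EMEA", ai_enabled=False, parent=root)
    team = Org("Acme EMEA SOC", ai_enabled=True, parent=region)
    for org in (root, region, team):
        print(org.name, "->", ai_allowed(True, org, True))
```

The order of the checks matters for the message a user sees, not for the outcome: any single OFF level yields False regardless of the others, which is the property an auditor wants to confirm when reviewing a deployment.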

FAQ

Is my data used to train AI models?

No. Under the OpenAI Services Agreement, API data is not used to train or improve models. Inputs and outputs may be retained by OpenAI for up to 30 days for abuse monitoring only, after which they are deleted. Nanitor retains request and response data on Nanitor Hub for up to 90 days for quality control, including reviewing AI output and incorporating user feedback to improve prompts. This data is not used to train AI models.

Can I disable AI features entirely?

Yes. AI features can be disabled at the system level, the organization level, or by individual users revoking their consent. When disabled at the system level, no AI-related data leaves the Nanitor instance.

What happens when I revoke consent?

AI generation is disabled for your account. You can no longer generate new remediation instructions or trigger RCA, but AI results remain visible to users with permission to view the issue, including newly generated results created by other users.

Does RCA send device hostnames?

Yes. RCA includes device names and forensic evidence from affected devices to enable accurate root cause analysis. Remediation Insights does not include device-level data.

Which issue types support RCA?

RCA is available for vulnerability, misconfiguration, patch, and software policy issues.

Is Nanitor ISO 27001 certified?

Yes. Nanitor maintains ISO 27001 certification. See nanitor.com/trust for details.