Telemetry & Privacy
We aim to be clear about exactly what telemetry hits Stoplight, how it is consumed, how long it is stored, and private deployment options. For larger organizations considering us, we often configure a complementary, obligation-free private deployment for evaluation purposes.
Processing and retention of hook data
Stoplight collects execution metadata from agent hooks, processes it for guardrail suggestions, and deletes raw telemetry automatically. No telemetry is used for model training.
Hook fires
The agent runtime invokes a tool. Stoplight's hook intercepts the call and extracts the tool name, arguments, path, working directory, and provider context.
Hooks are plain JavaScript you control directly — customize or redact any field before it reaches Stoplight.
Normalized payload sent
The hook sends a normalized payload to the Stoplight API. This contains only execution metadata — not file contents, command output, or downstream response data.
Groq inference
Stoplight processes the payload using Groq (NVIDIA) to identify candidate guardrail rules and policies. No telemetry is used for model training.
In private deployments, inference can be pointed at any provider you choose — you manage models and vendors yourself.
Telemetry deleted
Raw telemetry is scheduled for deletion after processing — typically within 30 minutes, always within a few hours. Only the generated guardrail suggestions persist.
A scheduled cron job purges processed observations after the retention window. Guardrail event history is preserved via nullified foreign keys — raw payloads are removed, audit trail stays intact.
Understanding what Stoplight analyzes
We do not use or have any requirement for tool outputs in guardrail generation – we leverage tool names, arguments, and metadata. However, your agent may, outside our scope, decide to use phrases/pieces of data as arguments for operations like file searching, in which case we will inevitably store this data for anywhere between 30 minutes and a few hours.
Shell command
Agent runs this from /workspace/app using the Bash tool on Claude Code.
git push --force origin main| Field | Value |
|---|---|
| tool | Bash |
| command | git push --force origin main |
| cwd | /workspace/app |
| _kind | command |
- —Repository contents or git history
- —File diffs or commit bodies
- —Output of the command after execution
File read
Agent attempts to read a credentials file using the Read tool on Cursor.
Read → .env.local| Field | Value |
|---|---|
| tool | Read |
| path | /workspace/.env.local |
| _kind | file |
| operation | read |
- —File contents (the body of .env.local)
- —Other files in the directory
- —Environment variable values
MCP tool call
Agent invokes a GitHub MCP server tool to create a PR.
mcp__github__create_pull_request| Field | Value |
|---|---|
| tool | mcp__github__create_pull_request |
| mcp_server | github |
| mcp_tool | create_pull_request |
| args | { "title": "Fix auth bug", "base": "main" } |
| _kind | mcp |
- —PR diff contents or source code
- —GitHub API response payloads
- —Repository file tree