Privacy Architecture
MACAW uses a privacy-preserving architecture where your data stays in your environment. The control plane sees only operational metadata — never prompts, parameters, or content.
The Privacy Model
MACAW separates the control plane (policy enforcement, audit, registry) from the data plane (your application, LLMs, tools). Content flows directly between your app and your providers — it never passes through MACAW servers.
┌─────────────────────────────────────────────────────────────┐
│                     MACAW CONTROL PLANE                     │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐          │
│  │   Policy    │  │    Agent    │  │    Audit    │          │
│  │    Store    │  │  Registry   │  │    Logs     │          │
│  └─────────────┘  └─────────────┘  └─────────────┘          │
│  ┌─────────────┐  ┌─────────────┐                           │
│  │  Identity   │  │ Attestation │                           │
│  │   Bridge    │  │   Service   │                           │
│  └─────────────┘  └─────────────┘                           │
│                                                             │
│  DATA: Policies, agent IDs, audit events, attestations      │
│  NOT: Prompts, parameters, responses, content               │
└─────────────────────────────────────────────────────────────┘
           ↕ Policy decisions & audit events only ↕
┌─────────────────────────────────────────────────────────────┐
│                      YOUR ENVIRONMENT                       │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐          │
│  │  Your App   │  │     LLM     │  │    Tool     │          │
│  │   + SDK     │  │  Provider   │  │   Server    │          │
│  └─────────────┘  └─────────────┘  └─────────────┘          │
│                                                             │
│  DATA: Prompts, responses, tool parameters, content         │
│  Enforcement happens here (PEPs embedded in SDK)            │
└─────────────────────────────────────────────────────────────┘
Key Insight
The control plane is a metadata layer. It enforces policies and logs decisions, but doesn't see or store the actual content flowing through your tools and LLMs. Policy Enforcement Points (PEPs) run in your environment, inspecting content locally.
What the Control Plane Stores
The control plane stores operational metadata only:
| Category | Examples | Purpose |
|---|---|---|
| Identity mappings | User emails, IdP claims, role assignments | Policy evaluation |
| Agent registry | Agent IDs, public keys, connection status | Cryptographic verification |
| Policies | MAPL policy documents (JSON) | Access control |
| Attestations | Approval decisions, attestation keys, timestamps | Workflow authorization |
| Audit logs | Event type, principal, resource, outcome, policy_id | Compliance & debugging |
// Audit log entry structure (from audit/base.py)
{
"timestamp": "2026-01-15T10:30:00Z",
"operation": "tool_invocation",
"principal_id": "user:alice@company.com",
"resource_id": "tool:calculator/add",
"action": "allow",
"policy_id": "team:engineering",
"invocation_id": "inv-abc123"
}
// Note: No prompt content, no tool parameters, no response data
What Stays in Your Environment
User-facing data never leaves your infrastructure:
| Data Type | Flow | MACAW Sees? |
|---|---|---|
| LLM prompts | Your app → LLM provider directly | No |
| LLM responses | LLM provider → Your app directly | No |
| Tool parameters | Your app → Tool server directly | No |
| Tool results | Tool server → Your app directly | No |
| File contents | Stays in your environment | No |
| Database queries | Stays in your environment | No |
Enforcement at Endpoints
Policy Enforcement Points (PEPs) are embedded in the MACAW SDK running in your environment. Content inspection and policy enforcement happen locally — the control plane only receives the decision outcome (allow/deny), not the content that was evaluated.
How Policy Checks Work
Policy enforcement happens without MACAW seeing your content:
Your App MACAW Control Plane LLM Provider
│ │ │
│ │ │
│──── Fetch policies ─────────>│ │
│ (at startup/refresh) │ │
│<─── Policy documents ────────│ │
│ │ │
│ │ │
│ ┌─────────────────────┐ │ │
│ │ PEP evaluates │ │ │
│ │ locally against │ │ │
│ │ policies │ │ │
│ └─────────────────────┘ │ │
│ │ │
│──── Prompt ──────────────────────────────────────────>│
│ (direct connection, MACAW never sees this) │
│<─── Response ────────────────────────────────────────│
│ │ │
│ │ │
│──── Log event ──────────────>│ │
│ (metadata only: │ │
│ model, user, outcome) │ │
What MACAW sees for policy
- Model name (e.g., "gpt-4")
- User identity (from JWT claims)
- Tool name being invoked
- Token count (for rate limiting)
- Timestamp
What MACAW never sees
- Actual prompt text
- LLM response content
- System prompts
- Tool parameter values
- Conversation history
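The policy-check flow above, as an added example that is not part of this page or of the MACAW SDK: a PEP running in your environment evaluates a request against previously fetched policy documents, then builds the metadata-only event that goes to the control plane. The request and policy fields, the `METADATA_FIELDS` allow-list and the `llm_call` operation name are assumptions; the real MAPL schema is not shown on this page.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed policy documents in a simplified shape. The page says MAPL
# policies are JSON but does not show the schema, so these fields are an
# assumption for illustration only.
POLICIES = [
    {
        "policy_id": "team:engineering",
        "principals": ["user:alice@company.com"],
        "allowed_models": ["gpt-4"],
        "allowed_tools": ["calculator/add"],
        "max_tokens": 4000,
    }
]

# The only request fields the control plane may receive (the page's
# "What MACAW sees for policy" list). Everything else stays local.
METADATA_FIELDS = ("principal_id", "model", "tool", "token_count")
CONTENT_FIELDS = ("prompt", "params")


@dataclass
class Request:
    principal_id: str      # from JWT claims
    model: str
    tool: Optional[str]    # None for a plain LLM call
    token_count: int
    prompt: str            # content: inspected locally, never exported
    params: dict           # content: inspected locally, never exported


def evaluate(req: Request, policies=POLICIES) -> Tuple[str, Optional[str]]:
    """Local PEP decision: returns (action, policy_id).

    Runs inside your environment, so it could inspect req.prompt and
    req.params; only the decision leaves this function."""
    for p in policies:
        if req.principal_id not in p["principals"]:
            continue
        if req.model not in p["allowed_models"]:
            return "deny", p["policy_id"]
        if req.tool is not None and req.tool not in p["allowed_tools"]:
            return "deny", p["policy_id"]
        if req.token_count > p["max_tokens"]:
            return "deny", p["policy_id"]
        return "allow", p["policy_id"]
    return "deny", None  # no policy matched the principal: default deny


def audit_event(req: Request, action: str, policy_id: Optional[str],
                invocation_id: str) -> dict:
    """Build the event sent to the control plane after a decision.

    Fields are copied through an explicit allow-list rather than by
    serialising the request, so content can never leak in by accident."""
    event = {
        "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        # "tool_invocation" is the operation name shown on the page;
        # "llm_call" for tool-less requests is an assumption.
        "operation": "tool_invocation" if req.tool else "llm_call",
        "resource_id": f"tool:{req.tool}" if req.tool else f"model:{req.model}",
        "action": action,
        "policy_id": policy_id,
        "invocation_id": invocation_id,
    }
    for name in METADATA_FIELDS:
        event[name] = getattr(req, name)
    return event


def content_leaked(event: dict, req: Request) -> bool:
    """Self-check before sending: True if a content field, the prompt text
    or the serialised parameters show up anywhere in the event."""
    blob = json.dumps(event)
    return (any(f in event for f in CONTENT_FIELDS)
            or req.prompt in blob
            or json.dumps(req.params) in blob)


if __name__ == "__main__":
    req = Request("user:alice@company.com", "gpt-4", "calculator/add", 120,
                  "Add the Q3 revenue figures", {"a": 1200, "b": 340})
    action, pid = evaluate(req)
    ev = audit_event(req, action, pid, "inv-abc123")
    assert not content_leaked(ev, req)
    print(json.dumps(ev, indent=2))
```

The allow-list in `audit_event` is the design point: a log builder that serialises the whole request object and then strips fields will leak the first time someone adds a new content field, whereas one that copies only named metadata fields fails closed.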
Security Controls
API Key Hashing
API keys are SHA-256 hashed before storage. The original key is never stored — we cannot retrieve it if lost, and a database breach wouldn't expose usable keys.
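The hash-on-issue pattern the paragraph describes, as an added example that is not the page's or MACAW's own code: the raw key is returned once, only its SHA-256 digest is stored, and authentication hashes the presented key and looks it up by digest. The `mk_` prefix and the in-memory store are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed in-memory key store standing in for a database table.
# Rows hold the digest and owner only; the raw key is never written here.
_KEY_STORE: dict = {}


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_api_key(owner: str) -> str:
    """Create a key, store its hash, and hand the raw key back exactly once."""
    raw_key = "mk_" + secrets.token_urlsafe(32)   # "mk_" prefix is an assumption
    _KEY_STORE[_digest(raw_key)] = {"owner": owner, "revoked": False}
    return raw_key


def authenticate(presented: str) -> Optional[str]:
    """Return the owner for a valid, unrevoked key, else None.

    The presented key is hashed and compared against stored digests, so the
    server never needs (or has) the original key."""
    digest = _digest(presented)
    for stored, row in _KEY_STORE.items():
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(stored, digest) and not row["revoked"]:
            return row["owner"]
    return None


def revoke(presented: str) -> bool:
    """Mark a key revoked; returns False if it was never issued."""
    row = _KEY_STORE.get(_digest(presented))
    if row is None:
        return False
    row["revoked"] = True
    return True


def store_dump() -> str:
    """What a copy of the store contains: digests and owners, no usable keys."""
    return json.dumps(_KEY_STORE)


if __name__ == "__main__":
    key = issue_api_key("user:alice@company.com")
    print("owner:", authenticate(key))
    print("store:", store_dump())   # the raw key appears nowhere in this
```

Because keys are generated with 32 bytes of randomness, a stored digest cannot be reversed by brute force the way a short password hash can, which is why a plain SHA-256 (rather than a slow password hash) is appropriate here.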
TLS in Transit
All API communication uses TLS 1.2+. HTTPS is enforced for Console and API endpoints.
Signed Audit Logs
Audit logs support cryptographic signing modes for tamper-evident logging:
- signed: Digital signature on each entry
- crypto: Hash chain + signatures
- blockchain: Full hash chain with block structure
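An added example (not the project's own audit/base.py code) of the hash-chain-plus-signature idea behind the crypto mode, using the metadata-only entry shape shown earlier on this page: each entry embeds the previous entry's hash and carries a signature over its own hash, so editing, reordering or dropping an entry breaks verification. HMAC-SHA256 stands in for the product's digital signature, whose algorithm this page does not state; the `prev_hash`, `entry_hash`, `signature` field names and the all-zero genesis hash are assumptions.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64   # prev_hash of the first entry (assumption)
_SEAL_FIELDS = ("entry_hash", "signature")


def _canonical(obj: dict) -> bytes:
    """Stable serialisation so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ChainedAuditLog:
    """Append-only, tamper-evident log: hash chain plus per-entry signature."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = dict(event, prev_hash=prev)          # link to the predecessor
        entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
        signature = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, entry_hash=entry_hash, signature=signature)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict], signing_key: bytes) -> Tuple[bool, Optional[int]]:
    """Walk the chain. Returns (True, None) if intact, else (False, index)
    of the first entry whose link, hash or signature does not check out."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in _SEAL_FIELDS}
        if e.get("prev_hash") != prev:
            return False, i                         # reordered or missing entry
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, e.get("entry_hash", "")):
            return False, i                         # contents edited
        expected_sig = hmac.new(signing_key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, e.get("signature", "")):
            return False, i                         # re-hashed without the key
        prev = e["entry_hash"]
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; a real key comes from a KMS
    log = ChainedAuditLog(key)
    for n in range(3):
        log.append({
            "timestamp": "2026-01-15T10:30:00Z",
            "operation": "tool_invocation",
            "principal_id": "user:alice@company.com",
            "resource_id": "tool:calculator/add",
            "action": "allow",
            "policy_id": "team:engineering",
            "invocation_id": f"inv-{n}",
        })
    print(verify_chain(log.entries, key))           # (True, None)
    log.entries[1]["action"] = "deny"               # simulate an edit
    print(verify_chain(log.entries, key))           # (False, 1)
```

The two checks catch different tampering: the hash chain detects edits and reordering by anyone, while the signature prevents someone who can rewrite the store from simply recomputing the hashes, since they lack the signing key.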
GDPR & Compliance
MACAW's architecture implements Privacy by Design principles:
Data Minimization
- Control plane stores metadata only
- No LLM content passes through
- Audit logs contain identifiers, not content
Purpose Limitation
- Data used only for policy enforcement
- No secondary use or selling of data
- Clear separation of concerns
Data Subject Rights
- Export via Console (policies, logs)
- Deletion available on request
- SAR support via Console filters
Accountability
- DPA available on request
- Audit logging for compliance
- Clear data processing records
Your Responsibilities
Your application data stays in your environment — you remain the data controller. MACAW acts as a processor for metadata only. For DPA requests or compliance documentation, contact support@macawsecurity.com.
Data Export & Deletion
Export Your Data
- Policies: Console → Policies → Export (JSON)
- Audit Logs: Console → Logs → Export (JSON/CSV)
- Agents: Via API using list_agents()
- Attestations: Console → Activity → Attestations
Delete Your Data
- Workspace: Settings → Delete workspace
- Agents: client.unregister()
- Team members: Settings → Team → Remove
- Full deletion: Contact support
Note: Export includes control plane metadata only. Your application data (prompts, tool results) is already in your environment.