Security and Privacy
Calvin is built with security and data privacy as core principles. This document outlines how we handle your data, protect your information, and provide you with control over your assets.
LLM Data Privacy
Calvin leverages Large Language Models (LLMs) to power its AI agents. Here's how we ensure your data remains private:
No training on your data. Your code, conversations, and business data are never used to train or fine-tune any AI model. This is guaranteed by contract with our LLM providers.
Private network access. All LLMs are hosted on AWS and accessed exclusively through private network connections, ensuring your data never traverses the public internet.
No data persistence. LLMs do not retain any data from your interactions. Each request is processed in isolation and discarded after the response is generated.
Data Storage
Default Storage
If no external repository is connected, Calvin stores the minimum data necessary to operate the platform:
Source code generated by agents is hosted on Calvin's infrastructure, encrypted at rest on Amazon S3.
Chat history and workspace data are stored to maintain session continuity.
All stored data is encrypted at rest and in transit.
External Repository Integration
Calvin also allows you to connect your own version control provider so that source code is stored exclusively in your own repository and never on Calvin's infrastructure. Supported providers include:
GitHub
Bitbucket
GitLab
Other Git-compatible providers
When an external repository is configured, Calvin does not store any copy of your source code on its infrastructure. All code is pushed directly to your repository, and agents interact with it in real time. In this scenario, Calvin only retains chat history and workspace metadata — not the generated code itself.
BYOS (Bring Your Own Storage)
For organizations that require full control over their data, Calvin offers a Bring Your Own Storage mode.
How it works:
Key security properties:
Zero-knowledge architecture. Calvin never stores your encryption password. It is used only in memory to encrypt and decrypt access to your S3 bucket during active sessions.
Full data ownership. All data resides in your AWS account, under your control and your access policies.
Data portability. Since the data lives in your bucket, you can audit, back up, or migrate it at any time.
Note: BYOS mode may introduce additional latency compared to default storage, as all read/write operations go through your external bucket. This is the tradeoff for complete storage control.
Access Controls
Access to Calvin's infrastructure is restricted following the principle of least privilege:
Only a limited number of authorized personnel have access to production infrastructure.
Access to customer data occurs only when strictly necessary for technical support or platform maintenance, and never for commercial purposes.
Infrastructure access is managed through differentiated IAM roles on AWS.
Infrastructure & Compliance
Calvin operates entirely on Amazon Web Services (AWS), adhering to AWS security best practices:
Network isolation via dedicated VPCs
Encryption at rest (AES-256) and in transit (TLS 1.2+)
Identity and Access Management with role-based policies
Infrastructure monitoring through AWS native services
AWS maintains certifications including SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and GDPR compliance. Calvin inherits these guarantees at the infrastructure level.
Data Retention & Deletion
Calvin retains your data only for as long as your account is active and the data is needed to provide the service.
You can request complete deletion of all your data by contacting our support team.
Upon account termination, all associated data is deleted from Calvin's systems.
In BYOS mode, data retention is entirely under your control since all data resides in your own bucket.
Intellectual Property
All source code, assets, and any other artifacts generated through Calvin are the exclusive intellectual property of the user (or the organization that owns the account). Calvin does not claim any ownership, license, or rights over the output produced by its AI agents. You are free to use, modify, distribute, and commercialize all generated code without any restriction from Calvin.