Data Handling: We Move Data, We Don't Store It

Chase Agents is a workflow orchestration platform. When your automations run, data flows through the platform on its way from one connected service to another. Understanding how that data is handled, what is stored, and what is never persisted is important for security and compliance planning.

The Core Principle: Transit-Only

Chase Agents moves data between your connected services; it does not store the content of those data payloads permanently. When a step fetches records from your database, processes them, and sends results to Slack, the records themselves are not written to Chase Agents' own storage. They pass through in memory during execution and are then discarded. What is stored is the run metadata: step names, execution timestamps, success or failure status, and error messages, not the actual business data values.

The Credential Vault

Credentials, API keys, and OAuth tokens that you configure for your connections are stored in an encrypted credential vault. These values are encrypted at rest and are never exposed in plain text in the Chase Agents interface, in logs, or in automation step definitions. When a step executes, the platform injects the credential value at runtime from the vault, uses it for the connection, and does not write it to any log.

Template Variables

Template variables are a secure way to reference credential values within automation step configurations without embedding the actual value in the step definition. You define a secret in the credential vault and give it a name. In your automation steps, you reference that secret by name using the dollar-sign curly-brace template syntax. At runtime, Chase Agents resolves each reference to the real value from the vault before executing the step.

This means your automation step definitions, which are visible in the editor and stored in Sanity, never contain your actual API keys or passwords. They contain only the reference names. The actual secret values exist only in the credential vault.

OAuth Token Handling

For connections that use OAuth, Chase Agents stores the access token and refresh token in the credential vault. Tokens are refreshed automatically before they expire using the PKCE flow. The refresh happens transparently: your automations continue to run without interruption when a token is renewed, and you do not need to manually re-authenticate.

Connection Access Scoping

Connections in Chase Agents have an access type that controls which workspace members can use them in their automations and agent sessions. Personal connections are private to the user who created them. WorkspaceWide connections are available to all workspace members. SpecificTeamMembers connections are scoped to a defined subset of users. This scoping ensures that credentials are not inadvertently shared beyond their intended audience.

What Is Logged

Step execution logs capture the shape and structure of data that passed through steps (for debugging purposes) but are designed to avoid logging credential values. If an error message from an external API happens to include a credential value in its response, that value may appear in error logs. It is a good practice to configure your external APIs to return generic error messages rather than echoing back authentication credentials in error responses.

Data Residency

Chase Agents' infrastructure runs on cloud services. For organizations with data residency requirements, the Enterprise plan includes options for geographic data residency controls. Contact the Chase Agents team at charles@chaseagents.com to discuss specific residency requirements before deployment.