Effective May 12, 2026
Security and Data Use
How CutAgent approaches product security, hosted processing, vulnerability reports, and AI data use.
Security approach
CutAgent is designed as a macOS-first editing assistant with a separation between local desktop operations and hosted account, billing, AI, speech, and verification services.
We use access controls, scoped desktop authorization, transport encryption, least-privilege operational practices, dependency review, release checks, and security headers to reduce risk.
Local and hosted processing
Many DaVinci Resolve operations run locally through the desktop app and bridge. Hosted features may receive prompts, context, transcripts, audio, metadata, command outputs, and verifier results when needed to provide the requested workflow.
Users should avoid sending secrets, unrelated personal data, confidential third-party material, or media they are not authorized to process through hosted features.
AI data use
CutAgent uses AI to help plan and execute editing workflows, summarize context, generate text, process transcripts, and assist with verification. AI output should be reviewed before production use.
CutAgent does not intentionally use private customer content to train general-purpose AI models. Hosted providers may process requests to provide the configured service and may apply their own retention, abuse-monitoring, or enterprise data controls.
Diagnostics and incident telemetry
CutAgent uses necessary operational telemetry for cost spikes, provider failures, auth and webhook failures, updater failures, and crash or panic reporting. These signals help detect outages, abuse, security issues, and release regressions before they affect more users.
Incident telemetry is minimized and redacted by default. We avoid collecting prompts, media, project files, API keys, bearer tokens, full local paths, and unrelated user content unless you explicitly include details in a support or security report.
Vulnerability reports
Send security reports to hey@cutagent.ai. Include affected versions, reproduction steps, impact, and relevant logs without exposing third-party secrets or personal data.
Please do not access, modify, delete, or exfiltrate data that is not yours. We appreciate responsible disclosure and will prioritize reports based on severity and exploitability.
Incident response and roadmap
We assess security and privacy incidents based on impact, affected data, containment, notification obligations, and remediation. Where GDPR requires supervisory authority notice, reportable personal data breaches are assessed without undue delay and, where feasible, within 72 hours of awareness.
Security practices will evolve as CutAgent grows. Enterprise certifications, formal trust center materials, and additional data processing terms may be added when customer and revenue stages justify them.