Where your data lives
Tenant isolation in Herald is structural, not procedural. Each Product you connect is its own Durable Object on Cloudflare with its own SQLite database. There is no shared tenant database; cross-tenant queries cannot exist.
This page is the operator’s view. For the full legal detail, see the Privacy Policy.
The storage map
| Data class | Where it lives | Retention |
|---|---|---|
| Tenant state (settings, rollups, feedback clusters, semantics, briefings, watchlists, agent memory) | Durable Object SQLite | While account is active |
| Raw product events | Analytics Engine | 90 days (B2B SaaS default) |
| Large blobs (transcripts, email attachments, chat results) | R2, prefixed by product_id | 1 year for calls, 2 years for conversations |
| Feedback / call / review embeddings | Vectorize, one namespace per Product | While account is active |
| Platform secrets | Cloudflare Secrets Store | Managed by Cloudflare |
| Per-tenant secrets (Stripe OAuth tokens, etc.) | Encrypted with AES-GCM, stored inside the Product’s DO | While connection is active |
Every R2 key starts with your product_id. Every Vectorize write carries it as metadata. Cross-tenant access is impossible, not just disallowed.
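A product_id prefix only isolates tenants when the comparison includes a delimiter, because one id can be a leading substring of another. The sketch below is an added example, not Herald's code: the key layout of product_id, a slash, then the object path, the id format, and every function name are assumptions.

```javascript
// Added example. Assumed layout: "<product_id>/<path>"; names are hypothetical.
const PRODUCT_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed id format

// The prefix always ends in "/" so "prod_1" can never match "prod_10/...".
function tenantPrefix(productId) {
  if (typeof productId !== "string" || !PRODUCT_ID.test(productId)) {
    throw new Error("invalid product_id");
  }
  return productId + "/";
}

// Build an object key. Empty, "." and ".." segments are rejected so the key
// cannot point outside the prefix if anything later treats it as a path.
function tenantKey(productId, name) {
  if (typeof name !== "string") throw new Error("invalid object name");
  const segments = name.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    throw new Error("invalid object name");
  }
  return tenantPrefix(productId) + segments.join("/");
}

// Weak form, shown for contrast: a bare startsWith on the id alone.
function naiveOwnedBy(productId, key) {
  return key.startsWith(productId);
}

// Corrected form: compare against the delimited prefix.
function ownedBy(productId, key) {
  return key.startsWith(tenantPrefix(productId));
}

// Keys a delete-by-prefix or export sweep would select from a listing.
function keysInScope(productId, listing, check = ownedBy) {
  return listing.filter((key) => check(productId, key));
}

// Constructed listing: three products whose ids share a leading substring.
const SAMPLE_LISTING = [
  "prod_1/calls/2024-05-01.json",
  "prod_1/email/att-7.pdf",
  "prod_10/calls/2024-05-02.json",
  "prod_1-staging/conversations/c1.json",
];

console.log(keysInScope("prod_1", SAMPLE_LISTING, naiveOwnedBy).length); // 4
console.log(keysInScope("prod_1", SAMPLE_LISTING).length); // 2
```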
What we send to LLMs
Your raw customer data never goes to a foundation model. When Herald asks an LLM a question, the prompt contains your schema shape, your semantic annotations, and the specific structured answer the agent just computed — not raw events, not customer records, not email bodies, not call transcripts. The transcripts and emails themselves stay in your R2 prefix; Herald references them by ID.
When the briefing needs to quote a specific piece of feedback, only that one row is sent, with identifiers redacted where possible. Every call routes through Cloudflare AI Gateway, and under our contracts with Cloudflare and Anthropic this traffic is contractually excluded from foundation-model training.
Export a Product
Settings → Data → Export. Herald packages your Product into a ZIP — configuration, rollups, feedback, conversations, call transcripts, briefings, chat history — stores it in R2, and returns a pre-signed URL that expires in 24 hours.
Export runs inside the Product’s DO so it reads only your tenant.
Delete a Product
Settings → Data → Delete. One operation on the Product’s Durable Object:
- Every R2 object under the Product’s prefix is deleted.
- The Vectorize namespace is deleted.
- Raw events in Analytics Engine are marked for the retention sweep (Analytics Engine is append-only; residual rows age out under the 90-day retention window).
- Every row in SQLite is dropped.
- The Durable Object self-destructs.
- The Product is removed from dispatch routing.
Deletion is irreversible. Encrypted operational backups may persist up to 30 days for disaster recovery only.
Delete your Account
Deletes every Product you own, closes your Herald account, and revokes every OAuth token Herald holds on your behalf.
GDPR-style end-user deletion
If you’re an end-user of a Product that uses Herald and you want your data removed from that Product, contact the operator of the Product. We honor verified requests forwarded by the operator. See the Privacy Policy for the full process and direct-request path.
See also
- Architecture — how the Durable-Object-per-Product isolation is wired end-to-end, with every storage surface labelled.
- Privacy Policy — the legal document behind the operator view on this page.