
Data Transparency

We believe security tools should be transparent about how they handle data. Here is exactly what OpenA2A collects, why, and how you control it.

Summary: Telemetry in OpenA2A is opt-in. Nothing is collected unless you explicitly enable contributions with opena2a config contribute on. When enabled, only anonymized security scan metadata is shared -- never source code, credentials, or personally identifiable information.

1. What We Collect (When Opted In)

When you opt in to community contributions, the following metadata is collected from each scan:

Data                    Example                   Purpose
Package name            hackmyagent               Identify which tools are scanned
Package version         0.7.2                     Track security across versions
Scan severity counts    critical: 0, high: 1      Build community security profiles
Scan status             passed, warnings          Aggregate security health metrics
Behavioral metrics      fileCount: 42             Detect anomalous package behavior
Timestamp               2026-03-01T12:00:00Z      Time-series analysis

2. What We Never Collect

  • Source code or file contents
  • API keys, tokens, or credentials
  • Personal information (name, email, IP address)
  • File paths or directory structures
  • Environment variables or configuration values
  • Git history or commit messages

3. How Data Flows

Your Machine (opena2a CLI) -> registry.opena2a.org -> Community Trust Scores

When you run a scan with contributions enabled, the CLI extracts only the metadata fields listed in section 1 and sends them to the OpenA2A Registry. The registry aggregates those fields to compute community trust scores. Beyond the listed fields and the aggregates derived from them, no raw scan output (findings, file lists, paths) is stored.
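The extraction step above is the point where the guarantees in sections 1 and 2 have to hold: whatever the scanner knows locally, only the allowlisted fields may leave the machine. The following is an added example, not OpenA2A's own code, of how such a filter can be written and verified. The field names (packageName, severityCounts, behavioralMetrics, fileCount), the extra severity and status values, and the shape of the local scan result are assumptions modelled on the table above; the sample scan result is constructed for the example.

```python
"""Allowlist filter reducing a full local scan result to contribution
metadata, plus a walker that checks an outgoing payload for leaks.

Added example, not OpenA2A's own code. Field names and the scan-result
shape are assumptions modelled on the Data Transparency table.
"""
import re
from datetime import datetime, timezone

# Fields that may leave the machine, with the type each value must have.
ALLOWED_TOP_LEVEL = {
    "packageName": str,
    "packageVersion": str,
    "severityCounts": dict,
    "status": str,
    "behavioralMetrics": dict,
    "timestamp": str,
}
SEVERITY_KEYS = {"critical", "high", "medium", "low"}   # medium/low assumed
BEHAVIORAL_KEYS = {"fileCount"}
ALLOWED_STATUS = {"passed", "warnings", "failed"}        # "failed" assumed

# Strings that look like a filesystem path or a credential must never be
# sent, even inside an allowlisted field such as the package name.
_PATH_LIKE = re.compile(r"(^|[\s=:])(/|[A-Za-z]:\\|~/|\.\.?/)")
_SECRET_LIKE = re.compile(r"(?i)(api[_-]?key|token|secret|password|bearer\s)")


class LeakError(ValueError):
    """Raised when a field would carry data the policy forbids."""


def _check_string(field, value):
    if _PATH_LIKE.search(value) or _SECRET_LIKE.search(value):
        raise LeakError(f"{field} looks like a path or credential: {value!r}")
    return value


def build_contribution(scan_result: dict) -> dict:
    """Return only the allowlisted metadata from a full scan result.

    Keys outside ALLOWED_TOP_LEVEL (findings, env, git, ...) are dropped.
    Nested dicts are reduced to their own allowlists, counts are coerced
    to int, free-text fields are screened, and the timestamp is
    normalised to UTC so a local offset cannot reveal the timezone.
    """
    out = {}
    for field, expected_type in ALLOWED_TOP_LEVEL.items():
        if field not in scan_result:
            continue
        value = scan_result[field]
        if not isinstance(value, expected_type):
            raise LeakError(f"{field} has unexpected type {type(value).__name__}")
        if field == "severityCounts":
            value = {k: int(v) for k, v in value.items() if k in SEVERITY_KEYS}
        elif field == "behavioralMetrics":
            value = {k: int(v) for k, v in value.items() if k in BEHAVIORAL_KEYS}
        elif field == "status":
            if value not in ALLOWED_STATUS:
                raise LeakError(f"unknown status {value!r}")
        elif field == "timestamp":
            parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
            value = parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        else:
            _check_string(field, value)
        out[field] = value
    return out


def scan_for_leaks(payload, prefix="payload") -> list:
    """Walk a payload and return the locations of any string that looks like
    a path or credential. An empty list means the section 2 rules hold."""
    hits = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            hits += scan_for_leaks(v, f"{prefix}.{k}")
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            hits += scan_for_leaks(v, f"{prefix}[{i}]")
    elif isinstance(payload, str) and (
        _PATH_LIKE.search(payload) or _SECRET_LIKE.search(payload)
    ):
        hits.append(prefix)
    return hits


def dropped_fields(scan_result: dict) -> set:
    """Top-level keys that the filter refuses to send."""
    return set(scan_result) - set(build_contribution(scan_result))


# Constructed sample of what a scanner might hold locally. Everything below
# the first six keys is exactly the kind of data section 2 says never leaves.
SAMPLE_SCAN = {
    "packageName": "hackmyagent",
    "packageVersion": "0.7.2",
    "severityCounts": {"critical": 0, "high": 1, "medium": 3, "low": 0},
    "status": "warnings",
    "behavioralMetrics": {"fileCount": 42, "largestFile": "/home/alice/proj/agent.py"},
    "timestamp": "2026-03-01T12:00:00Z",
    "findings": [{"file": "/home/alice/proj/agent.py", "line": 17, "rule": "hardcoded-secret"}],
    "env": {"OPENAI_API_KEY": "sk-constructed-value"},
    "git": {"lastCommit": "fix login"},
}

if __name__ == "__main__":
    print(build_contribution(SAMPLE_SCAN))
    print("dropped:", sorted(dropped_fields(SAMPLE_SCAN)))
    print("leaks in raw scan:", scan_for_leaks(SAMPLE_SCAN))
    print("leaks in contribution:", scan_for_leaks(build_contribution(SAMPLE_SCAN)))
```

The path pattern only fires on a slash at the start of a string or after whitespace, "=" or ":", so a scoped package name such as @scope/pkg passes while /home/alice/pkg is rejected. Running scan_for_leaks over the filtered payload, rather than trusting the allowlist alone, is the check a user can repeat against the --verbose output described in section 4.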

4. Your Controls

Opt in -- Enable telemetry:

opena2a config contribute on

Opt out -- Disable telemetry (this is the default):

opena2a config contribute off

Check status -- See current settings:

opena2a config show

Data deletion -- Request removal of your contributed data:

Email privacy@opena2a.org

Inspect data -- All submitted data is visible in the CLI output:

opena2a scan <package> --verbose

5. Data Storage and Retention

  • All data is stored on Azure-hosted PostgreSQL (East US 2 region)
  • Data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Scan metadata is retained for 12 months, then automatically purged
  • No data is sold, shared with third parties, or used for advertising

6. Open Source Verification

Every line of code that handles telemetry is open source. You can audit exactly what data is collected:

7. Contact

Questions about data transparency or this policy? Reach out:

Last updated: March 2026. This page is part of the OpenA2A open security platform.