HackerAI is an AI agent for penetration testing and security work. This page describes the data we process, where agent code runs, and the services we rely on to operate.
Depending on how you use HackerAI, the service processes:
Chat requests are routed through OpenRouter to the provider behind the model you select, such as Anthropic, Google, DeepSeek, Moonshot AI, or xAI. Your prompt, relevant conversation context, and tool results are sent to that provider to generate a response.
When the agent searches the web or opens a URL, search queries are processed by Perplexity and page content is retrieved through Jina AI. Message content is screened by OpenAI for content moderation.
Each provider processes data under its own terms. Whether data is used for model training varies by provider, so we don't make a blanket guarantee on this point — refer to the policies of the providers listed below.
By default, terminal and browser actions run in an isolated E2B cloud sandbox tied to your account, separate from our application infrastructure. You can delete your sandboxes at any time from Settings → Data controls.
A local execution mode is also available. It runs commands directly on your machine with your user's privileges and no isolation, so we recommend it only on machines dedicated to testing.
Payments are processed by Stripe; card details never reach our servers. Subscriptions can be managed or canceled through the billing portal in your account settings, and deleting your account cancels any active subscription.
The following services process data on our behalf:
| Provider | Purpose | Data categories |
|---|---|---|
| OpenRouter | Routes chat requests to third-party AI model providers | Prompts, conversation context, file content, tool output |
| OpenAI | Content moderation | Message content |
| Perplexity | Web search performed by the agent | Search queries from agent runs |
| Jina AI | Webpage content retrieval for the agent | URLs and retrieved page content |
| E2B | Cloud sandboxes for terminal and browser execution | Commands, command output, files inside the sandbox |
| Convex | Primary application database | Account data, chats, messages, files, settings |
| Amazon Web Services (S3) | File storage | Uploaded files |
| Upstash / Redis | Rate limiting and response stream resumption | Transient identifiers and streaming state |
| WorkOS | Authentication and account management | Email, name, sessions, MFA enrollment |
| Stripe | Payments and subscription billing | Billing contact and payment details (held by Stripe) |
| PostHog | Product analytics and error tracking | Usage events and diagnostic data |
| Trigger.dev | Background execution of long-running agent tasks | Task payloads including conversation context |
| Vercel | Application hosting | Request data processed by the web application |
Found a security vulnerability in HackerAI? Report it through the help center. We review all good-faith reports. We don't run a paid bug bounty program at this time.
For availability updates and scheduled maintenance, check the public status page. If an incident affects your data, we notify affected users through the service and the help center.
HackerAI is developed in the open. The full application source code is public on GitHub, including every change we ship. You can review how prompts, files, and sandbox sessions are handled directly in the code rather than relying on this page alone.
HackerAI doesn't currently hold SOC 2, ISO 27001, or other third-party certifications. The service is offered in beta, as described in our Privacy Policy and Terms of Service. We'll update this page as our compliance program develops.