Span Agent Trace Analytics: Security Overview
Last updated: May 21, 2026
Updated: 5/20/2026
Platform Overview
Span Agent Trace Analytics gives engineering leaders visibility into how their teams use AI coding tools. It captures developer–AI interaction events from developer machines, reconstructs agent traces (conversation threads, tool call sequences, code edits), and surfaces insights in the Span analytics dashboard.
The platform has four components: a lightweight client agent on developer machines, a telemetry ingestion endpoint, an AI analysis pipeline, and the Span analytics application.
System Architecture

Secret redaction is applied at two points: on the developer's machine before any data leaves the device, and again at the ingestion layer using TruffleHog before events reach S3. Events are buffered locally on the developer machine and forwarded when connectivity is available. Within the ingestion pipeline, Kafka decouples receipt from inspection: it absorbs peak traffic without applying backpressure, so every event is fully scanned by TruffleHog before being written to storage and no event is lost. The Span backend can also push org policy updates to the client agent periodically, keeping local policy in sync.
Data Collection
coding-hooks is the client agent component of Span Agent Trace Analytics. It monitors AI coding IDE activity and captures interaction events. Currently supported on macOS; Linux and Windows support is planned.
Events are captured across the following categories:
| Category | What is captured |
|---|---|
| Prompt interactions | User prompt text, model response metadata, model name |
| Tool calls | Tool name, parameters (e.g. file edit, shell command, web search) |
| File edit events | File path, diff content |
| Conversation lifecycle | Session start/end, timestamps, session ID |
| Git metadata | Branch name, commit author, repo root |
What is NOT collected: file contents outside AI-driven edit events, terminal output, browser activity, keystrokes, or anything outside the IDE.
File edit data (diff content) is captured transiently for analysis purposes and is not stored long term. It is processed in the AI analysis pipeline and not retained in the analytics database.
Prompt capture and file content capture can be disabled via org policy (see below).
Secret Redaction
Span applies secret redaction at two independent layers:
On-device (before transmission): Every event is scanned in memory before reaching the local event buffer. Redacted patterns include API keys, authentication tokens, private key blocks, database connection strings, environment variable files, and common credential formats. Additionally, gitignore patterns are respected if present.
At ingestion (server-side): All events received by the Span backend are scanned using TruffleHog before entering the analysis pipeline. This provides a second, independent pass against a comprehensive set of credential patterns, ensuring that any data that escaped client-side redaction is caught before it is stored or processed.
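The following Python example illustrates the two-layer design described above: an on-device pass that runs before an event reaches the local buffer, and a second, independently maintained pass at ingestion that catches whatever the first one missed. It is an added example, not code from Span or from coding-hooks; the regex rules, the event shape and the sample event text are all constructed for illustration (Span's server-side pass uses TruffleHog, whose detector catalogue is far larger than the single extra rule used here to stand in for it).

```python
import re

REDACTED = "[REDACTED]"
NOT_REDACTED = r"(?!\[REDACTED\])"   # makes both passes idempotent

# Constructed illustrative rules: (name, compiled pattern, replacement).
# These stand in for an on-device rule set; they are not Span's patterns.
CLIENT_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), REDACTED),
    ("private_key_block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     REDACTED),
    ("connection_string",   # keep scheme, user and host; drop only the password
     re.compile(r"\b([a-z][a-z0-9+.-]*://[^\s:/@]+:)" + NOT_REDACTED + r"([^\s@]+)(@\S+)"),
     r"\g<1>" + REDACTED + r"\g<3>"),
    ("env_assignment",      # KEY=value lines typical of .env files
     re.compile(r"(?m)^(\s*[A-Z][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)\s*=\s*)" + NOT_REDACTED + r"\S+"),
     r"\g<1>" + REDACTED),
]

# The ingestion pass uses a broader, independently maintained rule set
# (TruffleHog in Span's design). Here it additionally knows bearer tokens,
# so a client running an older rule set still cannot leak one into storage.
SERVER_RULES = CLIENT_RULES + [
    ("bearer_token",
     re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._~+/-]{20,}=*"),
     r"\g<1>" + REDACTED),
]


def redact(text, rules):
    """Apply each rule in order; return the redacted text and the names of rules that fired."""
    fired = []
    for name, pattern, repl in rules:
        text, count = pattern.subn(repl, text)
        if count:
            fired.append(name)
    return text, fired


def on_device(event):
    """Pass 1: scan in memory before the event is written to the local buffer."""
    text, fired = redact(event["text"], CLIENT_RULES)
    return {**event, "text": text, "client_redactions": fired}


def at_ingestion(event):
    """Pass 2: rescan at the server. Anything that fires here escaped pass 1 and
    is worth alerting on, because it means the client rule set is behind."""
    text, fired = redact(event["text"], SERVER_RULES)
    return {**event, "text": text, "ingest_redactions": fired}


def pipeline(event):
    """Full path of one event: device redaction, then ingestion redaction."""
    return at_ingestion(on_device(event))


SAMPLE_EVENT = {  # constructed sample event, not real telemetry
    "session_id": "sess-0001",
    "category": "tool_call",
    "text": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKeyMaterial\n-----END RSA PRIVATE KEY-----\n"
        "DATABASE_URL=postgres://app:s3cret-pw@db.internal:5432/prod\n"
        "OPENAI_API_KEY=sk-constructed-example-value\n"
        "curl -H 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789' https://api.example\n"
    ),
}

if __name__ == "__main__":
    final = pipeline(SAMPLE_EVENT)
    print(final["text"])
    print("client:", final["client_redactions"], "ingest:", final["ingest_redactions"])
```

The `ingest_redactions` list is the useful signal for a defender: in steady state it should be empty, and any rule that fires there identifies a gap in the on-device rule set rather than merely cleaning the data.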
Installation and Network Access
The client agent is deployed as a signed macOS package via MDM. No user interaction is required. No kernel extensions, system extensions, or macOS privacy permissions (TCC/PPPC) are required, so the agent will not trigger any system permission prompts on the developer's machine.
Two outbound HTTPS connections are required:
| Purpose | Direction |
|---|---|
| Telemetry export | Client → Span telemetry endpoint |
| Org policy retrieval | Client → Span registry endpoint |
No other outbound connections are made. The agent does not auto-update or communicate with third-party services.
Removal: a dedicated uninstall tool is planned. Currently removal is performed via MDM.
Org Policy Controls
Policy is managed centrally in Span and propagated to all devices in the org automatically. For environments with strict change control requirements, policy can alternatively be distributed via MDM configuration management.
| Control | Description |
|---|---|
| Prompt capture | Enable or disable capture of prompt and response content |
| Ignore patterns | Glob pattern rules to exclude specific repos, directories, or files |
| Global disable | Reduce all events to minimal metadata only |
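As an added illustration of how the three controls in the table combine on the client, the Python below applies a policy object to a captured event before it is forwarded. It is not Span's code and the policy schema is an assumption: this example treats an event whose repo root or file path matches an ignore glob as dropped entirely, treats "global disable" as keeping only session ID, timestamp and category, and treats "prompt capture off" as clearing prompt and response text while keeping other fields. The sample events are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Constructed policy model for illustration; Span's real policy schema is not
# published on this page.
@dataclass(frozen=True)
class OrgPolicy:
    prompt_capture: bool = True      # "Prompt capture" control
    ignore_patterns: tuple = ()      # "Ignore patterns" control (glob rules)
    global_disable: bool = False     # "Global disable" control

# Fields that survive a global disable (assumption: session-level metadata only).
MINIMAL_FIELDS = ("session_id", "timestamp", "category")
# Fields cleared when prompt capture is off.
CONTENT_FIELDS = ("prompt_text", "response_text")


def is_ignored(event: dict, patterns) -> bool:
    """True if the event's repo root or file path matches any ignore glob.
    fnmatch's '*' crosses '/', so '*/secrets/*' matches at any depth."""
    targets = [event.get("repo_root"), event.get("file_path")]
    return any(t is not None and fnmatch(t, p) for t in targets for p in patterns)


def apply_policy(event: dict, policy: OrgPolicy) -> Optional[dict]:
    """Return the event as the agent would forward it, or None if it is dropped.
    Global disable is evaluated first because it applies to every event."""
    if policy.global_disable:
        return {k: v for k, v in event.items() if k in MINIMAL_FIELDS}
    if is_ignored(event, policy.ignore_patterns):
        return None
    forwarded = dict(event)
    if not policy.prompt_capture:
        for name in CONTENT_FIELDS:
            if name in forwarded:
                forwarded[name] = None
    return forwarded


# Constructed sample events (not real telemetry).
PROMPT_EVENT = {
    "session_id": "sess-42", "timestamp": "2026-05-20T10:00:00Z", "category": "prompt",
    "repo_root": "/Users/dev/work/payments",
    "prompt_text": "add retry to the webhook client",
    "response_text": "Here is a retry wrapper...",
    "model": "claude-sonnet",
}
EDIT_EVENT = {
    "session_id": "sess-42", "timestamp": "2026-05-20T10:01:00Z", "category": "file_edit",
    "repo_root": "/Users/dev/work/payments",
    "file_path": "/Users/dev/work/payments/infra/secrets/db.env",
    "diff": "+DB_PASSWORD=constructed-placeholder",
}

if __name__ == "__main__":
    strict = OrgPolicy(prompt_capture=False, ignore_patterns=("*/secrets/*",))
    print(apply_policy(PROMPT_EVENT, strict))
    print(apply_policy(EDIT_EVENT, strict))
    print(apply_policy(PROMPT_EVENT, OrgPolicy(global_disable=True)))
```

Evaluating the policy on the client, before buffering, is what makes these controls meaningful: an event that is dropped or stripped here never reaches the local buffer, the network, or the ingestion layer.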
Infrastructure & Hosting
Span’s backend is hosted on Amazon Web Services (AWS) exclusively in the United States. No data leaves the US by default. This includes the telemetry ingestion layer, AI analysis pipeline, and analytics database.
Data Segregation
Span enforces strict tenant isolation through separate logical data partitions (Postgres schemas) for each customer org, reinforced by application-level access controls that scope all queries by org ID. Agent trace event data is stored in a designated S3 bucket per tenant, so there is complete data isolation. Regular penetration testing and code reviews explicitly target cross-tenant vulnerabilities.
Access Control
Access control in the Span app follows the same RBAC model as the main Span platform. Admins have full org-level access; manager and developer access is scoped by role, with org admins controlling visibility of aggregated values.
Prompts and full trace details are accessible only for the authors of a given trace.
On the developer machine, the telemetry credential is held only by a root-level system daemon. The client agent runs as the logged-in user and never has access to the credential.
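The two rules stated above for the analytics application, every query scoped by org ID and full trace details visible only to the trace's author, can be made concrete in a small data-access layer. The Python below is an added example, not Span's code: it uses an in-memory SQLite table with an `org_id` column to model the application-level scoping (the per-tenant Postgres schema and per-tenant S3 bucket are not modelled), and the role handling for non-admin viewers (seeing only their own traces) is an assumption, since the page states only that manager and developer access is role-scoped. Rows and viewers are constructed.

```python
import sqlite3
from dataclasses import dataclass

# Constructed table standing in for one org's trace data; the org_id column
# carries the application-level scoping the page describes.
SCHEMA = """
CREATE TABLE traces (
    trace_id    TEXT PRIMARY KEY,
    org_id      TEXT NOT NULL,
    author_id   TEXT NOT NULL,
    summary     TEXT NOT NULL,
    prompt_text TEXT NOT NULL
);
"""

# Constructed rows: two traces in org-a, one in org-b.
SAMPLE_ROWS = [
    ("t1", "org-a", "alice", "Refactored payment retry loop", "alice's full prompt"),
    ("t2", "org-a", "bob",   "Added webhook unit tests",      "bob's full prompt"),
    ("t3", "org-b", "carol", "Migrated config loader",        "carol's full prompt"),
]


@dataclass(frozen=True)
class Viewer:
    user_id: str
    org_id: str   # taken from the authenticated session, never from the request
    role: str     # "admin", "manager" or "developer"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO traces VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_trace(conn, viewer: Viewer, trace_id: str):
    """Fetch one trace. The query is always bound to the viewer's org_id, so a
    trace_id belonging to another tenant is simply not found; the caller cannot
    tell 'missing' from 'foreign'. Prompt text is included only for the author."""
    row = conn.execute(
        "SELECT trace_id, author_id, summary, prompt_text "
        "FROM traces WHERE org_id = ? AND trace_id = ?",
        (viewer.org_id, trace_id),
    ).fetchone()
    if row is None:
        return None
    tid, author_id, summary, prompt_text = row
    result = {"trace_id": tid, "author_id": author_id, "summary": summary}
    if viewer.user_id == author_id:
        result["prompt_text"] = prompt_text
    return result


def list_traces(conn, viewer: Viewer):
    """Summaries visible to the viewer. Admins see the whole org; other roles are
    modelled here as seeing only their own traces (an assumption). Summaries never
    include prompt text, which is only reachable through get_trace."""
    sql = "SELECT trace_id, author_id, summary FROM traces WHERE org_id = ?"
    params = [viewer.org_id]
    if viewer.role != "admin":
        sql += " AND author_id = ?"
        params.append(viewer.user_id)
    rows = conn.execute(sql + " ORDER BY trace_id", params).fetchall()
    return [{"trace_id": t, "author_id": a, "summary": s} for t, a, s in rows]


if __name__ == "__main__":
    db = make_db()
    admin = Viewer("alice", "org-a", "admin")
    print(list_traces(db, admin))
    print(get_trace(db, admin, "t2"))   # summary only: alice did not author t2
    print(get_trace(db, admin, "t3"))   # None: t3 belongs to org-b
```

The point of binding `org_id` inside the data-access functions rather than at each call site is that a forgotten filter becomes impossible: there is no code path that issues a trace query without the viewer's org. The same shape applies to Postgres, where `org_id` would additionally select the tenant's schema.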
Data Retention
Redacted agent trace events are retained according to the customer org's configured retention policy, which defaults to 90 days and can be set as low as 30 days. The default retention period gives more complete analysis and attribution. Processed insights and summaries are retained under the same terms as Span's MSA. Upon termination or expiration, data is deleted from production systems within 30 days and permanently removed from S3 buckets. Span responds to data deletion requests within two business days.
Encryption
Data at rest is encrypted using AES-256. Data in transit is protected by TLS 1.2 or higher. Cryptographic keys are generated via FIPS 140-2 certified hardware security modules (HSMs) or validated cryptographic libraries, with master keys rotated at least annually.
How Span Uses LLMs
Span’s analysis pipeline uses large language models to reconstruct agent traces and generate insights such as session summaries and work classification. Processed outputs are stored in the analytics database. All data processed by LLMs is subject to the same data handling and retention commitments described in this document.
| Provider | Models | Data handling |
|---|---|---|
| Azure OpenAI | GPT-4o, GPT-4o-mini, o1, o3-mini, GPT-5 | Zero Data Retention (ZDR) — Microsoft does not store prompts or completions |
| AWS Bedrock | Claude (Anthropic): claude-haiku, claude-sonnet | Zero Data Retention equivalent — Amazon does not store prompts or use them to train foundation models |
Both providers offer Zero Data Retention (ZDR) commitments: prompts and completions are not logged, stored, or used for model training by the provider.
Specific models may evolve over time as providers update their offerings; any such changes will continue to adhere to the same data handling and retention commitments outlined here.
Span will also offer BYOK support.
Planned Improvements
Span is actively working to address the following ahead of general availability:
| Area | Current state | Planned |
|---|---|---|
| PKG notarization | Apple Notarization | GitHub Notarization |
| Source code | Private repo | Coming soon: open-source core under Apache 2.0, enabling customer security teams to directly audit data handling and redaction |
| MDM guides | Mosyle, IRU, WS1, JAMF | Additional guides available upon request |
| Uninstall tooling | Manual (MDM script) | Dedicated uninstall command and MDM-pushable package |
| OS support | macOS only | Linux and Windows planned |
Hybrid Deployment
For customers with strict data residency requirements, Span aims to support a customer-hosted data option on AWS. At present, we support a customer-managed AWS S3 bucket for storage of Agent Trace events. In the future, we plan to also support hosting the OTel Collector and redaction stages of the data pipeline in the customer's cloud. The former option gives customers data access control and auditability. The latter option ensures that raw telemetry events never cross into Span's infrastructure. Customers interested in the latter option should contact Span to discuss requirements and availability.
Summary
| Property | Detail |
|---|---|
| Deployment | MDM-managed package (Jamf, Addigy, Mosyle) |
| Supported platforms | macOS (Linux and Windows planned) |
| Supported IDEs | AI coding IDEs (currently Cursor and Claude Code) |
| Data in transit | TLS 1.2+ HTTPS |
| Data at rest | AES-256, AWS US |
| Secret redaction | On-device, in memory, before any transmission |
| Tenant isolation | Separate Postgres schemas + org-scoped queries |
| Access control | RBAC — consistent with Span platform |
| Backend AI processing | Azure OpenAI (ZDR) + AWS Bedrock; processed outputs only stored |
| Source code | Private, open-source release planned (Apache 2.0) |
| Network egress | Two Span endpoints (telemetry + policy) |
| Kernel/system extensions | None |
| TCC/PPPC permissions | None required |