AMARI Data Processing Description
For IT and Security Teams Evaluating the AMARI Connector
Wisdom Agent Inc. · getamari.ai/security
What AMARI Does
AMARI is a document verification service. When a lawyer invokes AMARI from within Claude, AMARI checks the document for errors — fabricated citations, inconsistent defined terms, missing provisions, computational mistakes — and returns corrections and a quality assessment. AMARI does not generate documents.
Data Flow
1. LAWYER invokes amari_verify in Claude
│
▼
2. CLAUDE sends the document text to AMARI's MCP server
(encrypted in transit via TLS 1.2+)
│
▼
3. AMARI SERVER loads the document into working memory
(no disk write, no database, no file system)
│
▼
4. AMARI SERVER sends the document to the ANTHROPIC API
for verification analysis
(encrypted in transit via TLS 1.2+)
│
▼
5. ANTHROPIC API processes and returns analysis
(not retained by Anthropic under our commercial terms;
not used for model training)
│
▼
6. AMARI SERVER assembles verification results in memory
│
▼
7. AMARI SERVER returns results to Claude
(corrections, flagged items, quality score, audit trail)
│
▼
8. IN-MEMORY DATA IS DISCARDED
(server restart destroys all document data)
What We Store
| Data | Stored? | Where | Duration |
|---|---|---|---|
| Document text | No | In-memory only during the run | Discarded on run completion |
| Source documents | No | In-memory only during the run | Discarded on run completion |
| Verification results | No | Returned to caller, not retained | Not stored after delivery |
| Account info (email, org name) | Yes | Encrypted database | While account is active |
| Usage metadata (timestamps, page counts, scores) | Yes | Encrypted database | For billing and analytics |
| OAuth tokens | Yes | Encrypted at rest | Revoked on disconnect |
| Document content in logs | No | Never logged | — |
What We Do NOT Do
- No persistent storage of document content — not on disk, not in a database, not in a log file, not anywhere
- No model training on your documents — ever, under any circumstances
- No sharing of document content with any party other than Anthropic for verification processing
- No logging of document text — usage logs contain metadata only (timestamps, page counts, quality scores)
- No cross-user data access — each verification run is isolated; one user's documents are never accessible to another
Third-Party Processors
| Processor | Role | Document Content Exposure |
|---|---|---|
| Anthropic | LLM API — powers the verification analysis | Document text transmitted during the run. Not retained by Anthropic. Not used for training. Governed by our commercial API agreement. |
| Hetzner Cloud | Server hosting | Infrastructure only. Document data exists in-memory on the server. Hetzner does not access server memory. |
| Stripe | Payment processing | No document data. Billing information only. |
| Auth0 / Okta | Authentication | Email address and login credentials only. No document data. |
Security Controls
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ on all connections (client ↔ AMARI, AMARI ↔ Anthropic) |
| Encryption at rest | Not applicable — no document data is stored at rest |
| Authentication | OAuth 2.0 (Claude connector); account IDs (REST API) |
| Access control | Employee/contractor access to systems limited on need-to-know basis |
| Incident response | 72-hour breach notification to affected customers |
Connector Permissions
When you add AMARI as a connector in Claude, the connector:
- Can receive document text that the user explicitly sends for verification via the
amari_verifytool - Cannot access Claude conversations, chat history, memory, or files not explicitly submitted for verification
- Cannot access other connectors' data or other users' sessions
- Cannot take actions in other systems (read-only verification; no write access to any external service)
Compliance
| Regulation | Status |
|---|---|
| GDPR | Document processing on basis of contractual necessity. No persistent storage of personal data within documents. DPA available on request. |
| CCPA/CPRA | No sale of personal information. Deletion requests honored within 30 days. |
| HIPAA | Not HIPAA-certified. Do not submit PHI without a BAA in place. Contact security@getamari.ai for BAA discussions. |
Data Processing Addendum: Our DPA is available at getamari.ai/dpa.
Contact
Security questions: security@getamari.ai Privacy questions: privacy@getamari.ai Full privacy policy: getamari.ai/privacy Terms of service: getamari.ai/terms
Wisdom Agent Inc. · getamari.ai · © 2026 Wisdom Agent Inc. All rights reserved.