Data Handling and Privacy

site/docs/red-team/troubleshooting/data-handling.md


This page explains what data leaves your machine during red team testing and how to control it.

Data Flow Overview

Red team testing involves three distinct operations, each with different data requirements:

| Operation | What Runs | Data Sent Externally |
|---|---|---|
| Target evaluation | Always local | Only to your configured LLM provider |
| Test generation | Local or remote | Depends on configuration (see below) |
| Result grading | Local or remote | Depends on configuration (see below) |

Your target model is always evaluated locally. Promptfoo never receives your target's responses unless you're using remote grading.

Default Behavior (No API Key)

Without an OPENAI_API_KEY or a usable Codex/ChatGPT login, Promptfoo uses hosted inference for test generation and grading. The following data is sent to api.promptfoo.app:

For test generation:

  • Application purpose (from your config's purpose field)
  • Plugin configuration and settings
  • Your email (for usage tracking)

For grading:

  • The prompt sent to your target
  • Your target's response
  • Grading criteria

Never sent:

  • API keys or credentials
  • Your promptfooconfig.yaml file
  • Model weights or training data
  • Files from your filesystem (unless explicitly configured in prompts)

With Your Own API Key

Setting OPENAI_API_KEY routes generation and grading through your OpenAI account instead of promptfoo servers:

```bash
export OPENAI_API_KEY=sk-...
```

Or configure a different provider for grading:

```yaml
redteam:
  provider: anthropic:messages:claude-sonnet-4-20250514
```

With this configuration, promptfoo servers receive only telemetry.

With Your ChatGPT Subscription

If Codex is installed and signed in with ChatGPT, Promptfoo can use openai:codex-sdk locally for default text generation and grading when no higher-priority API credentials are configured. Remote-only plugins still use hosted inference, and embedding/moderation assertions still require a provider override with API credentials.

Remote-Only Plugins

Some plugins require promptfoo's hosted inference and cannot run locally. These are marked with 🌐 in the plugin documentation.

Remote-only plugins include:

  • Harmful content plugins (harmful:*)
  • Bias plugins
  • Domain-specific plugins (medical, financial, insurance, pharmacy, ecommerce)
  • Security plugins: ssrf, bola, bfla, indirect-prompt-injection, ascii-smuggling
  • Others: competitors, hijacking, off-topic, system-prompt-override

Remote-only strategies include: audio, citation, gcg, goat, jailbreak:composite, jailbreak:hydra, jailbreak:likert, jailbreak:meta

Disabling Remote Generation

To run entirely locally:

```bash
export PROMPTFOO_DISABLE_REMOTE_GENERATION=true
```

This disables all remote-only plugins and strategies. You must provide your own OPENAI_API_KEY or configure a local model for generation and grading.

For red-team-specific control (keeps SimulatedUser remote generation enabled):

```bash
export PROMPTFOO_DISABLE_REDTEAM_REMOTE_GENERATION=true
```

See Configuring Inference for detailed setup.

Telemetry

Promptfoo collects anonymous usage telemetry:

  • Commands run (redteam generate, redteam run, etc.)
  • Plugin and strategy types used (not content)
  • Assertion types

No prompt content, responses, or personally identifiable information is included.

To disable:

```bash
export PROMPTFOO_DISABLE_TELEMETRY=1
```

See Telemetry Configuration for details.

Network Requirements

When using remote generation, promptfoo requires access to:

| Domain | Purpose |
|---|---|
| api.promptfoo.app | Test generation and grading |
| api.promptfoo.dev | Consent tracking for harmful plugins |
| a.promptfoo.app | Telemetry (PostHog) |

If blocked by your firewall, see Remote Generation Troubleshooting.
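
As an added example (not Promptfoo's own code), the shell functions below model the rules stated on this page to predict which of the three domains a run would contact, so the result can be compared with a firewall allowlist before testing. The function names `is_remote_only` and `expected_egress` are hypothetical. Assumptions: a Codex/ChatGPT login, a `redteam.provider` override and `PROMPTFOO_DISABLE_REDTEAM_REMOTE_GENERATION` are not modelled, and bias and domain-specific plugins are left out because this page gives no ids for them.

```bash
#!/bin/sh
# Added example: encodes the rules described on this page; it does not inspect Promptfoo.

# is_remote_only ID -> exit 0 if this page lists ID as a remote-only plugin or strategy.
# Bias and domain-specific plugins are also remote-only but have no ids on the page.
is_remote_only() {
  case "$1" in
    harmful:*|ssrf|bola|bfla|indirect-prompt-injection|ascii-smuggling) return 0 ;;
    competitors|hijacking|off-topic|system-prompt-override) return 0 ;;
    audio|citation|gcg|goat) return 0 ;;
    jailbreak:composite|jailbreak:hydra|jailbreak:likert|jailbreak:meta) return 0 ;;
  esac
  return 1
}

# expected_egress ID... -> prints, one per line, the Promptfoo domains implied by
# the current environment and the given plugin/strategy ids.
expected_egress() {
  remote_off=0
  hosted=0
  harmful=0
  # Value "true" is the one shown on this page.
  [ "${PROMPTFOO_DISABLE_REMOTE_GENERATION:-}" = "true" ] && remote_off=1
  # Default behaviour: without your own key, generation and grading are hosted.
  # Assumption: no Codex/ChatGPT login and no redteam.provider override exist.
  [ -z "${OPENAI_API_KEY:-}" ] && hosted=1
  for id in "$@"; do
    if is_remote_only "$id"; then
      hosted=1   # remote-only items use hosted inference even with your own key
      case "$id" in harmful:*) harmful=1 ;; esac
    fi
  done
  # Assumption: disabling remote generation also removes the consent-tracking
  # call, because the harmful plugins themselves are disabled.
  if [ "$remote_off" -eq 0 ]; then
    [ "$hosted" -eq 1 ] && echo "api.promptfoo.app"
    [ "$harmful" -eq 1 ] && echo "api.promptfoo.dev"
  fi
  [ "${PROMPTFOO_DISABLE_TELEMETRY:-}" = "1" ] || echo "a.promptfoo.app"
  return 0
}
```

Call it with the plugin and strategy ids from your config, for example `expected_egress ssrf jailbreak:meta`, and diff the output against what your egress policy permits.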

Enterprise Deployment

For organizations requiring complete network isolation:

Promptfoo Enterprise On-Prem provides:

  • Dedicated runner within your network perimeter
  • Full air-gapped operation
  • Self-hosted inference for all plugins
  • No data transmission to external servers

See the Enterprise Overview for deployment options.

Configuration Summary

| Requirement | Configuration |
|---|---|
| No data to Promptfoo servers | Use API-key/local providers for every generation, grading, embedding, and moderation path; avoid remote-only plugins; set PROMPTFOO_DISABLE_TELEMETRY=1 |
| Local generation only | Set PROMPTFOO_DISABLE_REMOTE_GENERATION=true + configure local provider |
| Air-gapped deployment | Use Enterprise On-Prem |