External model processing is disabled unless a server operator explicitly configures an AI provider for the relevant feature. Deterministic scanning, scoring, and reports continue when AI is disabled.
AI generation runs only when an AI analysis or guidance feature is explicitly requested and available. It is not required to calculate the Security Score.
For scan analysis, BoringSec sends the domain, score, grade, optional Boring/vibe score, critical/high/total issue counts, and up to 10 findings per affected category with title, severity, and a description capped at 200 characters. For paid MCP guidance, it sends the tool name, report timestamp, provenance/status/headline, finding/severity/confidence/verification counts, analysis profile, engine version, and up to 5 top findings with id, title, severity, confidence, verification status, category, optional location, recommendation, up to 4 evidence strings, and up to 6 evidence-trace kind/message entries; it also sends up to 4 next actions and 4 minimized remediation-plan steps.
The analysis payload does not intentionally include account passwords, scan credentials, cookie values, full page bodies, raw source archives, payment-card data, or full secret values.
If an external provider is enabled later, the minimized request crosses to that provider and its API/business data-handling terms, security controls, abuse-monitoring retention, and transfer safeguards apply. The Privacy Policy and subprocessor disclosure must be updated before that change is enabled in production.