Last updated: June 4, 2026

AI Transparency

AI is woven into Scitor in places where it saves time without taking decisions away from your team. This page explains exactly what runs, what data it touches, what we never do, and how to turn it off.

In short

  • We never train on your data. No customer message, ticket, or reply is used to train, fine-tune, or evaluate any AI model — ours or our providers'.
  • AI is optional. All AI features are off-by-default on the Free plan and can be disabled on any plan via your scitor.yaml.
  • AI is paid. AI features (triage on inbound, drafting in the dashboard, quick adjustments, KB search) require the Pro or Enterprise plan.
  • Data minimization. Each AI call sends the smallest amount of context that gets the job done — typically the ticket title, the most recent message, and a handful of knowledge-base excerpts. Bounded by hard token caps on every request.
  • Edge inference. All AI runs on Cloudflare Workers AI in the same region as your data. We do not call OpenAI, Anthropic, or any third party for the AI features described below.

What we use AI for

AI features fall into two buckets — automated triage that runs on inbound tickets, and assistive features in the agent dashboard. Both are paid-plan features.

1. Inbound triage (automatic)

When a new email or form submission arrives, Scitor runs a single AI pass to produce four short labels and a one-sentence summary:

  • Sentiment — positive / neutral / negative
  • Category — bug-report, feature-request, billing, question, account, other
  • Priority — urgent / high / medium / low (overridable by routing rules)
  • Spam score — clean / medium / high (combined with rate limits + block lists)
  • One-sentence summary — a brief recap of the customer's ask, posted as a hidden comment for the agent

What's sent: the email subject + body (truncated to ~2 KB) and any plain-text attachments. What's never sent: previous ticket history, contact data, or anything from other tickets.

2. Dashboard drafting & quick adjustments (agent-triggered)

In app.scitor.io, agents can ask AI to draft a reply or refine the current draft. Triggered explicitly via the "AI draft" button, the slash menu, or one of the quick-action presets (more concise, more formal, fix grammar, longer, shorter, summarize the ticket).

What's sent per request:

  • The ticket title and body (truncated to ~2 KB)
  • The agent's current draft, if any (truncated to ~2 KB)
  • The agent's instruction (capped at 500 characters)
  • Up to four knowledge-base excerpts retrieved via vector search over your docs only
  • The agent's GitHub display name — used so the AI signs the draft correctly

What's never sent: other customers' tickets, billing/account data, contents of repos Scitor isn't installed on, and anything from other tenants.

Output is capped at ~500 tokens (~375 words). When the model doesn't know a value (the customer's name, an order ID, …) it uses {{customer_name}} placeholders the agent fills in before sending — so the AI never invents facts about a specific customer.

3. Knowledge-base search (agent-triggered)

The /search ai command and the knowledge-base citations in dashboard drafts use semantic search over your repo's docs/ folder. Embeddings for your articles are stored in Cloudflare AutoRAG within your installation's region. Customer messages are not embedded.

What we never do

  • No training. Your tickets, replies, contacts, and knowledge-base articles are never used to train, fine-tune, or evaluate any model — ours or our providers'. Our agreement with Cloudflare Workers AI specifies the same.
  • No cross-tenant context. Each AI request includes only data from the current installation. We don't aggregate tickets across customers to build "smarter" models.
  • No silent data sharing. The list of providers below is exhaustive. We don't forward AI requests to third parties beyond Cloudflare Workers AI.
  • No AI-only decisions on sensitive actions. Sending a reply, closing a ticket, refunding a charge — these always require a human click. AI proposes; agents dispose.
  • No retention beyond the request. AI request/response bodies are not logged. Cloudflare Workers AI processes the request in-memory and discards it.

Models & sub-processors

The AI features described above use the following models, all served by Cloudflare Workers AI:

Used for Model Provider
Inbound triage + dashboard drafting + quick adjustments @cf/meta/llama-3.1-8b-instruct-fp8 Cloudflare Workers AI
Knowledge-base semantic search & citations AutoRAG (managed RAG pipeline) Cloudflare AutoRAG

Models can change as Cloudflare releases newer/better options. We update this page whenever the model changes. Your existing data stays in place; you don't need to re-index or re-configure anything.

Your controls

  • Turn off inbound triage: add ai: { enabled: false } to your .github/scitor.yaml. Tickets will continue to be created, but no AI labels, summary, or sentiment will be applied.
  • Turn off dashboard drafting: downgrade to the Free plan, or remove the Pro/Enterprise entitlement. The AI buttons and slash items in the dashboard disappear; everything else continues to work.
  • Per-request opt-out: dashboard AI features are agent-triggered, so the simplest opt-out is "don't click them". Inbound triage runs server-side, so the YAML setting is the way to disable it.
  • Rate & budget limits: dashboard AI is rate-limited per installation per day (50 on Pro, 500 on Enterprise) so a runaway loop can't burn through your budget. Each request has hard caps on input and output token size.
  • Data export & deletion: AI does not create new records — outputs are written into the same GitHub Issues / comments your team controls. Deleting a ticket on GitHub deletes its AI-generated labels and summary with it. Uninstalling the GitHub App removes Scitor's access; we retain only the minimal billing records described in our Privacy Policy.

Changes & audit

Material changes to this page are listed below. When we change something that affects what data is sent to AI providers, we'll announce it on the blog and via a banner in the dashboard at least 14 days before the change takes effect.

  • June 4, 2026 — initial publication.

Questions

Send anything we haven't covered to support@scitor.io and we'll get back to you. We're happy to discuss specifics for security reviews or vendor assessments.