// April 29, 2026

AI Use & Data Policy

Snap2Deploy markets “AI-assisted packaging.” That phrase means very different things at different companies, so this page spells out exactly what AI does in our product, what it does not do, and what data does and does not leave your account.

The short version

  • AI is used only at packaging time, to suggest install/uninstall commands and detection rules. AI is not in the deployment path.
  • Your installer binaries do not go to any AI provider. We send only public, structured installer metadata when AI is consulted at all.
  • Nothing about your data is used to train any AI model. Not by us, not by our providers, not under any circumstance.
  • Every AI suggestion is reviewable and reversible. Snap2Deploy never deploys an AI-generated package without an administrator’s approval, and every command, switch, and detection rule is shown to you before deployment.

Where AI shows up in the product

Silent-install switch detection

When you upload a Windows installer, Snap2Deploy needs to know the command-line switches that make it install silently (e.g. /S, /quiet, /qn, --silent). We resolve those in this priority order:

  1. Vendor manifest, first. If the installer is a known winget-published app, we read the silent-install switches straight from the vendor’s public winget manifest. This is structured, public data — no AI involved, no inference. This covers the majority of common apps.
  2. Heuristic fallback, second. If the manifest doesn’t expose silent switches (or the installer isn’t in winget), we apply a small library of rules-of-thumb based on the installer family (NSIS, Inno Setup, MSI, InstallShield, etc.). Still no LLM.
  3. Default fallback. If neither the manifest nor the heuristics give us a confident answer, we fall back to /S and surface a banner on the package page telling you the switch was guessed and you should verify it.

Uninstall command suggestion

For uninstall commands and detection rules, the same priority order applies. We prefer authoritative public data when it exists and fall back to heuristics. Whatever we suggest is presented to you for review on the package detail page; you can override it with one click.

Human approval is mandatory

No matter how a switch or detection rule was generated — from the manifest, from a heuristic, or from any future AI-assisted suggestion — an administrator must explicitly click Deploy before anything reaches your Intune or Jamf tenant. Snap2Deploy does not silently push packages on your behalf. The Auto-Pilot patch automation, when enabled, is also gated to admin/owner roles and only re-deploys versions of apps you have already approved monitoring for.

What data we send to AI providers

At the time of writing, the runtime packaging path does not call any third-party AI provider with customer-controlled inputs. The flows above run on public manifest data and deterministic heuristics. We retain the option to add LLM-based assistance in the future for harder cases (e.g. exotic installer formats), and if we do, we commit to:

  • Sending only metadata, never binaries. An LLM call would receive structured metadata (e.g. installer file name, declared product name, declared installer type, public winget manifest fields) — not the installer itself, not your tenant identifiers, not your member list, not your deployment history.
  • Using providers with no-training data agreements. We will only use AI providers under terms that prohibit customer-data training (e.g. Anthropic’s API zero-data- retention defaults, OpenAI’s no-training-on-API-data policy, or equivalent). We will name any provider we add to our subprocessor list at /subprocessors before it goes live.
  • Logging the suggestion alongside its source. Every package’s detail view will show whether a switch came from the manifest, a heuristic, or an LLM, so you can always tell what produced what.
  • Updating this page first. Adding any runtime AI dependency requires updating this page in the same code change that introduces the dependency.

What we do not do

  • We do not train models on your installers. Your installer binaries are not used as training data, fine-tuning data, or evaluation data. Period.
  • We do not train models on your tenant data. Your Intune/Jamf metadata, deployment history, audit logs, and configuration are not used as training data for any model.
  • We do not auto-deploy AI suggestions. Every deployment requires explicit administrator approval.
  • We do not use AI to make security decisions. Authorization, RBAC enforcement, and credential validation are deterministic application logic — not LLM-mediated.
  • We do not generate scripts that bypass your endpoint protections. Snap2Deploy generates standard install/uninstall commands and detection rules. If your EDR or AppLocker policies block a generated script, that block is working as intended.

How to opt out

If your organization wants to opt out of any AI-assisted suggestion entirely:

  • Use Snap2Deploy in least-privilege mode (no MDM API access). You upload installers, we package them, you review every command and detection rule yourself, and you deploy via your existing tools.
  • Or contact us at security@snap2deploy.com to request an organization-level toggle that disables manifest auto-fill in your account. We’ll work with you on the configuration.

Hallucination & safety

For any AI-assisted suggestion (today: heuristic; potentially tomorrow: LLM), we apply the same guardrails:

  • The suggestion is shown to a human before it is used. Every field is displayed and editable on the package page.
  • Uncertain suggestions are surfaced with a banner that explicitly says “guessed; please verify.”
  • The deployment system never executes free-form text. Install commands, uninstall commands, and detection rules go through the structured Intune Win32 / Jamf policy schemas, which constrain what can be specified.
  • Deployments are logged in your audit log with actor, action, and target, so you can see exactly who deployed what.

Questions

If you need an answer this page doesn’t cover — for example, your security team needs a written statement that Snap2Deploy will never use a specific data category for training, or you need to know what we’d send to an LLM if a feature you’re using calls one — email security@snap2deploy.com. We will give you a direct, written answer.