What data leaves your environment
A straight answer, surface by surface. Where a control is provider-default or planned rather than platform-enforced, we say so — we would rather under-claim than have you discover a gap.
The short version
On the governed path we tokenize configured identifiers — names from your roster, plus emails, phone numbers, and addresses (and, where enabled, residual person/secret spans) — reversibly, before the model call, and the mapping never leaves the platform. We send those minimized payloads to provider APIs operating under their no-training default policies. We do not resell or train on your data. Provider-enforced zero-retention routing is on our roadmap, not a shipped control — so we describe no-train as a process commitment, not a routing guarantee.
Surface by surface
| Surface | What leaves | To whom | Minimized? | Retained (our side) | No-train status |
|---|---|---|---|---|---|
| Governed extraction (the recommended path) | Text to extract, with roster names + emails/phones/addresses replaced by stable tokens; dates and times are kept intact (the model needs them) | An LLM provider, through our governed gateway (the full governance chain runs) | Yes — reversible; the token→original map stays in-process and is never persisted | Raw input purged on a retention schedule; a content-free metadata anchor and a per-request cost row are kept | Provider-default. Minimized payloads to a provider under its no-training-by-default terms. Not platform-enforced (no routed ZDR). |
| Extraction — coverage limits | Locations, organization names, and dates are deliberately not tokenized; non-US address formats and names the roster/detector miss may pass through | Same | Partial — falls back to roster + regex when the optional NER detector is unavailable | Same | Provider-default |
| Managed runners / your own machine | Whatever the agent task sends to the model. The machine is yours (outbound-only; no inbound ports); the durable agent token is stored hashed, never in plaintext | An LLM provider via the gateway; the runner host is your infrastructure | Depends on the task (not auto-minimized at the runner layer) | Per-session cost (when configured); audit/trace rows | Provider-default. Bring-your-own-machine strengthens execution privacy, not a no-train guarantee. |
| Our own stores | (does not egress) | — | — | Cost rows, captured-request anchors (purged on schedule), content-free events, approvals, and a hash-chained audit trail | — |
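To make the "Minimized?" column concrete, the block below is an added example written for this page (not the platform's own implementation) of the reversible, stable tokenization the governed path performs before the model call. It assumes a constructed two-name roster and uses deliberately simple, US-centric regexes as stand-ins for the roster + regex fallback; `fake_model` is a constructed stand-in for the provider call, not a real API. Dates and times match no detector and reach the model intact, the token map lives only in the request's own `RequestTokenizer` object, and unknown tokens in model output are left as-is rather than guessed.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed sample roster standing in for a tenant's uploaded names (assumption:
# plain "First Last" strings; the page does not specify the roster format).
ROSTER = ["Ada Lovelace", "Charles Babbage"]

# Detectors in application order. Roster names go first, longest first. The regexes
# are simple, US-centric stand-ins for the page's roster + regex fallback: a non-US
# phone or address format passes through untokenized, which is the coverage limit
# the table states.
DETECTORS = [
    ("NAME", re.compile(r"\b(?:" + "|".join(
        re.escape(n) for n in sorted(ROSTER, key=len, reverse=True)) + r")\b")),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("ADDRESS", re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s)+(?:Street|St|Avenue|Ave|Road|Rd)\b")),
]
# Dates and times match none of the detectors above, so they reach the model intact.
TOKEN_RE = re.compile(r"\[(?:NAME|EMAIL|PHONE|ADDRESS)_\d+\]")


class RequestTokenizer:
    """Reversible token map for exactly one request. It exists only in the memory
    of the request that created it and is never written anywhere."""

    def __init__(self) -> None:
        self._to_token: Dict[Tuple[str, str], str] = {}
        self._to_original: Dict[str, str] = {}
        self._counts: Dict[str, int] = {}

    def _token_for(self, kind: str, original: str) -> str:
        key = (kind, original)
        if key not in self._to_token:  # stable: the same value always gets the same token
            self._counts[kind] = self._counts.get(kind, 0) + 1
            token = f"[{kind}_{self._counts[kind]}]"
            self._to_token[key] = token
            self._to_original[token] = original
        return self._to_token[key]

    def tokenize(self, text: str) -> str:
        """Replace every configured identifier with a stable token."""
        for kind, rx in DETECTORS:
            text = rx.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def detokenize(self, text: str) -> str:
        """Restore originals in model output. Unknown tokens are left as-is rather
        than guessed, so a hallucinated token cannot surface someone else's data."""
        return TOKEN_RE.sub(lambda m: self._to_original.get(m.group(0), m.group(0)), text)


def fake_model(minimized: str) -> str:
    """Constructed stand-in for the provider call (not a real API). It only ever
    sees tokens and dates, and 'extracts' the first of each it finds."""
    def first(pattern: str) -> str:
        m = re.search(pattern, minimized)
        return m.group(0) if m else "?"
    who = first(r"\[NAME_\d+\]")
    when = first(r"\d{4}-\d{2}-\d{2}")
    contact = first(r"\[EMAIL_\d+\]")
    return f"who={who} when={when} contact={contact}"


def governed_call(raw_text: str, model: Callable[[str], str]) -> str:
    """The governed path in miniature: tokenize, call, detokenize. The map is a
    local of this frame, so when the function returns there is nothing to persist."""
    tok = RequestTokenizer()
    minimized = tok.tokenize(raw_text)  # the only string that egresses
    return tok.detokenize(model(minimized))


# Constructed input, not real data.
SAMPLE = ("On 2024-03-14 at 10:30, Ada Lovelace (ada@example.com, 555-123-4567) "
          "asked to ship to 12 Analytical Engine Street. Ada Lovelace will confirm.")

if __name__ == "__main__":
    print(RequestTokenizer().tokenize(SAMPLE))
    print(governed_call(SAMPLE, fake_model))
```

Running it shows the provider-bound payload as `On 2024-03-14 at 10:30, [NAME_1] ([EMAIL_1], [PHONE_1]) asked to ship to [ADDRESS_1]. [NAME_1] will confirm.` and the detokenized result `who=Ada Lovelace when=2024-03-14 contact=ada@example.com`. Swapping the regex detectors for an NER model changes coverage, not the map's lifetime, which is the property the table is making a claim about.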
Retention & deletion
- Raw inputs (e.g. forwarded email bodies) are purged on a schedule; a content-free metadata anchor remains for idempotency and audit.
- Members can delete their account; their personal data is removed, while org-shared records and records we are legally required to keep are retained for as long as the obligation requires.
- Organizations can request full teardown; a request-driven worker hard-deletes the org’s data while preserving billing, invoices, and audit records required by law, and writes a content-free proof-of-deletion record.
What we will not claim
- We do not claim a routed, provider-enforced zero-retention guarantee — that is roadmap.
- We do not claim tamper-evident signed audit export today — the audit trail is server-side hash-chained; cryptographically signed envelopes are roadmap.
- We do not put internal cross-tenant operations tooling in front of you and call it a feature.
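To make the "server-side hash-chained" audit trail concrete, here is an added example written for this page (not the platform's code) that appends content-free rows to a chain and verifies it. The events are constructed. It shows both what the chain catches (an edited row, and an edited row that was rehashed on its own) and why the page lists signed envelopes as roadmap: an unsigned chain only proves consistency with itself, so a party able to rewrite every later row leaves nothing for the verifier to notice.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first row


def _canonical(obj: Dict) -> bytes:
    # Deterministic encoding: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash: str, seq: int, event: Dict) -> str:
    return hashlib.sha256(
        _canonical({"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


def append_event(chain: List[Dict], event: Dict) -> Dict:
    """Append a content-free event; its hash commits to the whole chain before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    row = {"seq": len(chain), "prev_hash": prev, "event": event,
           "hash": row_hash(prev, len(chain), event)}
    chain.append(row)
    return row


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return None if every row links correctly, else the seq of the first bad row."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if (row["seq"] != i or row["prev_hash"] != prev
                or row["hash"] != row_hash(prev, i, row["event"])):
            return i
        prev = row["hash"]
    return None


# Constructed events; like the page's audit rows they carry no customer content.
SAMPLE_EVENTS = [
    {"type": "extraction.requested", "actor": "user:42", "request": "req-0001"},
    {"type": "extraction.completed", "actor": "gateway", "request": "req-0001"},
    {"type": "retention.purged", "actor": "scheduler", "request": "req-0001"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tamper_demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Intact chain -> None. Editing row 1 -> detected at 1. Rehashing row 1 alone
    -> detected at 2, because row 2 still commits to the old hash. A signature over
    the chain head (roadmap on the page) is what would also bind the whole chain
    to a key the server-side writer does not hold."""
    chain = build_sample_chain()
    intact = verify_chain(chain)
    edited = copy.deepcopy(chain)
    edited[1]["event"]["actor"] = "someone-else"
    detected = verify_chain(edited)
    edited[1]["hash"] = row_hash(edited[1]["prev_hash"], 1, edited[1]["event"])
    detected_after_rehash = verify_chain(edited)
    return intact, detected, detected_after_rehash


if __name__ == "__main__":
    print(tamper_demo())  # (None, 1, 2)
```

The verifier only needs the rows and the genesis value, so a customer-side copy of the exported chain can be rechecked independently; what it cannot tell you is whether the exporter rebuilt the chain before exporting, which is the gap the signed-envelope item above is about.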
See the Reference Architecture for how these controls fit together, and Security for the broader posture.