Security & Privacy

Privacy is not an add-on feature in the AI era: it is the main bottleneck keeping AI agents out of production deployments. Privane is engineered from day one around context sovereignty.

By decoupling model reasoning from tool execution, we ensure you never have to trade your intellectual property or customer data to achieve system autonomy.


The Core Security Pillars

1. Local Reasoning Isolation

All core LLM reasoning, context retrieval, KV-caching, and prompt construction occur fully within your secure boundary (whether inside your browser tab via WebGPU or inside your isolated server environment via the CLI).

  • Zero Leakage: Your prompts, document chunks, personal files, and database queries are never uploaded to the Privane cloud or any external LLM provider. The only data that crosses the local boundary is the parameter set of an explicit managed-connector call (see the data table below).
  • No Training: Your context is processed in volatile local memory and is never recorded or used for model training.

2. Encrypted Auth & Gateway Architecture

Our managed gateway (api.privane.dev) acts as a secure connector fabric.

  • Encrypted Credential Storage: OAuth tokens and SaaS API credentials are stored encrypted with industry-standard AES-GCM. This is encryption at rest, not zero-knowledge: the gateway holds the key and decrypts a token at dispatch time, so it must be trusted with the credential.
  • Scoped Execution: When your local agent decides to write to Slack or GitHub, the local engine dispatches only the exact parameters required for that specific tool invocation (e.g. channel and message). The gateway decrypts the token, dispatches the request to the SaaS provider, and routes only the raw JSON response back.
  • Transient Dispatches: The Privane Gateway never logs tool payloads. All execution context is entirely ephemeral.

3. Permission-Scoped Tool Access

Rather than granting agents wildcard administrative access to your tools, Privane uses strict OAuth scoping:

  • Read-Only Scopes: You can lock tools down to specific levels (e.g. allowing an agent to search GitHub issues but strictly prohibiting code modifications or repository deletion).
  • User Confirmation Filters: You can easily inject validation interceptors into the @privane/tools runtime that require manual human-in-the-loop approvals before executing sensitive cloud or local actions.

4. Sandboxed Local Tool Environments

For tools that run locally (e.g. reading from local folders or running terminal actions):

  • Workspace Locking: The filesystem tool can be restricted to an absolute workspace directory, preventing the LLM from traversing your system root folder.
  • Process Restrictions: The shell runner limits process executions to pre-approved terminal binaries, reducing the blast radius of prompt-injection attacks in which an agent is tricked into running destructive commands. An allowlisted binary can still do damage through its arguments (e.g. a force push or a recursive delete), so pair the allowlist with the confirmation interceptors described above for sensitive actions.

5. Self-Hosted Execution Gateways (Enterprise)

For enterprise partners requiring absolute data custody:

  • You can self-host the entire Privane Tool Gateway within your private VPC (Virtual Private Cloud).
  • This routes SaaS integrations, local database adapters, and hosted browsers fully through your own network perimeter, bypassing the api.privane.dev endpoints completely.

Context Sovereignty & Zero-Storage Guarantees

Privane is architected so that workspace data leaves the local boundary only through the explicit channels listed below. The table is the operational boundary of what is permitted to leave your workspace:

| Data Category | Processed Locally | Transmitted to Cloud | Stored on api.privane.dev | Rationale |
|---|---|---|---|---|
| Model Weights & Prompts | YES (100%) | NO | NO | Reasoning computed fully on secure local hardware. |
| Local File Contents | YES (100%) | NO | NO | Local filesystem tools read/write within client-locked boundaries. |
| Local SQLite Schemas/Data | YES (100%) | NO | NO | SQL query parameters execute on-device and are fully local. |
| SaaS OAuth Tokens | YES (Encrypted) | YES (During Auth) | YES (Encrypted cache) | Required to authenticate Slack, GitHub, and Jira cloud dispatches. |
| Tool Execution Parameters | YES | YES (During Call) | NO (Transient) | Ephemeral payload passed only to execute the requested command. |
| Usage Metrics & Logs | YES | YES (Metadata Only) | YES (For billing) | Stores run IDs, token limits, and durations for invoice tracing. |

Strict Ephemeral Processing Mandate

When a managed SaaS connector (e.g. slack.sendMessage) or a Hosted Browser action is triggered:

  1. The local SDK wraps parameters (like #channel and text) inside an encrypted transit envelope.
  2. The payload is sent to api.privane.dev.
  3. The stateless Gateway API instance decrypts the token, routes the structured request directly to the target platform, and passes back only the raw API response.
  4. All payload parameters are flushed instantly from memory. No logs of prompt contexts, local file values, or structural payloads are ever committed to a database, hard disk, or cloud trace.