Privacy architecture

Prompt content stays inside the endpoint.

Redirective AI is designed around a precise privacy boundary: inspect sensitive content locally, enforce policy before transmission, and send only the security metadata administrators need.

Zero Prompt Content

We do not need a copy of the blocked content to record that policy worked.

Redirective processes necessary tenant, device, user, policy, health, and event metadata. “Zero Prompt Content” describes what the SaaS control plane is designed not to receive—not an inaccurate claim that the service knows nothing.

CONTENT BOUNDARYDESIGN INTENT
Sensitive contentInspected and enforced locally
Security metadataTravels to the dashboard

The metadata path never needs prompt text, matched values, screenshots, or document contents.

Designed not to transmit Content

  • Prompt text or prompt snippets
  • Password or API-key values
  • Access tokens or private keys
  • Source code or trade-secret text
  • Uploaded document contents
  • Screenshots or keystrokes
  • General screen contents
  • General browser-page contents
Technical guardrails

Privacy is a system property, not a preference toggle.

01 / MINIMIZATION

Event schemas exclude prompt fields

Metadata events are purpose-built around enforcement action, category, rule, device, application, versions, and support reference.

02 / LOCALITY

Detection values remain local

The local policy engine uses the content required to make a decision. The SaaS event does not need the detected value to explain the outcome.

03 / HONEST SCOPE

Operational metadata still exists

Tenant and device identity, health, versions, timestamps, and actions are necessary to operate and troubleshoot an enterprise security platform.

Validate the data path

Bring your privacy questions to the architecture review.