Trust & Security
Exactly what G.A.I.N. collects, what it never touches, and how it works. No ambiguity.
Data flow
On your device
G.A.I.N. detects and redacts risky content locally before a prompt is sent.
Sent to us
Hosted mode sends anonymized event metadata only, such as tool, risk category, timestamp, and action taken.
Never sent
Prompts, files, keystrokes, screenshots, and clipboard contents never leave the device.
What we collect, and what we never touch
What G.A.I.N. collects
- AI tool name (e.g. ChatGPT, Claude)
- Timestamp of the event
- Risk severity (low / medium / high / critical)
- Risk category (e.g. possible API key, source code)
- Department (self-selected during enrollment)
- Action taken (warned / blocked / allowed)
- Content length (character count only, never the content)
What G.A.I.N. never touches
- Prompt content, ever
- Your name, email, or identity
- Any browsing activity outside supported AI tools
- Keystrokes
- Screenshots
- Clipboard contents
Device-level identifiers are recorded and retained for security-incident purposes only. They are never displayed, filterable, searchable, or exportable through the dashboard. The dashboard shows only aggregate and department-level data. Access to device-level data is restricted and logged.
How it works
Detection
100% local, inside your browser. Nothing is scanned on a server. The extension inspects the DOM of supported AI tools only, looking for risk patterns before the prompt is submitted.
Transmission
Only metadata leaves the device, over an encrypted TLS connection: tool name, timestamp, risk category, and action taken. Prompt content is discarded immediately after local analysis.
Storage
Hosted mode stores anonymized event metadata in our Supabase backend in eu-west-1. Event metadata is retained for 90 days to power dashboards and Trust Reports. After 90 days, data is automatically purged. No backups of individual event data are kept.
Extension permissions
The extension is scoped to supported AI tools and does not request broad browsing, clipboard, screenshot, or keystroke access.
Who can see the data
Your event data is visible only to your company's designated admins through the dashboard. In normal operation, CyberWardion staff do not access individual company event data. Any access for support or security is restricted, logged, and granted only with your authorization.
Trust questions
Do you store prompts?
No. Prompt content never leaves the device and is not stored by G.A.I.N.
What reaches CyberWardion in hosted mode?
Only anonymized event metadata, such as tool name, risk category, timestamp, action taken, and content length.
What changes in self-hosted mode?
Self-hosting is available for regulated and enterprise customers. In that mode, event metadata stays inside the customer's environment.
Can admins see employee names?
The dashboard is anonymous by default and does not show employee names.
Questions about security?
Talk to our CEO directly.