Trust & Security

Exactly what G.A.I.N. collects, what it never touches, and how it works. No ambiguity.

0 prompts stored
100% on-device detection
0 vendor access in self-host

Data flow

On your device

G.A.I.N. detects and redacts risky content locally before a prompt is sent.

Sent to us

Hosted mode sends anonymized event metadata only, such as tool, risk category, timestamp, and action taken.

Never sent

Prompts, files, keystrokes, screenshots, and clipboard contents never leave the device.

What we collect, and what we never touch

What G.A.I.N. collects

  • AI tool name (e.g. ChatGPT, Claude)
  • Timestamp of the event
  • Risk severity (low / medium / high / critical)
  • Risk category (e.g. possible API key, source code)
  • Department (self-selected during enrollment)
  • Action taken (warned / blocked / allowed)
  • Content length (character count only, never the content)

What G.A.I.N. never touches

  • Prompt content, ever
  • Your name, email, or identity
  • Any browsing activity outside supported AI tools
  • Keystrokes
  • Screenshots
  • Clipboard contents

Device-level data

Device-level identifiers are recorded and retained for security-incident purposes only. They are never displayed, filterable, searchable, or exportable through the dashboard. The dashboard shows only aggregate and department-level data. Access to device-level data is restricted and logged.

How it works

Detection

100% local, inside your browser. Nothing is scanned on a server. The extension inspects the DOM of supported AI tools only, looking for risk patterns before the prompt is submitted.

Transmission

Only metadata leaves the device, over an encrypted TLS connection: tool name, timestamp, risk category, and action taken. Prompt content is discarded immediately after local analysis.

Storage

Hosted mode stores anonymized event metadata in our Supabase backend in eu-west-1. Event metadata is retained for 90 days to power dashboards and Trust Reports. After 90 days, data is automatically purged. No backups of individual event data are kept.

Extension permissions

The extension is scoped to supported AI tools and does not request broad browsing, clipboard, screenshot, or keystroke access.

manifest.json
// Runs only on:
["chatgpt.com", "claude.ai", "gemini.google.com", "perplexity.ai", "copilot.microsoft.com"]
// Does NOT request:
["all_websites", "clipboard", "screenshots", "keystrokes"]
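
One way to check an unpacked extension's manifest against the scope stated above. This is an added example, not G.A.I.N.'s own code: the allowed hosts are the five listed on this page, while the forbidden permission names, the sample manifests, and the file name detect.js are assumptions made for illustration.

```javascript
// Added example, not G.A.I.N.'s code. Hosts come from the page's list; the
// forbidden names are an assumed mapping of the page's wording onto Chrome permissions.
const ALLOWED_HOSTS = new Set(["chatgpt.com", "claude.ai", "gemini.google.com",
  "perplexity.ai", "copilot.microsoft.com"]);
const FORBIDDEN_PERMISSIONS = new Set([
  "clipboardRead", "clipboardWrite",   // clipboard
  "tabCapture", "desktopCapture",      // screenshots / screen capture
  "tabs", "history", "webNavigation",  // broad browsing visibility
]);

const isPattern = (s) => s === "<all_urls>" || s.includes("://");

// Host part of a match pattern; null for <all_urls> or anything malformed.
function hostOf(pattern) {
  const m = /^(?:\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null;
}

function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
    ...perms.filter(isPattern), // Manifest V2 kept host patterns in "permissions"
  ];
  for (const p of patterns) {
    const host = hostOf(p);
    // Assumption: "*.claude.ai" counts as in scope because its base host is listed.
    const base = host && host.startsWith("*.") ? host.slice(2) : host;
    if (!base || !ALLOWED_HOSTS.has(base)) findings.push(`host out of scope: ${p}`);
  }
  for (const perm of perms.filter((p) => !isPattern(p))) {
    if (FORBIDDEN_PERMISSIONS.has(perm)) findings.push(`forbidden permission: ${perm}`);
  }
  return findings;
}

// Constructed sample manifests (not the shipped manifest).
const SCOPED = { manifest_version: 3, permissions: ["storage"],
  host_permissions: ["https://chatgpt.com/*", "https://claude.ai/*"],
  content_scripts: [{ matches: ["https://gemini.google.com/*"], js: ["detect.js"] }] };
const BROAD = { manifest_version: 3, permissions: ["storage", "clipboardRead"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*.google.com/*"], js: ["detect.js"] }] };

console.log(auditManifest(SCOPED));
console.log(auditManifest(BROAD));
```

An empty findings list means every host pattern and permission in the manifest stays inside the stated scope; rerunning the check on each extension update catches a later widening of permissions.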

Who can see the data

Your event data is visible only to your company's designated admins through the dashboard. In normal operation, CyberWardion staff do not access individual company event data. Any access for support or security is restricted, logged, and performed only with your authorization.

Trust questions

Do you store prompts?

No. Prompt content never leaves the device and is not stored by G.A.I.N.

What reaches CyberWardion in hosted mode?

Only anonymized event metadata, such as tool name, risk category, timestamp, action taken, and content length.

What changes in self-hosted mode?

Self-hosting is available for regulated and enterprise customers. In that mode, event metadata stays inside the customer's environment.

Can admins see employee names?

The dashboard is anonymous by default and does not show employee names.

Questions about security?

Talk to our CEO directly.
