Your accounts.
Your control.
Cevran works inside your perimeter, not around it. Three commitments shape every run: review-first for irreversible work, scoped access for every connector, and zero credentials in the conversation layer.
Defaults. Not upsells.
Sending mail, moving money, deleting records, deploying code, escalating tickets — anything irreversible is drafted and queued. Approve to release.
DEFAULT · TUNE PER TOOLEvery connector requests the narrowest OAuth scope it needs. Your workspace context is the perimeter — no cross-tenant reads, no above-seat access.
OAUTH · WORKSPACE-BOUNDCredentials live in the connector layer. The model sees a function name and a result; never the key behind it. Manual keys are vaulted and rotated.
VAULTED · ROTATED · AUDITEDWhere the model sits.
And where it doesn't.
The conversation is one surface. Your connectors are another. They communicate through a typed function-call interface — never through raw credentials.
From sentence
to side-effect.
Six steps between you typing and a thing happening in the world. Every step is logged, every credential is sealed.
We optimize for the path that's hardest to abuse: the model proposes a typed call; the runtime verifies, scopes, and rate-limits it; the world only changes after you (or your policy) signs off.
You write a sentence.
Your message hits the conversation layer alongside workspace context — never your stored credentials.
The model proposes a typed call.
Output is a structured intent: gmail.compose({to, subject, body, review:true}). No tokens. No URLs to your accounts.
The runtime checks scope & policy.
Does this seat have gmail.compose? Is the recipient inside the allowed domain? Is the call under the per-tool quota?
If sensitive: queue for review.
Anything irreversible (send, pay, delete) pauses here. You see a diff of exactly what will happen — and approve, edit, or reject.
The connector executes.
The runtime injects the vaulted token, hits the upstream API, and captures the response. The token never leaves the runtime.
Result returns to chat — redacted.
PII and secrets are stripped before the result enters the model context. The audit log keeps the unredacted version, gated by role.
Audited where it matters.
Reports are available under NDA. Trust center, sub-processor list, and current status live at trust.cevran.com.
What we store. What we don't.
A plain-English summary. The full DPA is the source of truth.
Encrypted at rest with AES-256, scoped to your workspace, retained for the period you set (default: 90 days). Workspace owners can purge any time.
Every function call, with arguments, result codes, and approver. Kept for the audit retention you choose. Exportable to your warehouse on Team.
In a KMS-backed secret store, never in plaintext, never in our logs. Connectors fetch by reference at execution time; tokens never touch the model.
Approval thresholds, allow-lists, custom voices. The smallest amount needed to run your account.
Your prompts, content, and tool results are not used to train shared models. Period. BYOK customers can route to their own model endpoints entirely.
Each workspace is a hard tenant boundary. Cross-tenant access is technically impossible from the application layer.
Even our engineers can't read your OAuth tokens or API keys. The KMS gates everything; access is logged and reviewed.
You pick the model provider per workspace. Default is in-region inference; cross-border routing is an explicit setting.