Today · Roll out · Governed AI execution

Sandbox. Unblock every team. Security signs off.

A repo-shaped workspace runtime. DuckDB for compute. Scoped credentials that never enter the model context. Every tool call streamed to your SIEM. Governance enforced by architecture · not by user training. One layer across Claude, ChatGPT, Cursor, Copilot · and the agents your teams build.

ClaudeChatGPTCursorGitHub CopilotMCP-compatible client
Trusted byDuploCloudSybillFresh KDSFrore SystemsSkyflowTheom
The problem

Governing AI by user training doesn't scale.

If your security depends on “users won't paste sensitive data into ChatGPT,” it has already failed. AI rolls out in days; governance lags by months.

Raw records in model context

When the agent reads enterprise data, raw rows enter the model context window. The model could memorize them. The next prompt could leak them. There is no architectural perimeter · and no way to take it back.

Credentials in context

When credentials live in the model context window, every agent action carries them. Revoking access means chasing tokens across every AI surface, every laptop, every session.

No audit trail

Without per-tool-call logs streamed to your SIEM, you can't show what the agent touched, when, on whose authority. The rollout doesn't clear the AI Council.

How Sandbox works

The workspace is the perimeter.

A repo-shaped runtime where the agent executes. DuckDB for analytical compute. Python and shell for execution. Scoped credentials encrypted at the workspace boundary. Every action streamed to your audit pipeline as a structured event.

The runtime

Sandbox is a per-team, per-workflow workspace. The agent gets a runtime to do its work in · query data, materialize joins, compose answers · without raw data ever entering the model context.

Compute in DuckDB

Data returned from Connections lives in DuckDB, not in the model window. The model writes SQL and sees only the result.

Scoped credentials

Encrypted at the workspace boundary. The LLM never sees a token or key. Real-time revocation across every AI surface.

Per-tool-call SIEM events

Every query, file touch, and data source hit streams to Splunk, Datadog, or your-own-SIEM as a structured event.

Repo-shaped artifacts

Queries, joins, skills are versioned, diffable, reviewable. Your context is the asset · readable, exportable, yours.

Trust & security →
# Example · SIEM event from one workspace query
{
  "timestamp": "2026-06-04T16:42:01Z",
  "user": "j.smith@example.com",
  "workspace": "cs-ops",
  "tool": "connection_query",
  "system": "salesforce",
  "rows_returned": 47,
  "tokens": 8240,
  "model": "claude-sonnet-4.5",
  "credential_scope": "cs_read",
  "pii_redacted": "skyflow:v2",
  "workspace_action": "join_materialized"
}
Five control points

Enforced by structure. Not by training.

The workspace is the security perimeter. Governance is a structural property · your IT team can verify it line by line.

Control 01

Centralized identity

SSO and SCIM inheritance. One place to provision, one place to revoke. Cascades from your IdP.

Control 02

Real-time revocation

Cut access at the workspace layer instantly. Every AI surface dark in one command.

Control 03

Auditable file uploads

Every file entering AI workflow logged and attributed by user, timestamp, agent, destination.

Control 04

CLI shrinks the surface

Data returns to the workspace, not the model context. Lower exposure, smaller audit scope.

Control 05

Per-tool-call SIEM

Every query and data source hit streams to your telemetry stack as a structured event.

Deployment

Three modes. Your data never leaves your environment.

We operate the software; you own the data plane. Choose the deployment mode that matches your security posture.

01

Cloud · VPC

Private deployment inside your AWS, GCP, or Azure account. Workloads pinned to the region you specify. One-click marketplace deploy.

02

Dedicated VPC peer

VPC peering or PrivateLink. Customer-managed KMS keys. Network egress allow-listing. Penetration test before go-live.

03

On-premise

Self-hosted Kubernetes or bare metal. Air-gap option available. Approved-LLM-list aware. IT-scanned binaries before install.

SSO · SCIM · SIEM · Okta · Azure AD · Splunk · Datadog · Day one

FAQ

Common questions about Sandbox.

Where does Sandbox deploy?

Three modes · your VPC (AWS, GCP, Azure), a dedicated VPC peer for hardened landing zones, or fully on-premise for air-gap requirements. We operate the software; you own the data plane.

Does the LLM ever see raw enterprise data?

No. Data returned from Connections lives in DuckDB inside the workspace. The model writes queries against it but sees only the synthesized answer. Raw rows, credentials, and tokens never enter the model context window.

How are credentials handled?

Credentials are scoped per identity, encrypted at the workspace boundary, and never enter the model context. Real-time revocation cuts access at the Sandbox layer instantly · across every AI surface the user touches. SSO and SCIM cascade from your IdP.

What does the audit trail look like?

Every tool call streams to your SIEM as a structured event · user, workspace, tool, system, tokens, model, credential scope, PII redaction status. Splunk, Datadog, or your-own-SIEM. The audit pipeline your security team already operates.

Is the workspace portable between AI surfaces?

Yes. The same workspace context, queries, joins, and skills back Claude, ChatGPT, Cursor, Copilot, Codex, Slack, and custom apps. Switch surfaces; the workspace stays.

What's your compliance posture?

SOC 2 Type I complete. Type II in progress (Q3 2026). ISO 27001 in progress (Q4 2026). HIPAA BAA available on request. Compliant with GDPR and CCPA by architecture. No-train policy is default and contractual.

Can I deploy on-premise / air-gap?

Yes. Sandbox runs on self-hosted Kubernetes or bare metal. Air-gap option available. The workspace is aware of your approved-LLM list, and we pre-clear binaries for your IT scan workflow before install.

How does this work with Skyflow for PII?

For PII-sensitive deployments, Sandbox integrates with Skyflow's vault · PII is identified and redacted before data enters the workspace runtime, before any agent sees it, before any model touches it. See Trust & Security for details.

Sandboxed by default

Scoped credentials. SIEM stream. Architecture, not policy.

Bring it to your security review.

CISO one-pager · architecture diagram · controls matrix · sample SIEM events · NDA template. Everything your security team needs.