A repo-shaped workspace runtime. DuckDB for compute. Scoped credentials that never enter the model context. Every tool call streamed to your SIEM. Governance enforced by architecture · not by user training. One layer across Claude, ChatGPT, Cursor, Copilot · and the agents your teams build.
If your security depends on “users won't paste sensitive data into ChatGPT,” it has already failed. AI rolls out in days; governance lags by months.
When the agent reads enterprise data, raw rows enter the model context window. The model could memorize them. The next prompt could leak them. There is no architectural perimeter · and no way to take it back.
When credentials live in the model context window, every agent action carries them. Revoking access means chasing tokens across every AI surface, every laptop, every session.
Without per-tool-call logs streamed to your SIEM, you can't show what the agent touched, when, on whose authority. The rollout doesn't clear the AI Council.
A repo-shaped runtime where the agent executes. DuckDB for analytical compute. Python and shell for execution. Scoped credentials encrypted at the workspace boundary. Every action streamed to your audit pipeline as a structured event.
Sandbox is a per-team, per-workflow workspace. The agent gets a runtime to do its work in · query data, materialize joins, compose answers · without raw data ever entering the model context.
Data returned from Connections lives in DuckDB, not in the model window. The model writes SQL and sees only the result.
Encrypted at the workspace boundary. The LLM never sees a token or key. Real-time revocation across every AI surface.
Every query, file touch, and data source hit streams to Splunk, Datadog, or your-own-SIEM as a structured event.
Queries, joins, skills are versioned, diffable, reviewable. Your context is the asset · readable, exportable, yours.
# Example · SIEM event from one workspace query
{
"timestamp": "2026-06-04T16:42:01Z",
"user": "j.smith@example.com",
"workspace": "cs-ops",
"tool": "connection_query",
"system": "salesforce",
"rows_returned": 47,
"tokens": 8240,
"model": "claude-sonnet-4.5",
"credential_scope": "cs_read",
"pii_redacted": "skyflow:v2",
"workspace_action": "join_materialized"
}The workspace is the security perimeter. Governance is a structural property · your IT team can verify it line by line.
SSO and SCIM inheritance. One place to provision, one place to revoke. Cascades from your IdP.
Cut access at the workspace layer instantly. Every AI surface dark in one command.
Every file entering AI workflow logged and attributed by user, timestamp, agent, destination.
Data returns to the workspace, not the model context. Lower exposure, smaller audit scope.
Every query and data source hit streams to your telemetry stack as a structured event.
We operate the software; you own the data plane. Choose the deployment mode that matches your security posture.
Private deployment inside your AWS, GCP, or Azure account. Workloads pinned to the region you specify. One-click marketplace deploy.
VPC peering or PrivateLink. Customer-managed KMS keys. Network egress allow-listing. Penetration test before go-live.
Self-hosted Kubernetes or bare metal. Air-gap option available. Approved-LLM-list aware. IT-scanned binaries before install.
SSO · SCIM · SIEM · Okta · Azure AD · Splunk · Datadog · Day one
One CLI fans out to 50+ enterprise systems. The agent loads one tool. The workspace handles the routing.
Connections →Product 03Token visibility, routing, and cost attribution. See where every dollar goes. Set budgets. Turn the dials.
Cost Plane →PlatformThe runtime, the context layer, the security perimeter. All three products on one architectural foundation.
Platform overview →Three modes · your VPC (AWS, GCP, Azure), a dedicated VPC peer for hardened landing zones, or fully on-premise for air-gap requirements. We operate the software; you own the data plane.
No. Data returned from Connections lives in DuckDB inside the workspace. The model writes queries against it but sees only the synthesized answer. Raw rows, credentials, and tokens never enter the model context window.
Credentials are scoped per identity, encrypted at the workspace boundary, and never enter the model context. Real-time revocation cuts access at the Sandbox layer instantly · across every AI surface the user touches. SSO and SCIM cascade from your IdP.
Every tool call streams to your SIEM as a structured event · user, workspace, tool, system, tokens, model, credential scope, PII redaction status. Splunk, Datadog, or your-own-SIEM. The audit pipeline your security team already operates.
Yes. The same workspace context, queries, joins, and skills back Claude, ChatGPT, Cursor, Copilot, Codex, Slack, and custom apps. Switch surfaces; the workspace stays.
SOC 2 Type I complete. Type II in progress (Q3 2026). ISO 27001 in progress (Q4 2026). HIPAA BAA available on request. Compliant with GDPR and CCPA by architecture. No-train policy is default and contractual.
Yes. Sandbox runs on self-hosted Kubernetes or bare metal. Air-gap option available. The workspace is aware of your approved-LLM list, and we pre-clear binaries for your IT scan workflow before install.
For PII-sensitive deployments, Sandbox integrates with Skyflow's vault · PII is identified and redacted before data enters the workspace runtime, before any agent sees it, before any model touches it. See Trust & Security for details.

CISO one-pager · architecture diagram · controls matrix · sample SIEM events · NDA template. Everything your security team needs.
