Security & Trust
Designed for the person who has to say “yes, it's safe.”
Wardary lives in the policy-enforcement path. Here's exactly how we keep your regulated data out of AI providers — and how we keep ourselves honest about the limits.
Threat model
The boundary we defend
One sentence defines the whole system: sensitive data must never reach a third-party model in raw form.
The egress boundary
Between your user and the provider sits one enforced seam. Redaction runs before it; the audit record is written across it — even on error or blocked paths.
In scope
Stopping PII, secrets, and policy-violating content from leaving through Wardary. Governing which models receive traffic. Producing a complete, immutable record.
Not yet in scope (and we'll say so)
Wardary does not block leakage through personal accounts on unmanaged devices. It is a sanctioned alternative that displaces shadow AI; an endpoint guard is the committed next surface.
Our guarantees
The controls behind the promise
Redaction before egress is absolute
The threat is sensitive data reaching a third-party provider. Redaction and blocking run inline, in-process, before any outbound call. A redacted value never leaves in the prompt; a blocked prompt is never sent — regardless of any audit setting.
Your keys, your provider contracts
Wardary is bring-your-own-key. Traffic runs under your own provider agreements, so your data is governed by the DPA and no-training terms you negotiated. Keys are envelope-encrypted at rest.
Append-only audit, enforced at the database
Every prompt writes exactly one immutable record. Immutability is enforced in Postgres — not Express middleware — so “append-only” holds up to an auditor. No prompt is ever un-logged.
Hard tenant isolation
A user resolves to exactly one organization, and every query is scoped to it. Cross-tenant isolation is a hard boundary — one org can never see another's chats, usage, policies, or users.
Reversible tokenization, leak-safe by design
Sensitive spans become high-entropy per-request placeholder nonces. The token↔value map is in-memory only and never persisted under a no-retain rule. Restore refuses unknown tokens, closing the hallucinated-token injection vector.
Encrypted at rest, scoped by tenant
Conversation stores and provider credentials are encrypted at rest. Uploaded files in object storage are encrypted and tenant-scoped, and scanned by the redaction pipeline before contents are ever sent.
Data handling
Where your data lives, and for how long
| Data | Where it lives | Retention |
|---|---|---|
| Raw sensitive values (no-retain rules) | Nowhere — never persisted | Request-scoped, in-memory only |
| Redacted (as-sent) prompts | Encrypted audit store, tenant-scoped | Org-configurable window (default 365 days) |
| Conversations & messages | Encrypted at rest, tenant-scoped | Until deleted by the org |
| Provider credentials (BYOK) | Envelope-encrypted | Until rotated or removed |
| Uploaded files | Encrypted object storage, tenant-scoped | Until deleted by the org |
Reading raw-bearing audit fields requires a dedicated entitlement, kept narrow by default.
Provider posture
The allow-list is a legal control, not just a toggle
For a privilege- or HIPAA-bound buyer, which model receives a prompt is a compliance decision. Wardary's allow-list encodes each provider's data-processing and no-training posture, so an admin enables a model knowing its contractual terms — and a disallowed model is rejected server-side, not merely hidden.
Roadmap to certification
We're an early-stage company building toward formal attestations. A hardening pass — encryption-at-rest hardening, row-level security as defense-in-depth, rate-limiting, and real email delivery — lands before our first production customer. We'll tell you exactly where we are on that path, in writing.
How we verify
The “sleep-at-night” tests we hold ourselves to
- Redaction-leak: no raw caught value ever reaches a provider or the audit log
- Cross-tenant isolation: one org can never see another's data
- Audit completeness: every prompt yields exactly one immutable record
- Streaming correctness across OpenAI, Anthropic, and Google
- Enforced-route integrity: an enforce rule can't be bypassed, and no rule routes to a disallowed model