Trust & transparency

Transparent by default. Auditable by design.

One shared AI workspace without giving up control: your subscriptions and keys stay yours, each person’s memory stays scoped to them, and every run is metered and recorded — so you always know what ran, what it cost, and who approved it.

Principles

Security built into the core

Not an afterthought — these apply to every plan, on every run.

BYOK / BYOA

Bring your own keys or your own subscriptions. You hold the provider relationship; PrivateForge orchestrates around it.

Credentials stay scoped

Keys are KMS-encrypted and never shown to anyone after you save them. Shared connections grant usage — never the key itself — and are revocable in one click.

A ledger you can read

Plan fees, credit usage, and your own provider spend are tracked and shown separately — no hidden line items, no surprise bills.

Append-only audit trail

Every routing decision, share, and tool call is recorded for review — and the log can’t be quietly edited after the fact.

Plan-mode transparency

See how a task was decomposed and where each step will route before it runs — no black-box automation.

Boundaries that hold

Memory never crosses workspaces or tenants. Approval-first workflows gate plugins, connectors, and shares on every plan.

Data handling

You stay in control of your data

PrivateForge is bring-your-own by design. Inference runs under your credentials, histories stay scoped to their owners, and approval-first controls govern what connectors and plugins can ever run.

  • Approval-first plugin & connector workflow
  • Per-user and per-kid caps with a pause-first credit gate
  • Enterprise BYOK-only inference on your own keys

On the roadmap

  • SSO / SAML + SCIM for Enterprise
  • DLP redaction & SIEM audit export
  • Expanded data-residency regions

Roadmap items are planned and subject to change — sales can share current status for Enterprise deployments.

Straight answers

What runs where

Privacy claims should be checkable. Here is exactly where your data lives — including when your own machine runs the model.

Stays on your machine

  • Your provider sign-ins for local CLIs — kept in your OS keychain by the local connector. PrivateForge never sees your provider passwords.
  • The model run itself, when you pair a machine and use your own subscription — your account, your hardware, your provider relationship.

Runs through PrivateForge Cloud

  • Your chats, attachments, artifacts, and memory — processed and stored (over TLS, encrypted at rest) so history, sharing, and family or workspace features work on every device.
  • Routing, safety gates, and metering for every run — including runs your own machine executes, which route through PrivateForge.
  • Bring-your-own keys, encrypted with KMS, decrypted only at request time — never shown to anyone after you save them, including people you share with.

Your data does pass through our servers — that’s what makes a shared, multi-device workspace possible, and we’d rather say it plainly than imply otherwise. What stays yours: your provider relationship, your sign-ins, and your keys.

Security you can actually verify

Scoped credentials, a readable cost ledger, and an append-only audit trail on every run.