Try Kodus.Ai
Trust · Data boundary

Keep repos on hardware you trust while intelligence lives where policy allows

Your working tree stays local. You choose what crosses the wire: cloud inference sends the prompt and attachments you authorize; local models keep tokens on your VLAN.

Try Kodus.Ai See it in action
  • Local workspaces · reviewable diffs
  • BYO Ollama / LM Studio routing
  • Classify repos like you classify mail
data-boundary-notes.md - trust output
Workspace“Yellow repo under review”
PromptScoped excerpt + citations
BoundaryCloud vs local endpoint pinned
EvidenceSubprocessors + DPIA appendix
Privacy boundary

From vague “the AI saw everything” anxiety to documented controls buyers can cite

Tie every sensitive workspace to a concrete posture: what may egress, which subprocessors activate, where local inference is mandated, and who signs off.

  • Default to scoped context instead of dumping whole repos
  • Pin regulated trees to LAN-only model endpoints first
  • Treat attachments and screenshots like any SaaS inbox payload
  • Pair with Security controls for deterministic blocking gates
  • Keep routing and budgets predictable as teams scale usage
Try Kodus.Ai View pricing
Active posture: Hybrid
Data class
Inference path
Evidence pack
data-boundary-notes.md
Documenting...
// Workspace:
payments-service (classified: customer data)
Boundary decisions:
- Default model path: Hosted (fast iteration)
- Regulated subtree /ledger: LOCAL ONLY · Ollama 70B
- Subprocessors consulted this sprint:
  • Inference vendor A · EU region pinned
  • Notification webhooks disabled for this cohort

Operational notes:
- Secrets never pasted into hosted prompts (vault refs only)
- Screenshots embargoed unless security approves egress

Sign-off before rollout:
Security lead + Compliance PM + Repo owner
1Classify
2Route
3Log
4Review
5Approve

What compliance actually wants from a privacy story

Egress clarity

Narrate precisely what crosses the WAN per prompt - not hand-wavy promises about mystical vaults.

Hosted vs localPurpose limitation

Operational discipline

Classify repos, ban raw secrets inside prompts, and tie human approvals to merges the way you audit today.

TrainingOwners

Vendor truth

Legal still owns DPIAs - surface subprocessors per workspace posture so questionnaires stop freezing launches.

Evidence packBuyer-ready

High-signal placements

Where Privacy & data boundary earns its keep

Finance, health-adjacent, public sector, and any shop that subtitles AI decks with subprocessors spreadsheets.

Hosted models

Egress DPIA appendix

Local inference

Ollama / LM Studio

Secrets hygiene

Vault refs vs paste

Customer data

Yellow / red classes

Cross-functional

Security + compliance + EM
Ingress control Evidence Buyer trust Audit calm
How it works

Lock the boundary in three moves

Repeatable playbook security and compliance can cite.

Name the repos

Green, yellow, or red - whatever taxonomy already governs source control.

Attach routing defaults

Pin LAN-only stacks to local models; loosen only where DPIA paperwork already exists.

Publish receipts

Export posture notes and subprocessors snapshots into questionnaires or architecture reviews.

Try Kodus.Ai Security controls
FAQ

Privacy & data boundary FAQ

Does Kodus upload my entire repository?

No wholesale upload - you work against the tree you opened. Anything you cite or attach is intentional context; scope prompts accordingly.

Can every teammate default to local inference?

Yes after you provision local endpoints and strip cloud credentials from sanctioned profiles Central IT publishes the pattern.

What happens if someone pastes prod secrets?

Assume they egressed once a hosted model processed them. Teach vault references and pair with scanners in CI.

Do screenshots obey the boundary?

They become multimodal payloads for whichever model replies - treat screenshots like pasted plaintext when customer data appears.

Who owns generated code?

You do under your agreement - OSS and IP hygiene stay your counsel’s domain just like handwritten patches.

Where should teams start?

Pick one customer-data repo, classify it, route risky subtrees locally, capture subprocessors, revisit after one steady sprint.

Pricing

Pricing

Use the same Kodus plans, tokens, and routing controls whichever posture you enforce.

Best to Start

Starter

For individual usage.

$20/mo
  • 10M tokens / month
  • 300 iterations / month
  • Standard model routing
  • Chat history + projects
  • Community support

Team

For small teams.

$100/mo
  • 70M tokens / month
  • 2,500 iterations / month
  • Full routing + Review + Strategy
  • Bring your own local model
  • Teams (up to 2 members)
  • Priority support
  • Audit log access

Scale

For larger organizations.

$200/mo
  • 300M tokens / month
  • 7,500 iterations / month
  • Unlimited team members
  • All models + custom routing
  • Dedicated support channel
  • Early access to beta features
  • No annual contract
  • Tokens reset monthly
  • Switch plans anytime

Have invite code? Get Access Now