Security & Data Privacy
Last Updated on August 28th, 2025
Conduct is built with security and privacy as core product principles. Our platform enforces your regulatory and brand rules across email, chat, browsers, and LLMs through secure, admin-controlled integrations. We only process what is needed to evaluate a message and return guidance.
The sections below outline our privacy and security policies for all content analyzed or generated by Conduct, including flagged messages, rewrites, policies, and audit logs. You will also find details on permissions, access controls, data retention, and auditability.
FAQs
Do I need to install something?
The Conduct extension and connectors enable real-time compliance for employee communications. A lightweight Chrome extension provides in-draft flagging and rewrites from CLARE across email, chat, browsers, and LLMs.
The extension runs client side. Policies are synced from Scout to the endpoint and analysis calls are made over outbound HTTPS only. No local message data is persisted. Updates are automatic and version pinning is supported.
Typically, IT deploys the Chrome extension through Google Admin as a managed extension with policy controls and silent install. Compliance teams do not install anything. The Control Center and dashboards run in any modern browser.
What does Conduct see?
By default, we do not retain message content. The copilot evaluates drafts pre-send and records only metadata, such as the count of drafts analyzed, count of violations, rule IDs, severity, channel, and timestamps. No bodies, subjects, or attachments are stored.
In limited cases where an evidence record is required for a clear violation, we store a minimal snapshot of that event. That record is encrypted at rest and in transit with a per-tenant key, access is controlled by RBAC and audit logging, and it remains unreadable to Conduct personnel. Retention follows your tenant policy and can be disabled or time-limited.
What data do you process and for how long?
We store metadata for 30 days to provide snapshot reporting on what was flagged and overall coverage. Violation records are deleted 30 days after an admin acknowledges the message in the Conduct dashboard. Retention windows can be changed on request, but a violation must be acknowledged before Conduct can delete the record.
What encryption is used and who holds the keys?
We use industry-standard SHA-256–based encryption. Data is protected with an organization-scoped encryption key, and a private key is held in the backend for cryptographic operations.
Does Conduct use OpenAI, Claude, or other public LLMs?
No. Conduct runs open-source models on our own GPU infrastructure. All generative processing stays on our network. We do not send customer data to OpenAI, Anthropic (Claude), or any public LLM provider, and your data is not used to train external models.
Do you train any models on our data?
No. Conduct does not use your content to train shared or foundation models.
How your data is used:
Processed only to deliver features like CLARE’s in-draft checks and policy sync
Stored per your retention settings and encrypted in transit and at rest
Aggregated, de-identified telemetry may improve system reliability, not model weights
Options:
Tenant-only tuning is available by explicit written opt-in. Any adapters or prompts remain isolated to your org and can be deleted on request
BYO keys for OpenAI, Azure OpenAI, Anthropic, and Google are supported. We set provider data-use controls to “no training” where offered
Are compliance checks isolated from other customers?
Yes. Checks run in strict tenant isolation. Only your organization’s policies load, processing is stateless in memory, and data paths are scoped to your tenant with per-tenant encryption keys. If you use external LLMs, calls run under your controls with provider training disabled.
Can Conduct run in our VPC or an air-gapped network?
Yes, in certain circumstances. Please reach out to info@useconduct.com for more information.
Do you support SSO, SCIM, and role-based permissions?
Yes. Please reach out to info@useconduct.com for more information.
Found a bug or vulnerability?
Think you may have found a security bug? We’d be happy to work with you to explore and resolve the issue - and ensure you are fairly rewarded. Rewards will be based on severity, as per the Common Vulnerability Scoring System. Get in touch with us at bugs@useconduct.com to learn more.
Unanswered Questions?
Please don’t hesitate to reach out to us at info@useconduct.com with any questions you have about the information contained on this page.