Cernavo
Request beta access
Data handling

Data handling

Private betaFor invited beta usersDeliberately conservative — not a compliance certification

This page describes how the Cernavo private beta handles datasets you upload, which parties may see them, and the limits of our deletion controls. It does not replace your own due-diligence process.

Where data is processed

  • Cernavo runs as a single-node, founder-hosted deployment for the private beta. Uploads, runs, artifacts, and audit metadata are processed and stored on that one host.
  • There is no customer self-hosted option in the beta, and no multi-region replication.

The beta is not a compliance regime

It is not designed to meet SOC 2, HIPAA, PCI, GDPR enterprise data-residency, or similar formal compliance regimes. Upload only low-sensitivity, sanitized data.

What your uploaded data is used for

  • Uploaded datasets are used solely to run the workflow you request — profiling, planning, and execution against your own data.
  • Uploaded data is not used to train foundation models, and we do not share uploaded datasets with third parties to train their models.
  • Limited operational metadata — artifact descriptors, run timing, command audit entries — may be passed to a model provider when a run step requires it. Raw upload payloads are not sent in conversation messages, events, or checkpoints.

Conversation surface vs workflow truth

The conversation is the product surface — it shows status, proposals, and receipts. It is not the source of truth for the workflow. The canonical run, artifacts, and retention state live on the server. Message bodies do not store raw dataset rows, and proposal or event payloads do not store upload bytes.

Retention and deletion

Default retention
Run-scoped artifacts and the run row are retained for 14 days after the run reaches DONE, unless you request Delete now sooner.
Keep
Signed URLs and downloads continue working for authorized users until the retention window expires.
Delete now
The server tombstones run-scoped artifact references, revokes application access (signed URLs and listings stop returning data), and crypto-erases run-scoped key material at the per-tenant key boundary.
Physical garbage collection
Garbage collection of object-store bytes is asynchronous. Cernavo does not claim instant physical deletion — access revocation and crypto-erase are the immediate controls; physical GC runs out-of-band and is tracked server-side.
Audit metadata
Metadata for the deletion action itself — who confirmed, when, on which run — is retained for operator accountability even after content is tombstoned.

Operator access

  • The founder/operator has administrative access to the single host. Access is limited to running the beta, diagnosing production issues, and supporting invited users.
  • Operator access is not used to mine, repackage, resell, or train models on your data. If we need to look at a specific dataset to help you, we will tell you.
  • Operational credentials and audit logs are managed separately from tenant workflow data and are not part of tenant data exports.

Beta limitations

  • No formal uptime SLA. The beta is hosted on a single node and may be paused for maintenance.
  • No public self-serve signup. Access is invite-only via secure sign-in.
  • No customer-managed encryption keys (BYOK) and no per-tenant self-hosting in this release.
  • Do not store production-critical or compliance-bound data here. Use sanitized, low-sensitivity tabular data per the acceptable-data policy.
Last updated: June 2026