Data & privacy — what the bot can see
This page is the plain-language version of the privacy policy. If you need legal language, the policy is the source of truth; this is the operational summary.
What Ceven reads
- Slack: only messages where the bot is @-mentioned, plus replies in any thread the bot has already posted in. The bot never reads channels it wasn't invited to.
- Connected providers: only what the OAuth scopes you approved allow. We default to read-only scopes everywhere we can.
- HR / billing data inside Ceven: employees, departments, PTO, integrations, payments — the same data your dashboard shows you, scoped to your org.
What's stored
- Tool dispatch results — temporarily, while the chat session is alive. Truncated and rotated weekly.
- Audit log — every tool call, who triggered it, timestamp, and a redacted summary of inputs / outputs. PII fields are redacted automatically (SSN, DOB, encrypted columns).
- OAuth tokens — encrypted at rest with a per-org KEK (key-encryption-key) wrapped by AWS KMS in production. Never logged in plaintext.
What's never shared
- Cross-tenant data. Every query is scoped by organization_id at the database layer (Postgres row-level security). One org cannot see another org's data, ever.
- Tool inputs across providers. A Stripe call doesn't touch HubSpot context. Each provider gets only the parameters needed for that specific call.
- Training data. Your messages are not used to train any LLM. The model calls happen via OpenAI's API with their no-training commitment for API calls.
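An added illustration of the organization_id row-level-security scoping described above; it is not Ceven's actual schema or policy. The table, role and `app.current_org` setting names are assumptions, and the script is meant to be run as a superuser in a scratch Postgres database.

```sql
-- Constructed schema: table, role and setting names are assumptions.
CREATE TABLE employees (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    full_name       text NOT NULL
);

ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner bypasses every policy.
ALTER TABLE employees FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- writes that would place a row in another org. NULLIF maps an unset or
-- empty setting to NULL, so a session with no org context matches no rows.
CREATE POLICY org_isolation ON employees
    USING (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- The application role must be neither superuser nor BYPASSRLS,
-- because both skip row-level security entirely.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT ON employees TO app_user;
GRANT USAGE ON SEQUENCE employees_id_seq TO app_user;

-- Org A request. SET LOCAL ends with the transaction, so the org context
-- cannot leak to the next request on a pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO employees (organization_id, full_name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed Employee A');
COMMIT;

-- Org B request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '22222222-2222-2222-2222-222222222222';
-- The USING clause hides org A's row from this query.
SELECT count(*) FROM employees;
-- The WITH CHECK clause rejects this cross-tenant insert with a
-- row-level security policy violation.
INSERT INTO employees (organization_id, full_name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Cross-tenant write');
ROLLBACK;
```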
Disconnecting / deleting
Disconnect any provider from Settings → Integrations — we revoke the OAuth session within 30 seconds and stop reading. To delete your account entirely, email hello@ceven.io with your tenant ID; we hard-delete within seven days, audit-logged.
Compliance
Ceven's SOC 2 Type II is in progress (target: Q3 2026). HSTS preload is submitted; all subdomains are HTTPS-only. See security for the current matrix.
One-line summary: the bot only reads what you've explicitly connected, encrypts everything at rest, scopes every query by org, and never shares data across tenants or with the LLM provider for training.