What we ingest
Ravenhill ingests signals from the tools your team already uses. Today, that means Slack and Google Meet. You connect each workspace explicitly, and nothing is ingested before that connection is made.
From Slack: messages in channels you authorize, thread replies, and basic metadata (author, channel, timestamp). We do not read private DMs, and by default we exclude organization-noise channels (general, random, announcements) from expertise signals.
From Google Meet: meeting transcripts your team explicitly sends to Ravenhill. We do not join meetings without an invitation.
Every ingested signal is stored with a unique source identifier and a content hash, so duplicates are dropped at the edge and any tampering would be detectable.
What the product does with signals
Signals are used for two things: (1) to give your personal agent a sense of the work you're doing, and (2) to build an organization-wide map of who-knows-what.
The map is a graph of people, teams, and topics. Edges between them carry a weight that updates over time based on sustained activity — not a single message. The graph is derived signal; it does not expose raw message content to other users' agents.
When another person's agent needs your expertise, it sees that you're a likely source — not the underlying messages. Raw content only leaves your agent's context when you explicitly approve it.
Who can see what
Every signal in Ravenhill carries what we call a trust envelope: a classification (public / internal / restricted / confidential), a scope (which people or teams it's addressed to), a maximum forwarding depth, and a source confidence.
The trust envelope can only be narrowed as the signal moves through the system — never widened. A confidential signal stays confidential; an internal one can't be promoted to public without human action.
Access is enforced structurally, not in an LLM prompt.
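The narrow-only rule described above can be enforced in a data type rather than in a prompt. The sketch below is an added example, not Ravenhill's code: the class and field names, the ordering of the four classifications, and the treatment of source confidence as something that can only go down are assumptions, and the human-approved promotion path is not modelled.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    # Assumed ordering, least to most restrictive, following the page's list.
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class TrustEnvelope:
    classification: Classification
    scope: frozenset          # people or teams the signal is addressed to
    max_forward_depth: int    # remaining hops the signal may be forwarded
    source_confidence: float  # 0.0 to 1.0

    def narrow(self, classification=None, scope=None,
               max_forward_depth=None, source_confidence=None):
        """Return a new envelope that is no wider than this one on any axis."""
        c = self.classification if classification is None else classification
        s = self.scope if scope is None else frozenset(scope)
        d = self.max_forward_depth if max_forward_depth is None else max_forward_depth
        q = self.source_confidence if source_confidence is None else source_confidence
        if c < self.classification:
            raise PermissionError("classification cannot be lowered")
        if not s <= self.scope:
            raise PermissionError("scope cannot gain recipients")
        if d > self.max_forward_depth or d < 0:
            raise PermissionError("forwarding depth cannot grow")
        if q > self.source_confidence:
            raise PermissionError("source confidence cannot be raised")
        return TrustEnvelope(c, s, d, q)

    def forward(self, recipient):
        """One hop: recipient must be in scope and depth must remain."""
        if recipient not in self.scope:
            raise PermissionError(f"{recipient} is outside the envelope scope")
        if self.max_forward_depth == 0:
            raise PermissionError("forwarding depth exhausted")
        return self.narrow(max_forward_depth=self.max_forward_depth - 1)


# Constructed sample: an internal signal addressed to two teams, two hops allowed.
origin = TrustEnvelope(Classification.INTERNAL,
                       frozenset({"team-platform", "team-security"}), 2, 0.9)
```

Because the envelope is immutable and every derived envelope passes through `narrow`, a widening attempt fails with an exception at the point of construction instead of depending on downstream checks.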
How sensitive actions work
Any cross-agent action that would share a file, transfer data, or touch something owned by another person pauses and asks that person's human owner to approve.
Approvals are not a convenience layer — they are the enforcement point. If the owner does not approve, the action does not happen. There is no "silent" pathway.
Audit trail
Every question, every routing decision, every agent-to-agent message, and every approval is written to a persistent activity log. Each entry carries an actor, a target, a timestamp, and a trace identifier that ties the whole chain together.
The log is queryable in-app. In the product today, it powers the Activity and Audit surfaces. You don't have to ask us for it — you see it.
Where the data lives
Ravenhill runs today on PostgreSQL, in a single region, hosted on managed infrastructure. Data is encrypted in transit and at rest by the hosting layer.
Language model calls are made to third-party model providers (Anthropic, and optionally Groq or Google Gemini as fallbacks). Which provider is active depends on configuration. We can also run in a local-only "mock mode" with no external model calls — this is what we use for demos and internal testing.
No model provider is given access to your graph. Only the specific context needed to answer a specific question is passed, per call.
What we do not yet offer
We're going to be specific here, because honesty is cheaper than rework:
- SOC 2 is not yet in progress. We will begin when we have a small number of design partners and the scope is stable.
- SAML / enterprise SSO is not yet supported. Today we sign in via the in-app flow; Google OAuth is the next step.
- Self-hosted / bring-your-own-cloud deployments are not available.
- Customer-configurable data residency is not available — single region today.
- No ISO 27001, no HIPAA, no FedRAMP. These aren't on the near roadmap.
- No dedicated customer VPC or tenant isolation beyond row-level org scoping.
If one of these is a blocker for you, we'd rather know before you're onboarded than after.
How to reach us
Security questions, data-handling questions, anything on this page you want to push on — email us at security@raven-hill.org. A founder will answer.
This page will be updated as the product evolves. If there's a version of it you read three months ago and a claim is no longer accurate, that's on us — tell us and we'll fix it.