Enterprise · planned

Controlled deployment.
Same cautious core.

Enterprise work should add deployment, support, and data-boundary controls without weakening the individual user’s review or restore path.

Planned capabilities

The controls organizations actually need.

These are roadmap targets for design partners, not currently shipped guarantees.

Managed browser deploymentPlannedDocumented extension allowlisting, version control, and update rollout.
Provider routingPlannedApproved model endpoints, metadata-only enforcement, and zero-retention routing options.
Central closure guardrailsPlannedOrganization defaults that cannot silently downgrade deterministic keep protections.
Hosted receipt retentionPlannedConfigurable retention and deletion with export remaining available.
Identity and accessPlannedSSO and administrative roles only when a hosted team service requires them.
Security assuranceEvidence firstTesting, incident process, and independent review before certification claims.

Questions we expect from security teams.

  • Which browser permissions are required and why?
  • Is page content accessed by default?
  • Which data can leave the device?
  • Can remote analysis be disabled or routed?
  • What exact state is captured in a receipt?
  • What cannot be restored?
  • How are receipt changes detected?

Answers we will not fake.

Pre-release software should not borrow the language of mature controls. The current evidence is the open code, schemas, deterministic guardrails, testable receipt integrity, and documented limitations.

Enterprise availability depends on design-partner validation and the controls above being implemented, tested, and documented.

Receipt first. Close second.

Bring a real workflow and a real threat model.

Design-partner conversations are for validating requirements, not pre-selling imaginary controls.