Built for the most private material an organization has.
How an organization talks to itself is more sensitive than its financials. Elumen is built from that fact, and the commitments on this page are ones we put in writing for every engagement.
Said plainly, put in writing.
Names never reach Elumen
Names are pseudonymized on the consultancy side before anything reaches Elumen. The re-identification mapping never leaves your team. Asked to name your client's people, we'd have nothing to answer with.
Client material never trains a model
Not ours, and not any provider's: written into every engagement agreement, with model providers bound by commercial terms that prohibit training on customer content.
Every engagement runs in its own silo
No shared indexes, no cross-client learning, no aggregate "benchmarks" built from your clients' words.
Everything is encrypted, everywhere
AES-256 at rest, TLS 1.2+ in transit, isolated per-engagement storage with row-level security.
Deletion runs on your schedule
Retention is set with you, per consulting engagement. Keep the corpus live as long as the work needs, or have it deleted the day the brief lands — either way, deletion is verifiable, with a record you can hand the client.
All processing is logged
Every read of client material by Elumen's processing is logged; your team can request the access record for any engagement. Staff access is break-glass only: logged and disclosed to your team.
Every claim shows its source
Every claim in every brief traces back to its source lines. If a finding is questioned, you can show exactly where it came from — verification is built in, not bolted on.
What happens to the material, start to finish.
A question your clients will ask. The answer, stage by stage.
Nothing beyond the scope comes in
The client shares material under a scope you define together; nothing beyond it is ingested.
Names stay with your team
Names are pseudonymized on the consultancy side; Elumen never holds the mapping.
Nothing leaves the silo
Reading and analysis happen inside the engagement silo, under the access controls above.
The brief reaches your team
Its source links open the underlying messages inside the silo; delivery creates no new copies of the corpus.
Deletion comes with proof
The brief stays yours. Corpus and derived artifacts are deleted on your schedule, with a record for the client.
Where we are, honestly.
Where we are today, stated plainly. This section updates as milestones land.
For the procurement conversation.
Who can see our material?
Only your engagement team. Elumen's systems read the material to produce the brief, and Elumen staff have no standing access — break-glass entry is logged and disclosed to your team. No other client, ever.
Which model providers touch the data and under what terms?
The terms, plainly: no training on customer content, and only transient retention — currently up to 30 days, then deletion. Which providers, in which regions, under which safeguards: published at app.elumen.ai/trust.
Can we run this under our existing consulting NDA?
Yes. Elumen operates as a subprocessor under your engagement terms. Our data-handling terms are a standard exhibit, drafted to attach to the client agreements you already use.
How is the privacy of the messages analyzed treated?
Structurally, not just by policy. Ingestion is bounded by the scope the client sets; identity is pseudonymized before anything reaches Elumen; any employee can be excluded on request. And the diagnosis is of the organization and its groups — never of individuals.
Put our answers in front of your security reviewer.
We'll walk your team — or your client's — through architecture, data flow, and contract terms directly.
Request a demo