Trove Private preview

Trove

Trust-preserving knowledge from work communication.

Trove helps people use their own work context and contribute sanitized team knowledge without turning private emails, files, or conversations into an employee monitoring system.

Join the private preview Review the trust model
Source-owner controlled Personal, team, and blended retrieval
Private sources Personal context stays private Gmail first, Drive next, Microsoft-ready identity
Preview gate See the cleaned version first Before broader ingest or team publication
Sanitized team Derived knowledge, not raw search Entity hiding, traits, evidence, validation
Chat + MCP Explicit retrieval boundary Personal, team, or blended endpoint
Default chat mode

Blended answer with quiet provenance underneath.

Private context Sanitized team Policy proof

The hard part is not search. It is earning permission.

The most valuable knowledge lives in personal work context: account history, implementation lessons, stakeholder nuance, and small discoveries that never become official documentation. Trove makes that knowledge useful without making it broadly inspectable.

For employees

Source owners preview what Trove keeps, what it discards, and what it would publish before opening a source more broadly.

For organizations

Admins get policy evidence, remediation controls, and key options without private-source browsing or productivity dashboards.

One assistant. Three explicit trust boundaries.

The MVP starts with a basic chat interface and matching MCP scopes: personal, team, and blended. Users can ask naturally while Trove keeps retrieval boundaries visible in the product and precise in the policy layer.

User question What can I reuse from similar customers without exposing my account?
Blended answer

Combines the user's private account context with approved team patterns. The normal answer stays conversational; hidden provenance records which scopes were used.

Personal answer

Uses raw private details only for the authenticated source owner. It cannot publish those details back into the team corpus.

Team answer

Uses sanitized artifacts, safe redacted traits, and raw team sources only when the requester is authorized. Follow-up suggestions are collaboration routing, not employee analytics.

Sanitization is a publication gate, not a redaction pass.

Trove publishes derived knowledge artifacts, not cleaned-up copies of private messages. The default source mode is sanitized sharing to the team; raw sharing is always explicit.

01

Connect Gmail

Sign-in stays separate from data-source consent. A user can connect multiple accounts under one Trove identity.

02

Preview a small batch

Owners see original excerpts, sanitized candidates, relevance calls, and entity replacements before broad ingest.

03

Filter for purpose

The clean room keeps business-relevant artifacts and discards personal, transient, embarrassing, or dignity-risk content.

04

Hide entities and traits

Customers, people, domains, titles, and accounts become linked redacted traits instead of raw identifiers.

05

Attack the result

White-hat agents try to re-identify private context in preview, pre-publication, and high-risk answer assembly.

06

Publish current artifacts

Approved artifact versions enter the team index with provenance, policy versions, and remediation paths.

Proof attached to every shared artifact

  • Publication mode and source-owner consent
  • Sanitizer and pipeline profile version
  • Redacted entity and role traits
  • Source evidence reference without raw access
  • Privacy validation and remediation status
  • Immutable provenance for generated answers

What Trove refuses to become

Employee monitoring, manager mailbox search, productivity scoring, raw private-source browsing, or a compliance backdoor into originals.

Clean-room sanitization pipeline diagram
Dual-context retrieval diagram

Trust claims backed by proof artifacts.

Trove is designed so security reviewers, admins, and source owners can verify the promises: sign-in is not data access, admins cannot read private sources, sanitized team knowledge is derived, and answers remain grounded.

Source-owner control

Each source has a per-pipeline policy: no_share, default sanitized_team, or explicit raw_team. Owners can revoke access and remove derived artifacts.

No private admin browse path

Team and org admins manage policy, connectors, validation, and remediation without receiving private-source read access.

Three authenticated MCP endpoints

/personal, /team, and /blended expose explicit retrieval scopes with hidden provenance on every answer.

CMK and private data plane options

Customers can use Trove-managed storage, customer-managed keys, or a future customer-owned data plane for higher-trust deployments.

Secured MCP access diagram Personal and team retrieval diagram

MVP path from whitepaper to pilot.

  1. Identity and consent Google sign-in, multi-account linking, source consent ledger, source ownership, and per-pipeline publication mode.
  2. Gmail preview ingest Recent limited batch, Gmail-style filters, private attachment handling, and source-owner before/after review.
  3. Clean-room sanitizer Relevance, dignity protection, entity hiding, trait extraction, white-hat validation, artifact versioning, and team publication.
  4. Chat, MCP, and transparency Personal/team/blended chat, three MCP endpoints, source-owner dashboard, admin evidence view, and policy proof tests.
  5. Enterprise hardening CMK, audit export, rollback/reprocess, operational trust runbooks, additional connectors, and private data plane support.

Request private preview

Help shape a trust-first assistant that makes work knowledge useful without exposing private source material.