The objection we hear from IT
Teams often assume “AI connected to Microsoft 365 or Google Workspace” means unsafe exfiltration through a vendor cloud. With Sovereign, mail and documents are accessed only under your identity provider’s rules, with tokens kept on the owner’s machine. Centurion Limited never sits in the middle of that traffic.
Security benefits of this model
Owned hardware, owned data
The Sovereign lives on customer-owned hardware. Private chat, documents, and mission work stay with the owner — not in a multi-tenant AI product.
Crypto Chat on your network
The iPhone companion talks to the Sovereign through Crypto Chat: end-to-end encrypted on the owner’s network. Public chatbots have no equivalent.
Fully offline when policy requires
When nothing may leave the room, Sovereign can operate without the public internet. Connectivity is a choice, not a dependency.
No stranger skill store
Sovereign does not install skills from unknown vendors. It builds what the owner needs locally, so third-party skills cannot quietly leak mail or documents.
Human approval for consequential steps
Serious actions stay under human authority. The machine works at machine speed; the owner decides when something leaves their control.
We do not train on your content
Centurion Limited does not receive private Sovereign inference data to train shared models. Your mail and documents are not our product fuel.
Trust boundary
Connecting company email — best practice
When a principal needs mail assistance, IT should approve the same patterns used for any trusted desktop client: OAuth under your tenant, least privilege, revocable consent, and no third-party mail relay.
Microsoft 365 / Exchange Online
Prefer Microsoft Graph with Entra ID (Azure AD) app registration — not shared passwords or unmanaged IMAP.
- Register an application in Entra ID under your tenant
- Choose delegated access for a named user, or application permissions only if IT policy requires it
- Request least-privilege Graph scopes for mail (read and/or send only as needed)
- Require admin consent for organisational policy
- Store refresh tokens only on the Sovereign — never in Centurion Limited systems
- Revoke or rotate access from Entra at any time
- Do not route mail through a Centurion cloud gateway
Google Workspace
Prefer Google OAuth with a Workspace-admin–controlled client — not password-based access.
- Create an OAuth client in Google Cloud under your organisation
- Allowlist the client in Google Workspace Admin as required
- Request least-privilege Gmail scopes only
- Store tokens only on the Sovereign
- Revoke access from Workspace Admin or the user’s Google account
- Do not route mail through a Centurion cloud gateway
Rules that apply to both
- Mail content is processed on the Sovereign under the owner’s roof
- Centurion Limited does not proxy, store, or train on company mail
- IT retains control through the identity provider
- If policy requires air-gap, leave mail disconnected — Sovereign still works offline
- Document the approved scopes and consent path in your change record
What we do not claim
We do not claim FedRAMP, SOC 2, IL ratings, or military authorisations. Our position is architectural: owner-controlled hardware, encrypted private chat on your network, optional offline operation, and IdP-governed connectors. For a private security questionnaire or architecture review, contact us.
Share this brief with IT
Forward this page to your security team, or ask us for a written response to your questionnaire.
hello@1human1ai.com
