Data & Privacy

This is not a privacy policy. It is an architectural description — what every agent is built from, what each layer can reach, and how far the isolation can go.

The three layers

Every agent, regardless of framework, boils down to three things.

Environment — the machine it runs on. The filesystem, the shell, the network, the processes. This is where the agent lives and where its effects land.

Body — the tools and actions it can take. The physical surface through which it acts on its environment. In Axon this is tools, scripts, and the capsule — running on your hardware, in a subprocess you own, under policy you declare.

Brain — the cognitive loop. Assembles context, drives inference, dispatches actions, decides when the task is done. Most frameworks leave this to you to implement. In Axon this is Cognos — managed infrastructure that operates through the body you gave it, within the environment you defined.

Most agent architectures have all three. Few have named the split cleanly. Naming it matters here because it is where the privacy story lives: the brain can only reach what the body allows.

The capsule is the perimeter

Every action the brain takes — every file read, every shell command, every network call — crosses through the capsule first. The capsule enforces the policy you declared in axon.config.ts before any tool code runs. The brain does not bypass this. There is no mechanism for it to do so.

export default defineAgent({
    policy: {
        fs: {
            read:  ["./src/**"],
            write: ["./output/**"],
            deny:  [".env", "**/secrets/**"],
        },
        network: {
            allow: ["api.github.com"],
        },
    },
})

An agent with this policy cannot read .env. Cannot write outside ./output/. Cannot make network calls to anything except api.github.com. The brain may want to. The body cannot. That is the boundary.

Your privacy posture is a function of your capsule policy. Tighten it to what the agent genuinely needs. That declaration in source is the real perimeter — not a configuration panel, not a setting somewhere. Committed to git, auditable, version-controlled like everything else.

What the brain can reach

Cognos is private infrastructure — the cognitive loop is not open-sourced and will not be. But what it can reach is not a matter of trust. It is a matter of policy.

If you want to know what the brain can access for a given agent, read axon.config.ts. The capsule policy is the complete answer. The brain operates within it. Your machine operates outside it. That declaration is in source, committed to git, auditable like any other file in the agent folder.

Inference and where tokens go

The brain drives inference but does not own it. Engines — Axon(), Ollama(), Codex(), OpenRouter() — are pluggable inference providers. Cognos calls them as part of the loop.

When you use a BYOK provider (OpenRouter, Codex), tokens flow from your machine to your provider. Axon is not in that path. Your provider contract governs that surface — not ours.

When you use Ollama(), inference runs entirely on your hardware. No tokens leave your machine. The brain still runs on Axon infrastructure and drives the loop, but inference is local.

Choose the inference provider that matches your threat model. The body, the environment, and the policy are the same regardless.

The isolation spectrum

Different teams need different levels of separation. The architecture supports increasing isolation incrementally — as a consequence of deployment choices, not configuration toggles.

Local development — agent and capsule on your machine, inference via your chosen provider, Cognos managing the cognitive loop on Axon infrastructure.

Self-hosted — axon build produces a Docker image. Deploy it on your own infrastructure. Your agent connects to Cognos for the cognitive loop. Inference, tool execution, and the environment all run on hardware you control.

Local inference + self-hosted — Ollama() engine on your own server. No tokens leave your infrastructure. The cognitive loop connects to Cognos; everything it acts on is yours.

GPU deployment with local models (coming) — Axon-managed deployments with GPU hardware are on the roadmap. When available: your agent on Axon-provisioned hardware, an open-weight model you own, inference running on that hardware via the Ollama engine. You own the model, the weights, the inference, and the execution environment. The cognitive loop remains on Axon infrastructure — that surface cannot be eliminated while the brain is the brain. But everything the brain acts on is yours.

This is as close to complete isolation as a managed cloud agent can get. For teams with compliance requirements that go further still — zero-data-residency at the cognitive loop boundary — that is on the roadmap.

You define the environment. You define the body. The brain operates within both.