FAQ
What does Robost do?
Robost is an AI data loss prevention platform. A browser extension intercepts the text employees submit to AI tools — ChatGPT, Claude, Gemini — and classifies it on-device against 25 detection types. When a policy matches, the extension can block the submission, warn the employee, or log the event silently. Security admins review detections and trends in the web dashboard.
Does the extension see every prompt I type?
The extension only acts at the moment of submission — when an employee presses Send or the Enter key. Classification runs entirely in the browser using ONNX WASM (WebAssembly); no raw prompt text is sent to Robost servers. Only anonymized detection metadata is stored. See extension/entrypoints/offscreen/classifier.ts (ONNX runtime, executionProviders: ["wasm"]) and extension/entrypoints/content/main-world.ts (submit intercept).
How does Robost protect employee privacy?
The ML model runs locally in the browser — raw prompt content never leaves the device. When a policy fires, only the detection type, confidence score, application domain, and a timestamp are transmitted as an alert payload; the underlying text is not included. If the extension cannot reach the backend, the alert is queued locally and retried on the next flush cycle.
What happens if the extension cannot reach the Robost backend?
Alerts are queued in browser storage and flushed on a 5-minute alarm cycle (FLUSH_INTERVAL_MINUTES = 5 in extension/entrypoints/background/alert-queue.ts, line 7). If the queue reaches 20 items the extension also triggers an immediate flush (EAGER_FLUSH_THRESHOLD = 20, line 8). Failures are logged and retried on the next cycle — no alerts are silently dropped.
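The queue-and-retry behaviour described above, together with the metadata-only payload from the privacy answer, as an added TypeScript sketch (not Robost's alert-queue.ts). Only the two constants come from this page; the field names, the `toPayload`, `nextFlushAt` and `AlertQueue` names, and the synchronous transport are assumptions made so the sketch runs offline.

```typescript
// Added example: a constructed sketch, not Robost's alert-queue.ts.
const FLUSH_INTERVAL_MINUTES = 5; // value quoted in the FAQ
const EAGER_FLUSH_THRESHOLD = 20; // value quoted in the FAQ

// Hypothetical field names; the FAQ only lists which facts are transmitted.
interface AlertPayload {
  detectionType: string;
  confidence: number;
  appDomain: string;
  timestamp: string;
}
interface Detection extends Omit<AlertPayload, "timestamp"> {
  text: string; // raw prompt text, must stay on the device
}
// Assumption: a synchronous transport (true = backend accepted the batch).
type Transport = (batch: readonly AlertPayload[]) => boolean;

// Copy only the metadata fields; the prompt text never enters the payload.
function toPayload(d: Detection, nowMs: number): AlertPayload {
  const { detectionType, confidence, appDomain } = d;
  return { detectionType, confidence, appDomain, timestamp: new Date(nowMs).toISOString() };
}

// When the periodic alarm should next fire after a flush at lastFlushMs.
function nextFlushAt(lastFlushMs: number): number {
  return lastFlushMs + FLUSH_INTERVAL_MINUTES * 60 * 1000;
}

class AlertQueue {
  private pending: AlertPayload[] = [];
  private send: Transport;
  constructor(send: Transport) { this.send = send; }
  get size(): number { return this.pending.length; }

  // Returns true when reaching the threshold triggered an immediate flush.
  enqueue(alert: AlertPayload): boolean {
    this.pending.push(alert);
    if (this.pending.length < EAGER_FLUSH_THRESHOLD) return false;
    this.flush();
    return true;
  }

  // Alerts are removed only after the backend accepts them; a failed or
  // throwing send keeps the whole batch for the next cycle.
  flush(): boolean {
    if (this.pending.length === 0) return true;
    const batch = this.pending.slice();
    let ok = false;
    try { ok = this.send(batch); } catch { ok = false; }
    if (ok) this.pending = this.pending.slice(batch.length);
    return ok;
  }
}
```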
What happens when a policy action is “Block”?
A modal overlay is injected into the page. The submission is stopped (e.preventDefault() in extension/entrypoints/content/main-world.ts) and a red “Blocked” dialog is shown with a configurable policy message. The employee cannot proceed with that submission until they edit the prompt. The event is also queued as an alert for admin review.
What happens when a policy action is “Warn”?
A warning dialog is shown with the detection details and the policy message. The employee can choose to cancel the submission or proceed anyway. If they cancel, the event is reported to the backend as warn_cancelled. If they proceed, the submission goes through and an alert is queued. (extension/entrypoints/content/main-world.ts, lines 79–98.)
Can employees see when a policy fires?
Yes. Block and warn interventions show a visible in-page dialog — employees are always notified when Robost stops or flags a submission. Silent monitoring (action: monitor) does not show a dialog; the event is queued as an alert only.
What browsers are supported?
Chrome and Chromium-based browsers (including Edge) use the default Manifest V3 build (wxt build). Firefox is supported via a dedicated build target (wxt build --browser firefox, extension/package.json line 9).
How do I roll out the extension to my organization?
The extension supports MDM-based enrollment for Chrome Enterprise and compatible management platforms. The enrollment_token and api_base_url values can be pushed as managed storage keys, removing any manual setup for employees. See the Extension Deployment guide for the Chrome policy JSON and step-by-step instructions.
What detection types does Robost cover?
Robost ships 25 detection types across categories including Security, PII, Financial Services, Healthcare, Legal, Intellectual Property, Human Resources, and Confidential Business Information (web/src/lib/detectionTypeRegistry.ts). Detection types are defined in the product registry and updated with product releases. Admins can scope policies to specific detection types or apply them to all enabled types; they cannot add custom detection types.
How long do enrollment tokens last?
The default token validity is 365 days (expires_in_days: int = Field(default=365, ...) in src/modules/extension/schemas.py, line 99). Admins can set a different value between 1 and 3650 days when generating a credential. Expired tokens are rejected by the backend with a 403 response.
Does Robost support SSO?
Not yet. Login uses email and password only (src/modules/auth/routes.py, LoginRequest accepts email and password). SSO is on the roadmap.
Does Robost support SIEM integration?
Not yet. The interim approach is to poll GET /api/alerts with a valid session cookie. Native SIEM forwarding is on the roadmap. See SIEM for the current polling pattern.
Is there a REST API?
Yes. The backend exposes authenticated REST endpoints under /api/ — including /api/alerts, /api/applications, /api/employees, /api/insights, and /api/billing. All endpoints return a consistent ResponseEnvelope wrapper, and session authentication is required.
Where is my data stored?
Robost uses PostgreSQL 16 with row-level security to enforce strict tenant isolation — your organization’s data is never visible to other tenants. Deployment region depends on how your instance is hosted. For cloud-hosted accounts, contact support for your specific deployment region. For self-hosted deployments, data resides wherever you deploy the Helm chart.
Can I self-host Robost?
Yes. Robost ships a Helm chart (deploy/helm/clarity/) for on-premises or private-cloud deployment. Contact support for configuration guidance.
How long is my data retained?
Contact support — data retention depends on your subscription tier and any data processing agreement in place. No default retention window is configured in the open application code.