How it works

Three stages: type, sanitise, send.

Your team chat.trinito.local
Draft an offer letter for Sarah Patel for the 3-bed flat at 14 Cromwell Road, SW7 4XL. Her solicitor is at Henderson & Co.
4 findings · ready to approve
Trinito Gateway
ChatGPT · Claude · Gemini outbound
Draft an offer letter for [PERSON_1] for the 3-bed flat at [ADDRESS_1], [POSTCODE_1]. Her solicitor is at [ORG_1].
sanitised · sent
Flagged entity Placeholder token

The three stages

Stage 01

Type

Someone on your team writes a prompt in the Trinito chat — the same conversational interface they already use with public AI tools, but running on the appliance in your office.

They do not learn a new tool. The Gateway sits in the path and only steps in when it needs to.

Stage 02

Sanitise

The Gateway reads the prompt on the appliance in your office. It finds names, addresses, account numbers, and UK identifiers using regex and local NER; then swaps them for safe placeholders.

The person sees the cleaned version, can edit it, and approves with one click before anything leaves the building.

Stage 03

Send

Only the sanitised prompt goes to the LLM you chose: ChatGPT, Claude, Gemini, or a model running on the box.

The answer comes back through the Gateway. Placeholders are put back so the person reads normal text. The public AI never saw the real names or numbers.

Where the data goes

Sanitisation stays in your office. Only placeholders leave your premises

Original prompts and audit logs never leave the appliance. What crosses your firewall is sanitised text, and only if you approve it.

Stays hereOriginal prompt, findings, audit log all on the appliance.
Crosses outSanitised prompt only — tokens like [PERSON_1], not real PII.
ReturnsLLM response to the Gateway, rehydrated before the user sees it.
You chooseRoute to EU endpoints, US endpoints, or local models on the box.
UK → EU routing OpenAI and Anthropic offer EU data residency on eligible plans. Sanitised prompts can stay in the EEA if your admin selects EU endpoints — useful for GDPR-focused buyers.
UK → US routing Some models and tiers process in the United States. The Gateway still ensures UK personal identifiers and contextual business references never leave your office in the clear — only placeholder text crosses the link.
Document library

Adding documents to the appliance

Two paths — organisation library via admin, conversation files via chat. Both run locally; both pass through classification and sanitiser review before they are used in prompts.

Org library upload workflow

  1. Upload (admin)

    An admin drags a file onto the Documents page. The appliance extracts text with Apache Tika on the box (Tesseract for images and scanned PDF pages) — nothing is sent to a cloud extraction service.

  2. Classification detection

    If the document already carries a marking — INTERNAL USE ONLY, CONFIDENTIAL, UK Government protective markings, NATO classifications — the appliance detects it and proposes the matching sensitivity level. If markings conflict, you choose. If none are found, the default is Internal and you can override.

  3. Sanitiser review

    The sanitiser scans for PII. You see every detected name, organisation, identifier, and contact detail as a chip. By default they are redacted before any cloud retrieval. Click any chip to release it when the name is intentional context. Each release is recorded in the audit log.

  4. Indexed and live

    The document is chunked, embedded, and added to the search index. From then on, chat can retrieve from it when relevant — no extra step to "turn it on" after review completes.

Using the library in conversations

When someone asks a question, the appliance retrieves the most relevant chunks from documents they can access — organisation library plus any file attached to the current conversation. Retrieved chunks are added to the prompt as context.

Our standard PTO accrual is 1.67 days per month, capped at 25 days per year. This applies to all full-time staff after the 90-day probation period.

Sources: Employee Handbook 2026 (policy, internal); PTO Policy v3 (policy, internal).

The citation line shows the document, its content type, and its classification. For chat attachments, the same chip-review flow runs at upload time; shorter files can stay inline in the prompt, longer ones can be indexed for retrieval in that conversation only. Technical detail on the AI Gateway page.

What the user sees

Two surfaces. One workflow.

The in-office chat with sanitised preview, and the admin audit log — same approve-and-send model throughout.

Trinito chatSanitised prompt with placeholder chips, original alongside, one click to approve and send.
Admin audit logHash-chained entries, filter by user, export on demand for compliance.

Send this page to whoever signs it off.

If the flow makes sense here, browse the curated examples on the showcase.