Privacy & Governance
The Personal Assistant operates in a unique position - it is a tenant resource provisioned and funded by the organization, but it serves an individual employee with potentially sensitive personal data. This guide covers the privacy model, admin governance controls, the settings control model, pause/resume mechanics, and deactivation procedures.
Privacy Policy
The PA privacy policy is configured at the tenant level by an administrator. It applies uniformly to all Personal Assistants in the organization and controls what administrators can see about employee PA activity.
Privacy Levels
Private - Employee Privacy First
| Admin Can See | Admin Cannot See |
|---|---|
| PA exists (yes/no) | Goals, projects, and tasks |
| PA status (active, paused, deactivated) | Chat conversations |
| PA name | Activity log details |
| Activation date | Email content |
| | Custom instructions |
| | Employee profile data |
| | Tool usage details |
| | Insights and analytics |
Best for: Organizations that prioritize employee autonomy and trust. The admin retains lifecycle control (pause, resume, deactivate) but cannot view any PA content.
Metadata Only - Balanced Approach (Default)
Includes everything visible under Private, plus:
| Admin Can See | Admin Cannot See |
|---|---|
| Total execution count | Goal descriptions and details |
| Total token usage and cost | Project and task descriptions |
| Tool usage statistics (which tools, how often) | Chat message content |
| Goal count and titles (not descriptions) | Email content |
| Task count and completion rate | Custom instructions |
| Last active timestamp | Employee profile answers |
| Wake-up frequency setting | Research outputs |
| Data access permissions granted | |
Best for: Organizations that need cost visibility and usage monitoring while preserving employee privacy on content.
Full Visibility - Full Transparency
Includes everything visible under Metadata Only, plus:
| Admin Can See | Still Not Visible |
|---|---|
| Full goal details (titles and descriptions) | Email content in the employee's primary mailbox (Graph API access is user-scoped) |
| Project and task details | Employee's personal device data |
| Activity log with full details | |
| Chat conversation history | |
| Custom instructions | |
| Employee profile data | |
| Insights analytics | |
Best for: Regulated industries, high-security environments, or organizations where administrative oversight is expected or required.
Configuring the Privacy Policy
Administrators can set the privacy policy from the PA privacy configuration area in Control Bridge:
- Navigate to the PA configuration section
- Select the desired privacy level (Private, Metadata Only, or Full Visibility)
- Click Save Changes
Changing the privacy policy takes effect immediately for all PAs in your organization. All PA users in the tenant receive an in-app notification informing them of the policy change and the new level. Consider communicating the reasons for any changes to your team proactively.
Settings Control Model
The PA uses a boundary-based control model where administrators set constraints and employees work within them:
Admin-Controlled Settings (Boundaries)
| Setting | Admin Controls | Employee Can Adjust Within Boundaries |
|---|---|---|
| Working Hours | Admin sets the allowed time range | Employee sets wake-up frequency within those hours |
| Daily Execution Limit | Admin sets the maximum | Employee cannot exceed it |
| Available Tools | Admin defines the approved pool | Employee selects from the pool |
| Available Models | Admin defines the approved models | Employee selects their preferred model from the pool |
| Escalation Behavior | Admin sets the default | Employee can adjust within the admin's allowed options |
Employee-Only Settings
These settings are controlled exclusively by the employee. Administrators cannot change them, even with Full Visibility:
- PA name, avatar, and communication style
- Custom instructions
- Data access permissions (primary mailbox, calendar, contacts, files, meetings)
- Goals, projects, and tasks
- Wake-up frequency and weekend work preferences
- Summary frequency and delivery channel
Admin Governance Controls
What Administrators Can Always Do
Regardless of the privacy policy, administrators retain full lifecycle control:
| Action | Effect | Employee Notified |
|---|---|---|
| Pause PA | PA stops all execution immediately | Yes |
| Resume PA | PA resumes execution and calculates next wake-up | Yes |
| Deactivate PA | PA agent soft-deleted; requires full re-setup to reactivate | Yes |
| Add tools to available pool | Employee can assign these new tools | Yes |
| Remove tools from available pool | Tool removed from PA if employee had assigned it | Yes |
| Add LLM models | Employee can select these new models | Yes |
| Remove LLM models | Model removed if currently selected by employee | Yes |
| Change working hours | PA respects new hours on next cycle | Yes |
| Change daily execution limit | New limit enforced immediately | Yes |
| Change privacy policy | Applies to all PAs immediately | Yes (all PA users notified) |
| Remove PA User role | PA deactivated and role removed | Yes |
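The boundary model above, written out as an added example (not Outermind product code): an employee's settings are validated against the admin's constraints, the daily limit is a hard ceiling, and when the admin shrinks the tool or model pool the employee's selection is reconciled as the governance table describes. Field names such as `tool_pool` and `escalation_options` are assumed.

```python
"""Boundary-based settings model: admin sets constraints, employee picks within them.
Added illustration, not Outermind product code; field names are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class AdminBoundaries:
    working_hours: tuple[int, int]   # allowed hour range, e.g. (8, 18)
    daily_execution_limit: int
    tool_pool: set[str]              # approved tools
    model_pool: set[str]             # approved models
    escalation_options: set[str]     # admin's allowed escalation behaviours

@dataclass
class EmployeeSettings:
    wake_up_hours: tuple[int, int]   # employee's wake-up window
    tools: set[str] = field(default_factory=set)
    model: str | None = None
    escalation: str | None = None

def validate(b: AdminBoundaries, s: EmployeeSettings) -> list[str]:
    """Return violations; an empty list means the settings sit inside the boundaries."""
    errors = []
    lo, hi = b.working_hours
    if not (lo <= s.wake_up_hours[0] and s.wake_up_hours[1] <= hi):
        errors.append(f"wake-up window {s.wake_up_hours} outside working hours {b.working_hours}")
    if s.tools - b.tool_pool:
        errors.append(f"tools not in approved pool: {sorted(s.tools - b.tool_pool)}")
    if s.model is not None and s.model not in b.model_pool:
        errors.append(f"model {s.model!r} not in approved pool")
    if s.escalation is not None and s.escalation not in b.escalation_options:
        errors.append(f"escalation {s.escalation!r} not among allowed options")
    return errors

def can_execute(b: AdminBoundaries, executions_today: int) -> bool:
    """Daily execution limit is a hard ceiling the employee cannot raise."""
    return executions_today < b.daily_execution_limit

def reconcile(b: AdminBoundaries, s: EmployeeSettings) -> list[str]:
    """Apply an admin pool change to an existing selection: anything that left the
    pool is dropped from the PA. Returns messages for the audit trail."""
    removed = []
    for tool in sorted(s.tools - b.tool_pool):
        s.tools.discard(tool)
        removed.append(f"tool {tool!r} removed: no longer in available pool")
    if s.model is not None and s.model not in b.model_pool:
        removed.append(f"model {s.model!r} removed: no longer in available pool")
        s.model = None
    return removed
```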
What Administrators Cannot Do
Even with the Full Visibility privacy policy, administrators cannot:
- Send messages as the PA
- Modify the employee's goals, projects, or tasks
- Change the employee's personalization settings (name, avatar, style, instructions)
- Change the employee's data access permissions (primary mailbox, calendar, contacts, files)
- Access the employee's primary mailbox through the PA
- Impersonate the employee in PA interactions
Admin PA Management Page
Administrators can manage an employee's PA from Manage > Team > Users > select the user > PA Settings tab. This page shows:
- PA status with Pause and Deactivate buttons
- PA name, email, activation date, and last active timestamp
- Usage metrics (visible at Metadata Only and Full Visibility policy levels): execution count, token usage, and estimated cost
- Available tools and models configuration (with edit capability)
- Working hours, daily execution limit, and escalation behavior settings
Pause and Resume
Who Can Pause and Resume
| Actor | Pause | Resume |
|---|---|---|
| Employee | Can pause their own PA | Can resume their own PA (unless admin-paused) |
| Administrator | Can pause any employee's PA | Can resume any PA (including employee-paused) |
If a PA is paused by an administrator, the employee cannot resume it. The employee sees: "Paused by your administrator. Contact them to resume." Only the administrator can resume an admin-paused PA.
Pause State Model
The PA uses a single status field with a last-write-wins model. This means:
- If the employee pauses and then the admin also pauses, the status becomes `paused_by_admin`
- When the admin resumes, the PA goes back to `active` regardless of the employee's prior pause
- The employee can re-pause if desired after the admin resumes
This approach keeps the state model simple and avoids compound pause states.
What Happens When Paused
When a PA is paused, regardless of who initiated the pause:
- Scheduled wake-ups stop - The timer skips this PA
- Email triggers stop - Incoming emails to the PA's shared mailbox are not processed
- Chat is disabled - The employee sees "Your PA is currently paused" in the chat interface
- PA Hub becomes read-only - The employee can view history but cannot trigger actions
- "Wake Up Now" button is disabled - Shows the paused state
- Goals, projects, and tasks are preserved - No data is lost
- Next wake-up is cleared - The scheduled next wake-up time is removed
What Happens When Resumed
When a PA is resumed:
- The next wake-up time is calculated based on the current time and frequency
- Email triggers are re-enabled
- Chat becomes available again
- The PA Hub is fully interactive
- A "PA resumed" activity entry is logged
Providing a Reason
Both employees and administrators can optionally provide a reason when pausing. The reason is logged in the activity trail for audit purposes.
Deactivation
Admin Deactivation
Administrators can deactivate an employee's PA from Manage > Team > Users > select the user > PA Settings tab.
A confirmation dialog is displayed: "Are you sure you want to deactivate this employee's Personal Assistant? This will stop all PA activity and the employee will need to re-complete setup to reactivate."
Deactivation triggers the following:
- PA status is set to `deactivated`
- The PA agent is soft-deleted
- The email subscription (Graph API webhook) is removed
- The employee receives an in-app notification and email explaining the deactivation
- The action is logged in the audit trail
Deactivation is a significant action. The employee will lose access to their PA and will need to go through the full two-phase setup process (admin + employee) to get a new PA. Previous goals, projects, tasks, and chat history are preserved but linked to the old agent and not migrated to the new PA.
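The pause, resume and deactivation rules above as one state machine, added here as an illustration rather than Outermind product code: one status field, last-write-wins on pause, an employee never lifting an admin pause, the next wake-up cleared on pause and recalculated on resume, and deactivation as a soft delete that also drops the email subscription. The status name `paused_by_employee`, the field names and the activity-type strings written to `audit` are assumptions (the activity types follow the Audit Trail table).

```python
"""PA lifecycle: single status field, last-write-wins pause, admin-only resume after an admin
pause, soft-delete on deactivation. Added illustration, not Outermind code; names are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

class NotAllowed(Exception): pass

@dataclass
class PersonalAssistant:
    status: str = "active"   # active | paused_by_employee (assumed name) | paused_by_admin | deactivated
    wake_up_every: timedelta = timedelta(hours=4)            # employee's wake-up frequency
    next_wake_up: datetime | None = None
    email_subscription: str | None = "webhook-placeholder"   # constructed Graph subscription id
    audit: list[tuple[str, str]] = field(default_factory=list)  # (activity_type, detail)

    def _check_actor(self, actor: str) -> None:
        if actor not in ("employee", "admin"):
            raise ValueError(f"unknown actor {actor!r}")
        if self.status == "deactivated":
            raise NotAllowed("deactivated PA: full re-setup required")

    def pause(self, actor: str, reason: str = "") -> None:
        self._check_actor(actor)
        self.status = f"paused_by_{actor}"   # last write wins: no compound pause state
        self.next_wake_up = None             # scheduled wake-up is cleared
        self.audit.append((f"{actor}_pause", reason))   # reason kept for the audit trail

    def can_resume(self, actor: str) -> bool:
        return actor == "admin" or self.status != "paused_by_admin"   # employee cannot lift an admin pause

    def resume(self, actor: str, now: datetime) -> None:
        self._check_actor(actor)
        if not self.can_resume(actor):
            raise NotAllowed("Paused by your administrator. Contact them to resume.")
        self.status = "active"
        self.next_wake_up = now + self.wake_up_every   # recalculated from now and frequency
        self.audit.append((f"{actor}_resume", "PA resumed"))

    def deactivate(self, actor: str) -> None:
        if actor != "admin":
            raise NotAllowed("employees can only request deactivation")
        self._check_actor(actor)
        self.status = "deactivated"
        self.next_wake_up = self.email_subscription = None   # wake-up cleared, Graph webhook removed
        self.audit.append(("admin_deactivate", "PA agent soft-deleted"))

    def should_wake(self, now: datetime) -> bool:
        # timer check: a paused or deactivated PA is skipped even if a wake-up was once scheduled
        return self.status == "active" and self.next_wake_up is not None and now >= self.next_wake_up
```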
Employee Deactivation Request
Employees cannot directly deactivate their PA. Instead, they can:
- Navigate to PA Hub > Settings > Danger Zone
- Click Request Deactivation
- This sends a notification to the administrator
- The administrator must approve and perform the deactivation
Re-Provisioning After Deactivation
To re-provision a PA after deactivation:
- The administrator must complete the Admin Setup Wizard again
- The employee must complete the Employee Setup Wizard again
- A new PA agent is created with fresh configuration
- Previous data (goals, projects, tasks, chat history) is preserved but linked to the old agent and not carried over
Role Removal
If an administrator removes the PA User role from an employee:
- If the PA is active, it is deactivated first (following the deactivation flow above)
- The role is removed from the user
- The employee loses access to the PA Hub
- PA data is preserved in the database for audit purposes
- The employee receives a notification
Audit Trail
All governance actions are logged automatically to the activity log:
| Activity Type | Description |
|---|---|
| admin_pause | Administrator paused the PA |
| admin_resume | Administrator resumed the PA |
| admin_deactivate | Administrator deactivated the PA |
| admin_tool_change | Administrator modified available tools |
| admin_model_change | Administrator modified available models |
| admin_settings_change | Administrator modified settings (hours, limits, escalation) |
| employee_pause | Employee paused their PA |
| employee_resume | Employee resumed their PA |
| employee_tool_change | Employee changed tool assignments |
| employee_config_change | Employee changed personalization or settings |
Data Retention
- PA data follows the same retention policies as other Outermind Inc. data
- When an employee leaves the organization (user deleted), PA data follows the GDPR deletion flow
- Deactivated PA data is retained until the user record is deleted
- Activity logs follow the standard audit log retention policy
Related Topics
- PA Overview - Introduction to the Personal Assistant
- Admin Setup Wizard - How to provision a PA
- PA Hub Guide - Navigating the PA Hub
- AICOS Overview - The organizational AI executive that the PA architecture builds on