Product Partner Overview

Product Partner Overview · Confidential

What twins unlock
on your platform.

For product and partnership leaders considering a partnership with Workfabric AI. Twelve twin use cases, grouped by the kind of platform you build, so you can quickly see what ContextFabric makes possible on top of yours.

Partner overview 12 use cases 4 platform categories Explainer + demo per case

Use cases

Click a card to jump to its full breakdown

No demos match this filter yet. Try another category.

01 · Overview

What is ContextFabric?

ContextFabric is the simulation and context layer for your enterprise. It senses operational context across the apps your people already use, structures that context into living digital twins, and exposes it to any AI agent through MCP.

Delivered as a managed service with a fully isolated, dedicated Data Plane per customer — run on dedicated Workfabric AI resources we manage for you, or in your own cloud (Azure, AWS, GCP). Either way, no shared service plane and no shared inference path.

01 · Sense

AI Twin Runtime

On each user device. Observes how work happens, under your governance and scope.

02 · Structure

Context Library

Workflows, participants, business objects, data sources — all linked back to their origins.

03 · Synthesize

Intelligence layer

Selects, enhances, and ships precise context aligned to each agent request.

04 · Serve

MCP for your agents

Any agent runtime reads context the same way.

02 · The Context

How do digital interactions become context?

The signal lives in the work itself — every step performed, every exception, every off-path decision.

Systems of record

~30%

ERP records, accounting, support tickets, dashboards — structured but partial.

Unstructured work

~70%

Conversations, emails, chat, transcripts, documents, SOPs, contracts.

Observed work

Every
interaction

Every step, every variation, every error and how it was resolved.

What gets captured per workflow

03 · Architecture

How does context flow?

20 billion observed tokens → 100 million refined → 5 thousand precise context tokens per agent request.

01
Model how teams work AI Twin Runtime observes interactions across apps, workflows, docs.
02
Reverse-engineer workflows Turn raw interactions into structured workflows.
03
Build a context library Encode tacit, team-specific knowledge into reusable context.
04
Select precise context Pick the exact slice for the agent’s intent and action.
05
Deliver context to agents Enhance, then ship the resulting context at run-time.

04 · Environment

What’s centralized, what’s isolated?

A single Control Plane manages the platform globally, while every customer's Data Plane — including its storage and compute — stays fully isolated, whether it runs in your VPC or on dedicated Workfabric AI resources we manage for you.

Isolated storage & compute

Whether your cloud or ours, your ContextFabric storage and compute are always isolated to your enterprise.

Your cloud or ours

Run in your own VPC, or on dedicated Workfabric AI resources we manage for you — the same isolated Data Plane either way.

Multi-cloud support

The same Control Plane / Data Plane model deploys consistently across Azure, AWS, and GCP.

Global control & updates

The Operator applies centralized policy and seamless updates across every region — without disrupting your agents.

Network & data security.

ContextFabric is built with strict boundaries between the Workfabric Control Plane and your Data Plane — encrypted in transit, encrypted at rest, no inbound connections, and only the Data Plane initiates a single secure egress channel back to the Control Plane.

End-to-end encryption

All network connections are encrypted in transit with TLS 1.2 or higher.
Mutual authentication enforced for Control Plane and Data Plane traffic.
Services within the Data Plane communicate over encrypted traffic with mutual authentication.

Data at rest

All persisted data is encrypted at rest with keys dedicated to your environment — keys are never shared between customers.
In customer-hosted Data Planes, keys reside in your own cloud key management service, under your control. In Workfabric-hosted deployments, Workfabric AI manages your environment's dedicated keys.

Segregated planes with strong boundaries

Firewall enforced between Control Plane and Data Plane.
No inbound connections permitted to any Data Plane service from outside the Data Plane.

Controlled Data Plane egress

The Data Plane can only egress to the Control Plane — never the reverse.
The secure egress channel is used solely for:
- Retrieving configuration updates
- Applying new security and compliance updates
- Reporting minimal telemetry (egress-only, customer-controlled)

05 · Storage & Retention

What’s stored where?

Context data and operational metadata live in three places — your team's user machines, the ContextFabric Data Plane, and the Workfabric Global Control Plane. Each store has its own purpose, encryption, and retention policy. Items in matching dashed colors flow between planes — blue for configuration, orange for operational telemetry.

Team / User Machines

Your environment

Digital interaction data

Encrypted at rest
2-minute maximum retention until transfer

→ Data Plane

AI Twin Runtime configuration

Encrypted configuration file
Local copy of the sensed list
Runtime configuration
Persisted with the Runtime

ContextFabric Data Plane

Your cloud or ours

Context Library

Workflows, business objects, etc.
Encrypted at rest
1 month default retention

Context source data

Digital interactions, documents, etc.
Retention period of the Context Library

Sensed list

Application / domain names
Meta-data on what to collect from
Retained indefinitely with product use

User & agent API keys

Agent and user API keys
Revokable at any time

Log information

Context requests, endpoint health, etc.
30-day retention period

→ Control Plane

Workfabric Global Control Plane

Workfabric's cloud

Data Plane configuration

Configured cloud environment details
Retained as long as you are a customer

← Data Plane

Product upgrades

Container images
Security patches
Cloud service configuration

← Data Plane

Log information

Health of services and endpoints
30-day retention period

← Data Plane

Global portal management information

Ephemeral — only displayed temporarily
Log information
Billing & context token usage tracking
Context units for visibility (configurable)

← Data Plane

Onboarded user account

Details encrypted at rest
User email and name
Retained as long as the user is active

Moving to the Data Plane in Q3 2026

06 · Coexistence

How does it coexist with your AI stack?

ContextFabric sits underneath the AI stack you already run. Nothing ripped, nothing replaced.

Your apps

100+ enterprise apps

Out-of-the-box compatibility across ERP & finance, CRM & CX, HR & workflow, analytics & tools — plus custom and legacy.

SAPSalesforceWorkday ServiceNowSlackOracle

Your agent frameworks

MCP-compatible

Any framework that speaks Model Context Protocol can read ContextFabric. No SDK lock-in.

LangChainAgentforceCopilot Studio Bedrock AgentsCustom MCP

Your models

Model-agnostic

Output works with all leading generative AI models. Swap models without re-integration.

ClaudeGPTGemini LlamaMistral

07 · Runtime

What is the AI Twin Runtime?

A background process on each user's device, with the user's awareness of it running. It captures how work is actually performed — at the edge, on the desktops and applications your teams already use. No interaction required; as people work, their digital twin begins to model them.

Deployed centrally · Windows + macOS

Simple deployment Centralized IT pushes to Windows and Mac, supported with SCCM and Jamf.

AI Twins modeled locally · Windows + macOS

Attention signals

Indicators of focus such as dwell time, switching patterns, and rework.

Digital interactions

Clicks, keystrokes, navigation, field entries, copy/paste, and search.

Application context

Which app, view, or field the interaction took place in.

System metadata

Timestamps, user/session IDs (PII-filtered), and traceability markers.

Lightweight footprint Runs at < 10% CPU with no specialized GPU resources required — the edge models run on a standard workstation.

08 · Trust Center

How is privacy protected?

Every rule lives in the ContextFabric Trust Center. Privacy-protection rules run wherever they're most effective — at the Edge, matching patterns of sensitive information like SSNs and credit cards before anything leaves the device; or at our Server, where advanced semantic rules scrub context as agents request it. We ship 100+ rules out of the box, and you can author custom rules at both the edge and the server.

At the Edge

Pattern matching

Detects and removes well-formed sensitive patterns — SSNs, credit-card numbers, account IDs — on-device, before context is ever transmitted.

At the Server

Semantic rules

Natural-language policies scrub context as agents access it, catching sensitive meaning that simple patterns miss.

Every rule can act as Redact or Drop. Redact keeps the surrounding context and removes only the sensitive subset in-place. Drop is stricter — if the policy is triggered, the entire surrounding context block is removed for safety.

Rules applied at the Edge Rules applied at the Server Context GroupDefault Context Group ▾

Active Rules 42 Dropping 2 Inactive 23 100+ rules out of the box · custom rules at edge & server

ORIGINAL

The employee's SSN is 482-36-7291 and their salary is $145,000.

REDACT

The employee's SSN is [SSN] and their salary is [SALARY].

DROP

Entire context block removed — contained sensitive data.

Redact masks sensitive values in-place · Drop removes all surrounding context for safety

Remove private information using natural-language rules

Scrubbed on the server when AI agents access context from ContextFabric. Up to 100 policies per context group — 65 active.

Sensitive Personal Attributes 8/12 rules active~20.0% overhead

Identity Documents & PII 5/6 rules active~20.0% overhead

Contact, Family & Personal 1/7 rules active~20.0% overhead

Health & Medical 1/2 rules active~20.0% overhead

Financial & Compensation 5/5 rules active~20.0% overhead

EMPLOYEE_CONTRACT_TERMS BUILT-IN

Employment contract or offer terms for a named employee — compensation, equity, non-compete, or severance stated for a specific individual.

20.0% of tokens impacted

BEFORE

Per Michael's new contract, he will receive a $10,000 relocation allowance and 5,000 RSUs vesting over four years, plus a 12-month non-solicitation clause.

AFTER

Per [EMPLOYEE_CONTRACT_TERMS], [EMPLOYEE_CONTRACT_TERMS], plus [EMPLOYEE_CONTRACT_TERMS].

Redact Drop

PERSONAL_COMPENSATION BUILT-IN

A named person's salary, wage, bonus, equity, commission, or severance — triggers only when a person is named and a dollar amount is stated as their personal pay.

20.0% of tokens impacted

BEFORE

We agreed to offer Priya a $120,000 base salary plus a $15,000 signing bonus to join the engineering team next month.

AFTER

Entire context block removed — contained sensitive data.

Redact Drop

09 · Context Synthesis

How does Context Synthesis work?

Workfabric AI·Technical paper

X-SYNTH

Beyond Retrieval

Enterprise Context Synthesis from Observed Digital Human Attention

ContextFabric is built on a thesis: the context AI agents need in the enterprise is not waiting to be retrieved — it has to be synthesized from how people actually work. The X-SYNTH paper sets out the framework that makes that synthesis tractable, and shows what it produces when you augment a frontier model with it.

Three findings

Digital human attention as ground truth.

Each worker's observed digital human attention is a learnable, discriminative relevance signal, with no external labels required.

ii.

Relevance, per individual.

The same query resolves to different signals for different people, because what looks meaningful depends on how that specific worker actually operates.

iii.

A measurable lift on real work.

On a sales lead identification benchmark drawn from Fortune 500 interaction data, the same model augmented with this framework surfaces 110 additional real leads it had otherwise missed entirely.

Read paper → More on /research

Cite

Raghavan, G., Nychis, G., & Murty, R. (2026). X-SYNTH: Beyond Retrieval. Enterprise Context Synthesis from Observed Digital Human Attention. Workfabric AI.

10 · Governance

How is context governed?

Not every agent should see every team's context. Context Groups are the unit of governance in ContextFabric: a Context Contributor belongs to exactly one group, which defines what work it's OK to model from which applications. AI agents are then explicitly assigned to one or more groups — so an engineering agent is powered by engineering context without ever reaching HR context, even though the HR team's own agents need that same context to do their jobs.

Context Contributors

One group, one boundary

Every contributor belongs to exactly one Context Group. The group governs which applications, URLs, and entities are OK to model — with full visibility into what gets captured and what doesn't.

AI Agents

Explicit, multi-group assignment

Agents are securely assigned to one or more Context Groups. They can only synthesize context from the groups they're attached to — no implicit access, no cross-team leakage.

← Context Groups Last 5 days Search… + Add Context Group

DELIVERY_NA

82^%

of users active in last 5 days

389 Active contributors

477 Total contributors

74 inactive (16%) 7 paused (1%)

71^%

of effort is sensed

3h 50m Avg sensed time/user/day

5h 24m Avg total time/user/day

97^%

of users' context powers agents

463 Users powering agents

477 Total contributors

Top sensed apps

Microsoft Outlook43%

Microsoft Teams30%

Microsoft Excel8%

Category types

Data Sources Business Objects Users +1

DELIVERY_EMEA

81^%

of users active in last 5 days

343 Active contributors

421 Total contributors

67 inactive (16%) 8 paused (2%)

70^%

of effort is sensed

5h 06m Avg sensed time/user/day

7h 20m Avg total time/user/day

94^%

of users' context powers agents

396 Users powering agents

421 Total contributors

Top sensed apps

Microsoft Outlook39%

Microsoft Teams33%

Microsoft Excel18%

Category types

Data Sources Business Objects Users +1

DELIVERY_APJ

92^%

of users active in last 5 days

58 Active contributors

63 Total contributors

5 inactive (8%) 0 paused (0%)

67^%

of effort is sensed

3h 52m Avg sensed time/user/day

5h 46m Avg total time/user/day

98^%

of users' context powers agents

62 Users powering agents

63 Total contributors

Top sensed apps

Microsoft Outlook40%

Microsoft Teams35%

Microsoft Excel10%

Category types

Data Sources Business Objects Users +1

SALES_NA

64^%

of users active in last 5 days

198 Active contributors

312 Total contributors

92 inactive (30%) 18 paused (6%)

42^%

of effort is sensed

2h 24m Avg sensed time/user/day

6h 08m Avg total time/user/day

71^%

of users' context powers agents

222 Users powering agents

312 Total contributors

Top sensed apps

Salesforce36%

Microsoft Outlook28%

Slack14%

Category types

Data Sources Business Objects Users +2

Manage Context Group · SALES_NA ×

Basic Details Applications 32 URLs 87 Users 570 AI Agents 4 Twin Signatures Go to My Agents →

AI Agent	Goal
Account Briefer	Co-pilots account managers — surfaces account context, open initiatives, and recent customer interactions before each call.
Deal Hygiene	Identifies missing fields and inconsistencies on open opportunities so reps can clean them before pipeline reviews.
Forecast Assist	Surfaces early-stage demand signals and pipeline shifts to support sales-leader forecasting.
Opportunity Creator	Identifies and creates new opportunities in the CRM from customer interactions captured by the runtime.

Fine-grained modeling controls — down to the application.

Within each Context Group, admins decide exactly which applications ContextFabric is allowed to model — not just by category, but down to individual apps and URLs. Sources are ranked by the time and effort contributors actually spend in them, so the highest-impact applications surface first. Turn modeling on for the work that matters; leave the rest blocked.

CategoriesExpand all

▾ITSM & Support19% / 22%

ITSM Tools

OffPartialAll On

8 of 40 modeling 14% / 16%

Knowledge Bases

OffPartialAll On

7 of 23 modeling 5% / 6%

▾Communication0% / 18%

Chat

OffPartialAll On

5 of 20 modeling 0% / 11%

OffPartialAll On

4 of 17 modeling 0% / 5%

Video & Meetings

OffPartialAll On

2 of 19 modeling 0% / 1%

▸Search & AI0% / 9%

▸Browsers0% / 8%

▸Productivity & Docs13% / 16%

▸Developer Tools12% / 14%

☐ Show low-context sources247

ITSM & Support

ITSM Tools

8 of 40 modeling · 14% / 16% of workspace activity

Source	Time spent	Activity %	Status
ZendeskAPP zendesk.com · updated Apr 12	30h 40m	7.5%	BlockedModeling
ServiceNowAPP servicenow.com · updated Apr 11	8h 30m	3.6%	BlockedModeling
IntercomAPP intercom.com · updated Apr 09	4h 00m	2.4%	BlockedModeling
support.acme.comURL support.acme.com	18m	0.8%	BlockedModeling

11 · Synthesis API

How is context synthesized on demand?

Agents pull context from ContextFabric with a single MCP-compatible call. They tell ContextFabric why they're working (intent) and what's in front of them right now (action). The service synthesizes a precise slice of the Context Library and returns it as agent-ready context — built from interaction signals captured at the edge as your team works.

Example 1 Completing a Business Deal in CloudSales Suite

A sales rep is stuck on a Business Deal — searches for an initiative are returning no records. The agent asks ContextFabric what the rep has already tried so it can suggest the right next step.

Request POST /retrieve-context/v1/context

import os, requests

resp = requests.post(
    "https://acme.context.workfabric.com/retrieve-context/v1/context",
    headers={
        "Content-Type": "application/json",
        "X-Api-Key": os.environ["WORKFABRIC_API_KEY"],
    },
    json={
        "agent_id": "agt_sales_dealbuilder",
        "intent": (
            "You are an AI assistant for sales reps building Business Deals in "
            "CloudSales Suite. Surface the account context, the initiatives the "
            "rep has searched, and any contract references that still need to be "
            "linked so the deal can be completed."
        ),
        "action": (
            "On the New Business Deal screen for Orion Global Solutions Ltd. "
            "(Business Deal 2000587643), what initiatives has the rep searched "
            "for, and what was the result?"
        ),
    },
)

context = resp.json()["context_shipped"]
# ContextFabric synthesizes `context` from interaction signals captured at the
# edge as your team works. One such signal is shown below.

Response captured at the edge · structured by ContextFabric

{
  "user_uuid": "9f3a71c4-8b92-4d5f-a6e1-2c7b9e41d210",
  "timestamp": "2025-12-04 17:59:31",
  "application": "orgfarm-7ef58e5a10-dev-ed.develop.lightning.force.com",
  "embedding_sentence": "\n    A user is search a Business Deal with the\n    attributes {Customer Customer Account Name: Orion Global Solutions Ltd., Header: Sales Deal, Label: Select Initiatives to include in your Business Deal, Status: No Records Found, entity_identifier: 2000587643} using orgfarm-7ef58e5a10-dev-ed.develop.lightning.force.com application on screen 'New Business Deal | CloudSales Suite' with\n    intent : \"The user aims to find and include a specific project in their sales business deal, ensuring it has an associated contract reference ID for visibility.\"\n    ",
  "meta_data": {
    "screen_fields": [
      {
        "screen": "New Business Deal | CloudSales Suite",
        "interacted_fields": [
          "If your Delivery Initiative pursuit is for an existing initiative then your delivery initiative must have an associated contract reference ID in ContractSphere to show in the below.\n",
          "Search Initiative Name Initiative ID",
          "Search",
          "Your Delivery Initiative pursuit is for an existing initiative then your delivery initiative must have an associated contract reference ID in ContractSphere to show in the below\n"
        ]
      }
    ],
    "absolute_url": "https://orgfarm-7ef58e5a10-dev-ed.develop.lightning.force.com/lightning/o/Business_Deal/new"
  },
  "entity": "Business Deal",
  "intent": "The user aims to find and include a specific project in their sales business deal, ensuring it has an associated contract reference ID for visibility.",
  "date": "2025-12-04",
  "entity_identifier": "2000587643",
  "action": "search",
  "attributes": {
    "Label": "Select Initiatives to include in your Business Deal",
    "Header": "Sales Deal",
    "Status": "No Records Found",
    "Account Name": "Orion Global Solutions Ltd.",
    "entity_identifier": "2000587643"
  },
  "knowledge": "The user is searching for an existing delivery initiative related to a business deal by entering an initiative ID.",
  "effort": 5.0
}

Steps performed

What the rep actually did

Each field, search, and button the rep touched on the screen — modeled from the team's digital interactions, not self-reported.

meta_data.screen_fields.interacted_fields

Intelligent intent

Why the steps were taken

ContextFabric infers a plain-English intent — and a short summary of what the rep knows — from the behavior itself. Nothing typed by the user.

intent · knowledge

Where it happened

The work's full provenance

The application, the screen, and the exact record URL — so the agent (and any auditor) can trace the signal back to the SaaS surface it came from.

application · meta_data.absolute_url

Context at the time

What additional context was available

The other attributes available when the rep acted — account, status, identifiers, labels — the operational context that gives the action meaning.

attributes

Example 2 Briefing an account manager before a customer renewal call

An account manager has a renewal call tomorrow. The agent asks ContextFabric to summarize where the deal stands — what the customer has raised, what pricing options are on the table, and what alternatives they're weighing — so it can propose the right opening and next steps.

Request POST /retrieve-context/v1/context

import os, requests

resp = requests.post(
    "https://acme.context.workfabric.com/retrieve-context/v1/context",
    headers={
        "Content-Type": "application/json",
        "X-Api-Key": os.environ["WORKFABRIC_API_KEY"],
    },
    json={
        "agent_id": "agt_account_briefer",
        "intent": (
            "You are an AI co-pilot for account managers preparing customer "
            "renewal conversations. Summarize the current state of the deal "
            "— open concerns, pricing options on the table, the customer's "
            "stated alternatives — and recommend the strongest next steps "
            "and talking points for the upcoming call."
        ),
        "action": (
            "Brief me on the Meridian Trust Bank account for tomorrow's call: "
            "where do we stand on the renewal and cost negotiation, what "
            "concerns has the customer raised, what alternatives are they "
            "considering, and how should the rep open the conversation?"
        ),
    },
)

briefing = resp.json()["context_shipped"]
# The synthesized briefing returned by ContextFabric is shown below —
# the agent can append it to its prompt to compose talking points and
# a recommended opening for the call.

Synthesized context context_shipped · returned to the agent

Here's a concise summary of recent context on the Meridian Trust Bank account (as of 2026-05-25):

Recent context from the team was focused on:
- Negotiating directly with the analytics-platform vendor to reduce annual costs.
- Presenting multiple pricing options (onsite, offshore, hybrid) for implementation and support.
- Considering reduced support costs if vendor negotiations are successful.
- Meridian's interest in replacing the current search platform with an open-source alternative, and the related infrastructure cost implications.
- Coordinating responses to Meridian's concerns and preparing clarifications.
The account team was actively drafting clarifications and referencing ongoing discussions with contractors and subject-matter experts.

Suggested next steps and talking points for tomorrow's call:

Open by acknowledging Meridian's cost pressure and confirm the progress made with the vendor on annual-cost reductions before discussing internal pricing.
Lead with the strongest pricing path — likely the hybrid model — and walk through the trade-offs vs. onsite-only and offshore-only so Meridian can compare side by side.
Address the open-source alternative head-on: outline the infrastructure cost implications they flagged, plus the migration effort and operational overhead they would absorb on their side.
Close with a concrete next checkpoint — the timeline for confirming reduced support pricing, contingent on the vendor outcome — and the owner on our side.

01 · Encryption

What protects data in transit and at rest?

All network connections are encrypted in transit with mutual authentication. All persisted data is encrypted at rest with keys dedicated to your environment — keys are never shared between customers. ContextFabric runs as a global Control Plane operated by Workfabric AI and a dedicated, isolated Data Plane per customer; context is stored only in the Data Plane (see Isolation & Tenancy below).

In transit

All network connections are encrypted with TLS 1.2 or higher.
Mutual authentication enforced for Control Plane and Data Plane traffic.
Services within the Data Plane communicate over encrypted traffic with mutual authentication.

At rest

All persisted data is encrypted at rest.
Each environment is encrypted with its own dedicated keys — keys are never shared between customers.

Key management

Customer-hosted Data Plane: keys reside in your cloud provider's key management service, in your subscription and under your control — including the ability to revoke access.
Workfabric-hosted: Workfabric AI manages the dedicated keys for your environment.

02 · Network Security

What protects the network?

The Data Plane accepts no inbound connections. Its only external traffic is a single authenticated, egress-only channel to the Control Plane, and internal service traffic remains within the customer-configured VNet / VPC.

No inbound connections

No inbound connections are permitted to any Data Plane service from outside the Data Plane.
Data Plane services expose no public endpoints.

Egress-only, single channel

The Data Plane can only egress to the Control Plane — never the reverse.
The secure egress channel is used solely for:
- Retrieving configuration updates
- Applying new security and compliance updates
- Reporting minimal telemetry (egress-only, customer-controlled)

Segregated planes, firewall enforced

Firewall enforced between the Control Plane and your Data Plane.
The boundary between Workfabric's environment and yours is crossed only by the authenticated egress channel.

Contained in your VNet / VPC

All Data Plane services deploy inside a customer-configured VNet / VPC.
Internal service-to-service traffic never traverses the public internet.

Secure delivery All software is signed — signed MSI on Windows, notarized DMG on macOS. Container images and security patches are pushed from the Control Plane through the authenticated channel; updating your Data Plane requires no personnel access.

03 · Authentication & Access

Who — and what — can access context?

Identity comes from your identity provider. Access is mediated three ways: fine-grained roles for people, scoped and revocable keys for users and agents, and Context Groups as the hard boundary on which context any agent can reach.

People

Single sign-on

Users authenticate through your SSO provider; sessions carry your identity provider's tokens. The Control Plane stores only the user's email and name, encrypted at rest.

Roles

Fine-grained permissions

Role and permission management governs administrators, Context Contributors, and AI agents — across the Context Library and every management surface.

Keys

Revocable API keys

Every user and agent API key is scoped and revocable at any time — stored in your Data Plane, cutting access instantly when revoked.

Context Groups are the access boundary.

Not every agent should see every team's context. A Context Contributor belongs to exactly one group, which defines what work it's OK to model from which applications. AI agents are then explicitly assigned to one or more groups — context is controlled from creation all the way through agent access, with no implicit access and no cross-team leakage.

Context Contributors

One group, one boundary

Every contributor belongs to exactly one Context Group. The group governs which applications, URLs, and entities are OK to model — with full visibility into what gets captured and what doesn't.

AI Agents

Explicit, multi-group assignment

Agents are securely assigned to one or more Context Groups. They can only synthesize context from the groups they're attached to — no implicit access, no cross-team leakage.

Go deeper The full governance walkthrough — Context Groups, agent assignment, and per-application modeling controls — lives in the Architecture tab.

04 · Endpoint Security

How is the endpoint secured?

Context capture starts on user devices. The AI Twin Runtime minimizes what persists on the endpoint: interaction data is encrypted and held briefly before transfer, and all transmission goes over the encrypted channel to your Data Plane.

Minimal local retention

Digital interaction data is encrypted at rest on the device.
Retained at most 2 minutes until transfer to your Data Plane.

Filtered at the edge

Sensitive patterns are filtered on-device, before anything is transmitted.
System metadata such as user and session identifiers is PII-filtered at capture.

Scoped by the sensed list

The Runtime only observes applications and URLs your admins allow.
Everything outside the sensed list is not captured.

Encrypted configuration

Runtime configuration and the local copy of the sensed list live in an encrypted configuration file.

Signed, centrally managed builds

Signed MSI on Windows, notarized DMG on macOS.
Deployed and updated through Microsoft Intune, SCCM, or Jamf — the endpoint tooling you already run.

In transit All data leaving the device is TLS-encrypted and transmitted only to your Data Plane.

05 · Data Protection

What's protected, where, and for how long?

Each data store in the platform has a defined protection mechanism and retention policy, summarized below.

Data	Where it lives	Protection	Retention
Digital interaction data	User device → Data Plane	Encrypted at rest on-device; TLS in transit.	≤ 2 min until transfer
Context Library	Data Plane	Encrypted at rest with environment-dedicated keys.	1 month default
Context source data	Data Plane	Encrypted at rest with environment-dedicated keys.	Matches Context Library
User & agent API keys	Data Plane	Encrypted; revocable at any time.	Until revoked
Service logs	Data Plane · Control Plane	Service and endpoint health, request metadata only.	30 days
Onboarded user account	Control Plane	Encrypted at rest; email and name only.	While user is active

Full detail The complete per-store breakdown — including exactly what flows between planes — is in the Architecture tab under "What's stored where?"

06 · Isolation & Tenancy

Is infrastructure shared with other customers?

No. ContextFabric splits into a global Control Plane — orchestration, policy, updates, and monitoring, operated by Workfabric AI — and a dedicated Data Plane per customer holding all storage, compute, and model inference, in your cloud or on dedicated Workfabric AI resources we manage for you. Context is not stored in the Control Plane, and no Data Plane is shared between customers.

Isolated by design

Dedicated storage, dedicated compute, and a dedicated inference path per customer. No shared service plane — in our cloud or yours.

No human access

Workfabric personnel do not require access into your Data Plane. Updates and configuration are delivered through the controlled egress channel.

Data residency

Your Data Plane runs in the region you choose; only metadata and configuration are stored in the Control Plane. Workflows, business objects, and traces remain in your environment.

Patching

Security fixes are pushed from the Control Plane through the authenticated channel. No personnel access is required to apply updates.

07 · Auditability

How is context traced and audited?

Every context unit an agent receives can be traced back to its origin. ContextFabric maintains semantic links from the context an agent consumes all the way down to the data sources and interactions that generated it.

Evidence-linked context

Traceable to the source

Workflows, participants, and business objects link back to the systems, documents, and interactions that generated them.

Lineage

Four layers, fully linked

Raw data → semantic entities → workflows → intent. Each layer preserves semantic links down to the layer below, so any context unit resolves to its raw origin.

Audit without exposure

Verifiable tags & lineage

Verifiable tags are embedded in context inside your Data Plane, while unified audit frameworks run in the Control Plane — audits are supported without requiring access into your environment.

08 · Assurance

What external testing and certifications exist?

ContextFabric undergoes annual third-party penetration testing across all APIs, cloud infrastructure, and the endpoint client, and Workfabric AI is undergoing a SOC 2 audit covering all of its operations.

Annual third-party penetration test

Comprehensive coverage of all APIs — agent, ingestion, and retrieval — plus cloud infrastructure.
Combination of automated tooling and manual testing by security professionals.
Includes the AI Twin Runtime thick client — configuration, logs, encryption, and data handling.
Report available upon request.

SOC 2

SOC 2 audit underway.
Covers all Workfabric AI operations — information security, the software development lifecycle, and business continuity.

Customer deployment

How is ContextFabric deployed?

ContextFabric has two halves to roll out: the AI Twin Runtime on each user's device, and the ContextFabric Environment (the Data Plane). Both are designed to deploy with tools your IT team already runs.

AI Twin Runtime

A background process on each user's device, with the user's awareness of it running. At scale, the Runtime is deployed centrally with Microsoft Intune or SCCM on Windows, and Jamf on macOS — the same endpoint-management tools you already use.

Small deployments For deployments of 10 Runtimes or fewer, we recommend installing manually with the signed MSI (Windows) or notarized DMG (macOS) — no endpoint-management tooling required.

Large deployments For deployments of 10–1000 Runtimes or more, centralized IT pushes to Windows and Mac, supported with Microsoft Intune, SCCM, and Jamf.

Deployed centrally · Windows + macOS

Windows requirements

Dimension	Requirement
OS	Windows 10 or 11
CPU	4 cores · Intel i5 or better (i5-6600 for reference)
RAM	16 GB
Disk	2.5 GB
Network	1 Mbps egress

macOS requirements

Dimension	Requirement
OS	macOS 25 (latest)
CPU	Apple Silicon (M1 · M2 · M3 · M4 · M5)
RAM	16 GB
Disk	2.5 GB
Network	1 Mbps egress

Installers The MSI and DMG, with installation instructions, are provided after your ContextFabric Environment is set up — so the installers authenticate with your isolated environment.

Manual installation walkthrough · what your team sees

acme.context.workfabric.com

Download AI Twin Runtime Installer to contribute context

Download

Illustration of the ContextFabric portal — not a real download link

License Key

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhY21lLWNvcnAiLCJ0ZW5hbnQiOiJhY21lLmNvbnRleHQud29ya2ZhYnJpYy5jb20iLCJlbnYiOiJwcm9kIn0.DEMO_ILLUSTRATION_ONLY⎘

Activation URL

https://acme.context.workfabric.com⎘

1 · Portal download — log in to your ContextFabric environment, choose your platform, and download the signed installer with your embedded license key.

AI Twin Runtime Installer─ ▢ ✕

ContextFabric™Version : 1.2.7.0

Software License Agreement

This End User License Agreement (“EULA”) shall be deemed to apply to any end user, individual or company (hereinafter “Licensee” or “you”) who uses or otherwise accesses any Workfabric Software (as defined below) or other services provided by Workfabric. In the event the Licensee has agreed separate terms in writing with Workfabric, such other terms shall control and prevail in the event of any conflict with this EULA.

1. Definitions

“Affiliate” means, with respect to either party, all entities directly or indirectly controlling, controlled by or under common control with such party, where control may be by either management authority, contract or equity interest…

Please review and accept license agreement to proceed with installation

PrintCancel

2 · License agreement — review and accept the EULA to begin.

AI Twin Runtime Installer─ ▢ ✕

ContextFabric™Version : 1.2.7.0

Install AI Twin Runtime

Install just for me Recommended

The AI Twin Runtime will be installed for the signed-in user.

Install for all users

The AI Twin Runtime will be installed for all users on this device.

BackNextCancel

3 · Install scope — per-user (recommended) or all users on the device.

AI Twin Runtime Installer─ ▢ ✕

ContextFabric™Version : 1.2.7.0

Installation Type

Standard Installation

The AI Twin Runtime will be installed with default configurations at: C:\Users\<user>\AppData\Local\TS\Sensor

Customized Installation

Choose installation location and configurations.

BackNextCancel

4 · Installation type — standard defaults, or a custom location and configuration.

AI Twin Runtime Installer─ ▢ ✕

ContextFabric™Version : 1.2.7.0

Installing AI Twin Runtime

Please wait while the Setup Wizard installs the AI Twin Runtime.

Status: Copying new files

Cancel

4 · Installation — the wizard copies files and registers the Runtime.

AI Twin Runtime Installer─ ▢ ✕

ContextFabric™Version : 1.2.7.0

Installation Completed ✓

Enable auto-activation via Activation URL

Enter Activation URL

Activate via license

The license key can be found in the ContextFabric portal

Activate AI Twin Runtime

6 · Activation method — auto-activate via URL, or use a license key from the ContextFabric portal.

Activate AI Twin Runtime✕

Enter your license key to activate

Your license key is available on the ContextFabric Portal.
Login details have been sent to your inbox.

Enter your license key here

Activate

7 · Activate — paste the license key from the portal; the Runtime authenticates with your isolated environment.

acme.context.workfabric.com

Download AI Twin Runtime Installer to contribute context

Download

Illustration of the ContextFabric portal — not a real download link

License Key

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhY21lLWNvcnAiLCJ0ZW5hbnQiOiJhY21lLmNvbnRleHQud29ya2ZhYnJpYy5jb20iLCJlbnYiOiJwcm9kIn0.DEMO_ILLUSTRATION_ONLY⎘

Activation URL

https://acme.context.workfabric.com⎘

1 · Portal download — log in to your ContextFabric environment, choose your platform, and download the signed installer with your embedded license key.

📦Install AI Twin Runtime

Introduction
License
Destination Select
Installation Type
Installation
Summary

Welcome to the AI Twin Runtime Installer

You will be guided through the steps necessary to install this software.

Go BackContinue

2 · Introduction — open the DMG and start the guided installer.

📦Install AI Twin Runtime

Introduction
License
Destination Select
Installation Type
Installation
Summary

Software License Agreement

To continue installing the software you must agree to the terms of the software license agreement.

Click Agree to continue or click Disagree to cancel the installation and quit the Installer.

Read LicenseDisagreeAgree

Go BackContinue

2 · License — review the EULA and click Agree.

📦Install AI Twin Runtime

Introduction
License
Destination Select
Installation Type
Installation
Summary

Select a Destination

How do you want to install this software?

Install for all users of this computer

Install for me only

Install on a specific disk…

Go BackContinue

4 · Destination — install for all users of the device.

📦Install AI Twin Runtime

Introduction
License
Destination Select
Installation Type
Installation
Summary

Standard Install on “Macintosh HD”

This will take 346.8 MB of space on your computer.

Click Install to perform a standard installation of this software for all users of this computer.

Go BackInstall

4 · Install — a standard install; admin credentials are requested once.

📦Install AI Twin Runtime

Introduction
License
Destination Select
Installation Type
Installation
Summary

✓

The installation was successful.

The software was installed.

Go BackClose

6 · Summary — installation completed successfully.

Activate AI Twin Runtime

Enter your license key

Your License Key is available in the ContextFabric portal

Enter your license key here

Activate

7 · Activate — paste the license key from the portal; the Runtime authenticates with your isolated environment.

Activate AI Twin Runtime

✓

Runtime Activated

Grant the following permissions to start context collection.
The AI Twin Runtime will restart automatically once the permissions are granted.

🔔

Notifications

✓ Granted

✓

♿

Accessibility

For capturing inputs on approved applications

Grant Access

⊙

Screen Capture

For capturing context on approved applications

Grant Access

1 of 3 grantedRestart AI Twin Runtime

8 · Permissions — grant Notifications, Accessibility, and Screen Capture; the Runtime restarts automatically.

System Settings

🔍 Search

Network

Notifications

Accessibility

Privacy & Security

Displays

Accessibility

Allow the applications below to control your computer.

CFAI Twin Runtime

··Other applications

The same toggle is enabled under Privacy & Security → Screen & System Audio Recording.

9 · System Settings — confirm the AI Twin Runtime toggles under Accessibility and Screen Recording.

ContextFabric Environment

Your Data Plane — a fully isolated environment with dedicated compute, dedicated storage, no shared service plane, and no shared inference path. Two ways to run it.

Option 1

Workfabric AI hosted

For any scale, small or large.

The simplest path. Workfabric AI provisions and operates dedicated, isolated compute and storage for your enterprise — no cloud accounts to set up, no Kubernetes clusters to maintain, no networking to configure. Your context data, models, and inference path remain dedicated to you. Your team gets context the day they sign in.

Option 2

Customer-hosted Data Plane

For enterprise contracts of 1000+ AI Twin Runtimes.

Run the same isolated Data Plane inside your own cloud account. Same architecture across clouds — only the underlying resource types change. See the per-cloud reference specifications below.

Customer-hosted Data Plane — cloud reference specifications

For enterprise customers that meet the criteria for Option 2, here are the reference resource sets per cloud. Same architecture and isolation guarantees in each — only the underlying resource types change.

Sizing The specifications below are a baseline reference set; final sizing is determined with your team during deployment planning for your AI Twin Runtime count.

Microsoft Azure

Available

All ContextFabric services run inside your Azure subscription, in a customer-configured VNet — internal service calls never traverse the public internet. The only external traffic is the secure, authenticated egress to the Workfabric Control Plane for configuration, telemetry, and upgrades.

Category	Resource	Specification	Purpose
Compute	AKS Cluster	1 node · Standard_D8s_v5	Runs all ContextFabric services — Operator, Context Creation, Context Synthesis, and the MCP interface.
Database	Azure PostgreSQL	Standard_D4ds_v4 · 256 GB	Context Library — structured context, retrieval indexes, semantic metadata, privacy policy config.
Storage	Azure Blob Storage	1 TB	Context Source Data — raw, unstructured inputs from which ContextFabric distills knowledge.
Security	Azure Key Vault	Standard tier	Customer-managed encryption keys for data at rest and runtime secrets. Workfabric never holds your keys.
Networking	Azure VNet	Customer-configured	Network isolation — internal service-to-service traffic stays within the VNet boundary.
AI models	Azure AI Foundry	GPT-4o-mini · 1M TPM GPT-4.1 · 0.2M TPM GPT-5-nano · 2M TPM text-embedding-small · 1M TPM	Model runtime for context creation, synthesis, and embeddings.

Amazon Web Services (AWS)

Coming Q2 2026

The AWS deployment translates the Azure architecture into AWS-native services — same Control Plane / Data Plane split, same isolation guarantees, same egress model. All ContextFabric services run inside your AWS account, in a customer-configured VPC.

Category	Resource	Specification	Purpose
Compute	Amazon EKS	1 node · m6i.2xlarge	Runs all ContextFabric services — Operator, Context Creation, Context Synthesis, and the MCP interface.
Database	Amazon RDS for PostgreSQL	db.m6i.xlarge · 256 GB	Context Library — structured context, retrieval indexes, semantic metadata, privacy policy config.
Storage	Amazon S3	1 TB	Context Source Data — raw, unstructured inputs from which ContextFabric distills knowledge.
Security	AWS KMS	Customer-managed keys	Customer-managed encryption keys for data at rest and runtime secrets. Workfabric never holds your keys.
Networking	Amazon VPC	Customer-configured	Network isolation — internal service-to-service traffic stays within the VPC boundary.
AI models	Amazon Bedrock	Amazon Nova Micro · 1M TPM GPT-5.4 · 0.2M TPM GPT-5.4 (low reasoning effort) · 2M TPM Amazon Titan Text Embeddings V2 · 1M TPM	Model runtime for context creation, synthesis, and embeddings — Bedrock-native equivalents of the Azure model set.

Google Cloud Platform (GCP)

Coming Q3 2026

Coming Q3 2026. The GCP deployment will translate the same architecture onto Google Kubernetes Engine, Cloud SQL for PostgreSQL, Cloud Storage, Cloud KMS, and a customer-configured VPC.

What twins unlock on your platform.

Use cases

What is ContextFabric?

AI Twin Runtime

Context Library

Intelligence layer

MCP for your agents

How do digital interactions become context?

How does context flow?

What’s centralized, what’s isolated?

End-to-end encryption

Data at rest

Segregated planes with strong boundaries

Controlled Data Plane egress

What’s stored where?

Team / User Machines

Digital interaction data

AI Twin Runtime configuration

ContextFabric Data Plane

Context Library

Context source data

Sensed list

User & agent API keys

Log information

Workfabric Global Control Plane

Data Plane configuration

Product upgrades

Log information

Global portal management information

Onboarded user account

How does it coexist with your AI stack?

100+ enterprise apps

MCP-compatible

Model-agnostic

What is the AI Twin Runtime?

How is privacy protected?

Pattern matching

Semantic rules

Remove private information using natural-language rules

How does Context Synthesis work?

How is context governed?

One group, one boundary

Explicit, multi-group assignment

How is context synthesized on demand?

What the rep actually did

Why the steps were taken

The work's full provenance

What additional context was available

What protects data in transit and at rest?

In transit

At rest

Key management

What protects the network?

No inbound connections

Egress-only, single channel

Segregated planes, firewall enforced

Contained in your VNet / VPC

Who — and what — can access context?

Single sign-on

Fine-grained permissions

Revocable API keys

One group, one boundary

Explicit, multi-group assignment

How is the endpoint secured?

Minimal local retention

Filtered at the edge

Scoped by the sensed list

Encrypted configuration

Signed, centrally managed builds

What's protected, where, and for how long?

Is infrastructure shared with other customers?

How is context traced and audited?

Traceable to the source

Four layers, fully linked

Verifiable tags & lineage

What external testing and certifications exist?

Annual third-party penetration test

SOC 2

How is ContextFabric deployed?

Workfabric AI hosted

What twins unlock
on your platform.