Security & Compliance
Your data is your business. We protect it with full isolation, encryption at every layer, GDPR compliance, and a complete audit trail.
Data Isolation
Every tenant's documents, embeddings, and chat history are isolated at the database level using PostgreSQL Row Level Security (RLS). All queries are automatically scoped to your workspace — it is architecturally impossible for another tenant to access your data.
No Training on Your Data
We use the OpenAI API for chat completions and text embeddings. Per OpenAI's API data usage policy, data submitted via the API is not used to train or improve AI models. Your documents and conversations are never used for model training — by us or by our AI provider.
End-to-End Encryption
All data is encrypted at rest (AES-256 via Supabase/AWS) and in transit (TLS 1.3). Sensitive fields such as chat questions are additionally encrypted at the application layer using AES-256-GCM with per-record unique initialization vectors — providing defence-in-depth beyond storage-level encryption.
SOC-2 Type II Aligned
Our infrastructure and engineering practices are designed to meet SOC-2 Type II criteria. We maintain immutable audit logs of all data access and mutations, enforce least-privilege access controls, apply security headers on all endpoints, and conduct regular dependency audits.
GDPR Compliant
We comply with the General Data Protection Regulation. You can export a full copy of all your data at any time from the dashboard (Article 20 — data portability). You can permanently delete your workspace and all associated data instantly (Article 17 — right to erasure). We only process data necessary for the service.
Security Headers
All responses include strict HTTP security headers: Strict-Transport-Security (HSTS with preload), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. These prevent XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.
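The header set listed above, as an added example rather than WeaverChat's own configuration: the page names the headers but not their values, so the values here are illustrative defaults (the CSP in particular must be tuned to an application's real origins). The checker is the kind of thing a defender runs against a captured response to catch a header that is present but weakened, such as HSTS without `preload` or a CSP that permits inline script.

```javascript
// Illustrative strict header set (values assumed; the page lists only the names)
const STRICT_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy':
    "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};

// Header names are case-insensitive; compare on a lower-cased copy
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Returns a list of findings; an empty list means every header is present and strict
function auditSecurityHeaders(headers) {
  const h = normaliseHeaders(headers);
  const findings = [];

  for (const name of Object.keys(STRICT_HEADERS)) {
    if (!(name in h)) findings.push(`missing: ${name}`);
  }

  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push('hsts: max-age below one year');
    if (!/includeSubDomains/i.test(hsts)) findings.push('hsts: missing includeSubDomains');
    if (!/\bpreload\b/i.test(hsts)) findings.push('hsts: missing preload');
  }

  const csp = h['content-security-policy'];
  if (csp) {
    if (/'unsafe-inline'|'unsafe-eval'/.test(csp)) findings.push('csp: allows unsafe-inline or unsafe-eval');
    if (!/frame-ancestors/.test(csp)) findings.push('csp: no frame-ancestors directive');
    if (!/object-src\s+'none'/.test(csp)) findings.push("csp: object-src not 'none'");
  }

  const xcto = h['x-content-type-options'];
  if (xcto && xcto.trim().toLowerCase() !== 'nosniff') findings.push('x-content-type-options: must be nosniff');

  const xfo = h['x-frame-options'];
  if (xfo && !/^(DENY|SAMEORIGIN)$/i.test(xfo.trim())) findings.push('x-frame-options: must be DENY or SAMEORIGIN');

  return findings;
}

// Constructed sample response: HSTS without preload and a CSP permitting inline script
const WEAK_RESPONSE_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
};

console.log(auditSecurityHeaders(STRICT_HEADERS));        // []
console.log(auditSecurityHeaders(WEAK_RESPONSE_HEADERS)); // nine findings
```

Run the checker from a deploy pipeline against a real response's headers and fail the deploy on any finding; a header that silently drops out of a framework upgrade is otherwise easy to miss.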
Audit Logging
Every significant action — document uploads, deletions, settings changes, token creation — is written to an append-only audit log. Tenant administrators can view their audit trail in the dashboard at any time. Logs are stored with row-level security so only the workspace owner can read them.
Sub-Processors
We use the following sub-processors, each with its own compliance certifications: Supabase (SOC-2 Type II, GDPR) for database and storage; Vercel (SOC-2 Type II) for hosting; OpenAI (SOC-2 Type II) for AI inference; Upstash for rate limiting; Inngest for background processing.
Security concerns or questions?
Report vulnerabilities or request a Data Processing Agreement at security@weaverchat.app.