Trust & Security

Enterprise-Grade Security

Your data is protected by industry-leading security practices. We implement comprehensive technical and organizational measures to keep your strategic information safe.

Compliance & Certifications

We are committed to meeting the highest standards of security and compliance for enterprise customers.

🇪🇺 Compliant

GDPR

Full compliance with EU data protection regulations including data export and deletion rights.

🔐 In Progress

SOC 2 Type II

Independent audit of security, availability, and confidentiality controls.

🏛️ Planned

ISO 27001

International standard for information security management systems.

🔑 Compliant

SSO/SAML

Enterprise single sign-on with SAML 2.0 and OIDC support via Firebase Identity Platform.

🛡️

Your Data Never Trains AI Models

We are committed to protecting your proprietary information. Your workspace content is never used to train, fine-tune, or improve AI models.

  • Your data is used only to provide the Service to you
  • Anthropic (our AI provider) does not retain your prompts or responses for training
  • Your competitive strategies and sensitive information remain confidential

See our Privacy Policy for complete details on data handling.

🔒

Data Protection

We implement multiple layers of encryption and security controls to protect your data at every stage.

🔐

AES-256 Encryption at Rest

All data stored in our databases is encrypted using AES-256, the same encryption standard used by governments and financial institutions.

🔗

TLS 1.2+ Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, preventing interception.

🗝️

KMS-Encrypted OAuth Tokens

Integration credentials and OAuth tokens are encrypted using Google Cloud Key Management Service (KMS) with hardware-backed keys.

🏢

Logical Tenant Isolation

Every database query is filtered by tenantId, ensuring strict separation between customer workspaces. No data mixing is possible.

👤

Authentication & Access Control

Enterprise-grade identity management with flexible authentication options.

🔑

SSO/SAML Integration

Connect your existing identity provider (Okta, Azure AD, Google Workspace) using SAML 2.0 or OpenID Connect via Firebase Identity Platform.

📱

Multi-Factor Authentication

Support for MFA through your identity provider, adding an extra layer of protection to user accounts.

👥

Role-Based Access Control

Granular permissions allow you to control who can access what within your workspace. Admin roles are enforced for sensitive operations.

⏱️

Timing-Safe Token Validation

All authentication token comparisons use timing-safe (constant-time) comparison functions to prevent timing attacks.

📋

Audit & Compliance

Comprehensive logging and compliance features for regulated industries.

📝

29 Auditable Action Types

We log all sensitive operations including login, data access, configuration changes, and administrative actions with full context.

🗄️

Immutable Audit Logs

Audit logs are stored in Google BigQuery with immutability guarantees, ensuring they cannot be tampered with.

📤

Per-Tenant Log Export

Export your organization's audit logs for compliance reporting, SIEM integration, or forensic analysis.

🇪🇺

GDPR Rights Support

Full support for Article 17 (Right to Erasure) and Article 20 (Data Portability) with automated data export and deletion endpoints.

🏗️

Infrastructure

Built on enterprise-grade cloud infrastructure with high availability.

☁️

Google Cloud Platform

Hosted on GCP (us-central1) with enterprise security controls, on SOC 2 and ISO 27001 certified infrastructure.

🌐

Cloudflare Protection

CDN and DDoS protection through Cloudflare, with Web Application Firewall (WAF) for additional security.

Distributed Rate Limiting

Cross-instance rate limiting prevents abuse and ensures fair usage across all customers.

📊

99.5% Uptime SLA

We commit to 99.5% monthly availability with 48-hour advance notice for scheduled maintenance.

Security FAQ

Do you use my data to train AI models?

No. Your workspace content is never used to train, fine-tune, or improve AI models. Anthropic (our AI provider) has committed not to use your prompts or responses for model training.

Where is my data stored?

All data is stored in the United States (Google Cloud Platform, us-central1 region). For EU customers, we provide Standard Contractual Clauses (SCCs) for compliant international data transfers.

How do you handle data breaches?

We have a documented incident response plan. In the event of a breach affecting your data, we will notify you within 72 hours as required by GDPR, and within applicable timeframes for other jurisdictions (e.g., California).

Can I export or delete my data?

Yes. You can export all your data at any time through our API or by contacting support. You can also request complete deletion of your account and all associated data, which will be processed within 30 days.

Do you offer a Data Processing Agreement (DPA)?

Yes. We provide a DPA that incorporates EU Standard Contractual Clauses for all customers processing personal data. The DPA is automatically incorporated into our Terms of Service for applicable customers. View our DPA.

What certifications do you have?

We are currently GDPR compliant with full data export and deletion support. SOC 2 Type II certification is in progress (expected 2025). ISO 27001 certification is planned. Our infrastructure providers (GCP, Firebase) are SOC 2 and ISO 27001 certified.

Do you perform penetration testing?

Yes. We conduct regular third-party penetration testing and vulnerability assessments. Results are available to enterprise customers under NDA.

📧

Contact

Our security team is available to answer questions and provide additional documentation for enterprise security reviews.