Your data is protected by industry-leading security practices. We implement comprehensive technical and organizational measures to keep your strategic information safe.
Last updated: May 14, 2026
We are committed to protecting your proprietary information. Your workspace content is never used to train, fine-tune, or improve AI models.
See our Privacy Policy for complete details on data handling.
We implement multiple layers of encryption and security controls to protect your data at every stage.
All data stored in our databases is encrypted using AES-256, the same encryption standard used by governments and financial institutions.
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, preventing interception.
Automated backups run daily with 30-day retention, and point-in-time recovery (PITR) is enabled for disaster recovery.
Database-level and application-level controls ensure one team cannot access another team's data.
Enterprise-grade identity management with flexible authentication options.
Sign in with your Google or Microsoft work account. Seamless authentication for your entire team.
MFA is available through your identity provider (Google, Microsoft). Enable MFA in your identity provider to add an extra layer of protection.
Role-based access control with admin enforcement for team management and sensitive operations.
Enterprise controls for AI-powered features with strict data protection.
Your data is never used to train AI models. Our AI providers automatically delete API inputs and outputs within 30 days of processing.
All AI models are vetted for short data retention windows, DPA availability, and contractual guarantees against training on customer data. Models are accessed via API only — we never fine-tune on your data.
All AI outputs are validated to prevent prompt injection, data exfiltration, and unsafe content. Flagged responses are automatically redacted before reaching users.
Per-team admin controls for which AI features are enabled. Chat, document processing, voice, and conflict detection can be independently toggled per team and plan tier.
Comprehensive logging and compliance features for enterprise governance requirements.
We log all sensitive operations including login, data access, configuration changes, and administrative actions with full context.
Audit logs are stored with immutability guarantees, ensuring they cannot be tampered with.
Export your organization's audit logs for compliance reporting, SIEM integration, or forensic analysis.
Full support for Article 17 (Right to Erasure) and Article 20 (Data Portability) with automated data export and deletion endpoints.
Built on enterprise-grade cloud infrastructure with high availability.
Hosted on enterprise-grade cloud infrastructure in the United States with SOC 2 and ISO 27001 certified data centers.
Enterprise WAF with managed rulesets, DDoS protection, TLS termination, browser integrity checks, and bot mitigation.
Cross-instance rate limiting prevents abuse and ensures fair usage across all customers.
We target 99.5% monthly availability with 48-hour advance notice for scheduled maintenance.
All traffic is encrypted with TLS 1.2+ and inspected by Cloudflare WAF before reaching our servers. All data is stored and processed in the United States.
For detailed architecture diagrams, request our Security Architecture Whitepaper.
We use a minimal set of trusted third-party services. Customers are notified of changes at least 30 days in advance.
Dedicated resources and personalized service for enterprise customers.
Named customer success manager and direct access to our security engineering team for enterprise accounts.
Custom implementation plan designed for your organization, including integration support and admin training.
Priority response for critical issues with direct Slack or email access to our team.
Periodic security reviews and compliance assistance to keep your deployment secure.
No. Your workspace content is never used to train, fine-tune, or improve AI models. Our AI providers automatically delete API inputs and outputs within 30 days of processing and do not use your data for training.
All data is stored in the United States. For EU customers, we provide Standard Contractual Clauses (SCCs) for compliant international data transfers.
We have a documented incident response plan. In the event of a breach affecting your data, we will notify you within 72 hours as required by GDPR, and within applicable timeframes for other jurisdictions (e.g., California).
Yes. You can export all your data at any time through our API or by contacting support. You can also request complete deletion of your account and all associated data, which will be processed within 30 days.
Yes. Our Data Processing Agreement incorporates EU Standard Contractual Clauses and is effective upon acceptance of the Terms of Service. No separate signature is required. Contact [email protected] to request a countersigned copy.
We are currently GDPR compliant with full data export and deletion support. SOC 2 Type II and ISO 27001 certifications are planned. Our infrastructure providers (Google Cloud Platform, Cloudflare) are SOC 2 and ISO 27001 certified.
Third-party penetration testing is planned for 2026. We currently use automated security scanning including dependency vulnerability scanning and static analysis. We have a responsible disclosure program for security researchers.
Our security team is available to answer questions and provide additional documentation for enterprise security reviews.
Email: [email protected]
Public Resources:
Enterprise Security Package:
Contact [email protected] to request these documents.
Security Researchers:
We welcome responsible disclosure. Report vulnerabilities to [email protected]. Safe harbor provided for good-faith research.