Encrypted credentials, per-project RBAC, indefinite audit logs, read-only by default, and an honest accounting of exactly what we do — and don't — send to the LLM.
The boring controls that matter when something goes wrong.
Per-source credentials are encrypted with authenticated symmetric encryption and decrypted only server-side at the moment of query. All browser-to-API traffic is protected with modern TLS. Credentials are never logged and never returned by any API endpoint.
Passwords are stored only as strong adaptive hashes, never in plaintext. Access tokens are short-lived, with refresh and rotation. Email verification is required before first login. Password-reset tokens are single-use and rate-limited.
Three roles per project — owner, editor, viewer. Source credentials are visible only to the owner. Editors run queries; they cannot see or modify credentials. Role changes are audit-logged.
A per-project audit table tracks every member change, source create/update/delete, report mutation, and ERP write-back. Entries are retained indefinitely and are exportable for compliance reviews.
Per-tenant row-level filtering on every database query. Each user sees only their own resources plus project-shared resources where they're a member. No cross-tenant query path exists.
All connections are read-only by default. ERP write-back (Procore RFI/submittal, Aconex transmittal) is opt-in per source with a per-action audit log. Autodesk APS / BIM is read-only end-to-end — we do not have a write surface.
The single most-asked question about any AI product. Here's the answer.
Sent to the LLM: your prompt, schema metadata (table and column names and types), recent message history, generated SQL, and small row samples only when needed for context. Token counts are logged per message.
Not sent to the LLM: credentials, full result sets of large queries, and document body text outside the chunks the user explicitly searched. We do not pass entire query results back through the LLM.
Uploaded files are stored in isolated per-source containers. Text is extracted on-platform; scanned pages fall back to vision OCR with image bytes sent only at OCR time. Embeddings and chunks are stored per-source — never pooled cross-tenant.
The short version. The full list is available to enterprise customers under NDA.
We use a small set of vetted subprocessors for transactional email and AI-assisted query generation. Enterprise customers can request the current subprocessor list — including locations, scope of data access, and contractual terms — under NDA at [email protected].
The honest version.
We sign mutual NDAs, complete security questionnaires (CAIQ and custom vendor forms), and provide architecture briefings to Custom Enterprise customers on request — [email protected].
Deletion is a hard delete, with no soft-delete fallback. Deleting a source cascades to its widgets, reports, chats, exports, and embeddings. Backups follow a 30-day retention window.
Email [email protected]. For everything else, [email protected].
Start free. Connect a read-only replica. See exactly what we do with your data.