Security and Data Practices

‍

Data Practices

Single-tenant isolation

Each project is provisioned as its own tenant container, with separate data stores (knowledge graph + file storage).

Tenants do not share databases, indices, or file buckets, which prevents cross-customer data paths and eliminates commingling.

Always-on encryption

All customer data is encrypted at rest and in transit using modern, industry-standard cryptography.

For customers with stricter key governance, we support Bring Your Own Key (BYOK), enabling you to control key generation, storage, rotation, and revocation in your own KMS/HSM.

No training on your data

Your data is used to serve your organization. Period.

We do not use customer data to train foundation models or to build derivative LLMs shared across customers. You retain full control of your data and its lifecycle.

Identity & Integrations

Enterprise ready auth

We integrate with your IdP via SAML 2.0 or OIDC (Okta, Microsoft Entra ID / Azure AD, Google, and others).

SCIM supports automated user lifecycle management (provisioning, de-provisioning, group sync).

Built-in role-based access control (RBAC) restricts access by project and role.Integrate SSO with your IdP using SAML 2.0/OIDC (Okta, Microsoft Entra ID/Azure AD, Google, etc.).

Procore and Autodesk

Native connectors integrate with Procore and ACC to ingest, synchronize, and reason over project artifacts.

Additional integrations enabled on request.

Minimal permission scopes

Integrations request only the specific, minimal scopes required to deliver agreed functionality.

Access tokens and permissions are limited and can be revoked at any time by your admins.

SOC 2 Type II compliant
Report on request.