Security FAQ

light purple quilt wave
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Data Retention

Is any of my data retained?

You have the option to completely control how and when your data is stored by us.
Data Encryption

What type of encryption is being used in transit/at rest?

Data is encrypted in transit and at rest using TLS and AES-256 for data at rest.
Data Accessibility

Who has access to the data?

No data is shared with anybody unless it is strictly necessary for the core product. We send document snippets to OpenAI for processing and store encrypted document indices in Google Cloud.
Data Storage

Where is your infrastructure and where do you store data?

We use Google Cloud and replicate data across multiple North American regions.
Data Model

What AI models do you use?

We use models from OpenAI as well as a proprietary mix of open source models and hosted models.
Continuous Monitoring

Do you monitor for security threats continuously, and how do you handle discovered vulnerabilities?

We use Google Web Security Scanner and Event Threat Detection to continuously monitor for threads and vulnerabilities. All severe or moderately severe vulnerabilities are triaged and patched within a few days.
Third Party Integration

If the tool integrates with third-party services, how do you ensure the data security is shared with these services?

OpenAI: We send OpenAI portions of the documents you shared only as necessary to answer questions. We are proactively looking at open source models to remove our reliance on a third party provider. Google: We use Google Cloud for our services and data storage, including indices of your document. Your documents will pass through servers controlled by Google.
Data Portability

Is it possible to export data from the tool in a usable format if you decide to switch to a different tool or vendor in the future?

Other than usage metrics, this isn’t applicable as we’re not storing data that is fit for exporting. We do not store a repository of questions and answers. Instead, we hook into a user’s source data and build a data index around it. In the future, we may make available the logs of all questions requested and answers generated within an organization.
Audit Logging

Are audit logs that record user activities and data access available? Can these logs be exported for analysis?

User activity - whenever a user requests an answer to a question - will be logged. These logs can be exported via email request by the user or the owner of the account.
Access Control

What authentication methods are supported? Does the tool support multi-factor authentication (MFA)?

The tool only has access to the data the user shares with it. If a user does not have access to certain data, for instance, a sensitive document, they will not be able to share it with the tool and we will not be able to see it. In the future, to provide more consistent answers across a single organization, we may index a single model per organization, in which case data would be shared. In this case, we will implement user-based access controls so that users can only see data from source documents that they have access to. This will provide a finer level of granularity than role-based access and will more faithfully reflect the access given within the user’s own organization.
User Authentication

Does the tool allow for role-based access control to ensure users only have access to the necessary data and features for their role?

Users authenticate via their Google Account, which natively supports MFA. The user is required to have MFA enabled on their end.
Data Encryption

Is data encrypted both in transit and at rest? What encryption standards are being used?

Data is encrypted in transit using TLS and AES-256 at rest.
Data Access

Who has access to the data? What are your policies on employee access?

Employees will not be able to access the data. Employees may request access to the data to help with debugging and customer support until the issue is closed.
Data Retention & Deletion

What is the data retention policy? How can data be deleted, and can the vendor ensure that it is permanently erased?

We retain indexed data in our databases until the user or organization closes their account or requests deletion. Data can automatically be removed by removing access to the documentsquestion. It will take at most 8 hours for the removal to be reflected in our production environment. In addition, customers can request deletion of some or all data via email to All of that customer's data will be deleted within 30 days and will be confirmed via email.
Data Storage

Where is the data stored? Are the data centers compliant with security standards such as ISO 27001, SOC 2, or others?

The data is stored in a vector database hosted on GCP. The data center is ISO 27001 and SOC 2 compliant.
Indexing & Data Processing

How is the data indexed using GPT? Is any data sent to third parties or external systems during processing?

Data is indexed via reading the documents that are shared with our email alias and storing relevant excerpts from those documents alongside the relevant embeddings. No data is sent to third parties or external systems during the ingestion and indexing step. When a user requests an answer to a question, the relevant indexed data is sent on-demand to OpenAI.

Unlock your team's
full potential with Quilt

Get Started