Security FAQ

You have the option to completely control how and when your data is stored by us.

Data is encrypted in transit and at rest using TLS and AES-256 for data at rest.

No data is shared with anybody unless it is strictly necessary for the core product. We send document snippets to OpenAI for processing and store encrypted document indices in Google Cloud.

We use Google Cloud and replicate data across multiple North American regions.

We use models from OpenAI as well as a proprietary mix of open source models and hosted models.

We use Google Web Security Scanner and Event Threat Detection to continuously monitor for threads and vulnerabilities. All severe or moderately severe vulnerabilities are triaged and patched within a few days.

OpenAI: We send OpenAI portions of the documents you shared only as necessary to answer questions. We are proactively looking at open source models to remove our reliance on a third party provider. Google: We use Google Cloud for our services and data storage, including indices of your document. Your documents will pass through servers controlled by Google.

Other than usage metrics, this isn’t applicable as we’re not storing data that is fit for exporting. We do not store a repository of questions and answers. Instead, we hook into a user’s source data and build a data index around it. In the future, we may make available the logs of all questions requested and answers generated within an organization.

User activity - whenever a user requests an answer to a question - will be logged. These logs can be exported via email request by the user or the owner of the account.

The tool only has access to the data the user shares with it. If a user does not have access to certain data, for instance, a sensitive document, they will not be able to share it with the tool and we will not be able to see it. In the future, to provide more consistent answers across a single organization, we may index a single model per organization, in which case data would be shared. In this case, we will implement user-based access controls so that users can only see data from source documents that they have access to. This will provide a finer level of granularity than role-based access and will more faithfully reflect the access given within the user’s own organization.

Users authenticate via their Google Account, which natively supports MFA. The user is required to have MFA enabled on their end.

Data is encrypted in transit using TLS and AES-256 at rest.

Employees will not be able to access the data. Employees may request access to the data to help with debugging and customer support until the issue is closed.

Data is indexed via reading the documents that are shared with our email alias data@quilt.app and storing relevant excerpts from those documents alongside the relevant embeddings. No data is sent to third parties or external systems during the ingestion and indexing step. When a user requests an answer to a question, the relevant indexed data is sent on-demand to OpenAI.

We retain indexed data in our databases until the user or organization closes their account or requests deletion. Data can automatically be removed by removing access to the documentsquestion. It will take at most 8 hours for the removal to be reflected in our production environment. In addition, customers can request deletion of some or all data via email to support@quilt.app. All of that customer's data will be deleted within 30 days and will be confirmed via email.

The data is stored in a vector database hosted on GCP. The data center is ISO 27001 and SOC 2 compliant.