Security at Indexara

Built to index your most sensitive documents

Indexara ingests your contracts, recordings, and internal knowledge. Here is exactly how that data is protected — and, honestly, what we're still building.

Encrypted in transit and at rest

All traffic is served over HTTPS/TLS. Documents are stored in AWS S3 with AES-256 server-side encryption, and workspace volumes use encrypted-in-transit EFS mounts.

Isolated per organization

Every organization runs in its own workspace with dedicated search indices and dedicated compute. There is no shared data layer — your corpus is architecturally separated from every other customer's.

Permission-aware search

Search results honor per-document access controls (ACLs). When permissions can't be verified, results are withheld rather than shown — the system fails closed, never open.

Enterprise SSO, cryptographically verified

OIDC and SAML single sign-on with full signature verification against your identity provider, plus SCIM 2.0 for automated user and group provisioning.

Encrypted connector credentials

OAuth tokens for connected sources (Google Drive, Slack, Confluence, Jira, Salesforce) are encrypted at rest. We request the minimum scopes needed to sync your content.

Your data is never used to train models

Documents are processed only to build your index and answer your queries. They are never used to train or fine-tune any AI model, and never shared across organizations.

Payments handled by Stripe

Billing runs on Stripe (PCI DSS Level 1). Card details never touch our servers — we only store a customer reference and subscription status.

Hardened AWS infrastructure

Hosted on AWS in us-east-1 using ECS Fargate, S3, and EFS. Workspaces are provisioned on demand and torn down when idle, reducing exposure.

How your data flows

1

Ingest over TLS

You upload files or connect a source. Content is transferred over TLS and stored in your organization's encrypted S3 space.

2

Process in isolation

Files are parsed, transcribed (audio/video), OCR'd (scans), chunked, and embedded inside your organization's dedicated workspace — never a shared pipeline.

3

Index privately

Search indices (keyword + vector) live on encrypted per-org storage. One tenant can never query another tenant's index.

4

Retrieve with permission checks

Every query is authenticated and filtered against document ACLs before results are returned. If access can't be verified, results are withheld.

Certain features (OCR, entity extraction, chat) send content to third-party AI providers. See the Trust Center for the full subprocessor list.

Secure development

Changes are reviewed before release. Dependencies are tracked for known vulnerabilities, and security-relevant fixes are prioritized. We are formalizing this into a documented SDLC as part of our SOC 2 work.

Responsible disclosure

Found something? Email security@indexara.ai. We investigate all good-faith reports and will not pursue legal action against researchers who act responsibly and avoid privacy violations or data destruction.

Reviewing Indexara for your team?

The Trust Center has our subprocessor list, data-handling practices, compliance roadmap, and how to request a DPA or a completed security questionnaire.

Open the Trust Center