Indexara ingests your contracts, recordings, and internal knowledge. Here is exactly how that data is protected — and, honestly, what we're still building.
All traffic is served over HTTPS/TLS. Documents are stored in AWS S3 with AES-256 server-side encryption, and workspace volumes use encrypted-in-transit EFS mounts.
Every organization runs in its own workspace with dedicated search indices and dedicated compute. There is no shared data layer — your corpus is architecturally separated from every other customer's.
Search results honor per-document access controls (ACLs). When permissions can't be verified, results are withheld rather than shown — the system fails closed, never open.
OIDC and SAML single sign-on with full signature verification against your identity provider, plus SCIM 2.0 for automated user and group provisioning.
OAuth tokens for connected sources (Google Drive, Slack, Confluence, Jira, Salesforce) are encrypted at rest. We request the minimum scopes needed to sync your content.
Documents are processed only to build your index and answer your queries. They are never used to train or fine-tune any AI model, and never shared across organizations.
Billing runs on Stripe (PCI DSS Level 1). Card details never touch our servers — we only store a customer reference and subscription status.
Hosted on AWS in us-east-1 using ECS Fargate, S3, and EFS. Workspaces are provisioned on demand and torn down when idle, reducing exposure.
You upload files or connect a source. Content is transferred over TLS and stored in your organization's encrypted S3 space.
Files are parsed, transcribed (audio/video), OCR'd (scans), chunked, and embedded inside your organization's dedicated workspace — never a shared pipeline.
Search indices (keyword + vector) live on encrypted per-org storage. One tenant can never query another tenant's index.
Every query is authenticated and filtered against document ACLs before results are returned. If access can't be verified, results are withheld.
Certain features (OCR, entity extraction, chat) send content to third-party AI providers. See the Trust Center for the full subprocessor list.
Changes are reviewed before release. Dependencies are tracked for known vulnerabilities, and security-relevant fixes are prioritized. We are formalizing this into a documented SDLC as part of our SOC 2 work.
Found something? Email security@indexara.ai. We investigate all good-faith reports and will not pursue legal action against researchers who act responsibly and avoid privacy violations or data destruction.
The Trust Center has our subprocessor list, data-handling practices, compliance roadmap, and how to request a DPA or a completed security questionnaire.
Open the Trust Center