Our compliance status, who processes your data, how long we keep it, and how to get a DPA or a completed questionnaire — without scheduling a call.
We publish this list honestly — including what isn't done yet. Nothing below is marked complete unless it is actually live in the product today.
Encryption in transit (TLS)
All connections served over HTTPS/TLS.
Encryption at rest (AES-256)
Documents stored in AWS S3 with server-side AES-256.
Tenant isolation
Dedicated per-organization indices and compute.
Permission-aware search (fail-closed)
Results withheld when ACLs can't be verified.
SSO — OIDC & SAML (signature-verified)
Plus SCIM 2.0 provisioning.
GDPR-aligned Data Processing Agreement
Available on request.
SOC 2 Type I (Security + Confidentiality)
Readiness underway; report targeted, not yet issued.
Tamper-evident audit logging
Being built across authentication and admin actions.
AI subprocessor data-processing agreements
Zero-retention terms being finalized with providers.
Multi-factor authentication
On the near-term roadmap.
Independent penetration test
Planned alongside SOC 2.
These third parties may process customer data to deliver Indexara. AI providers receive document content only for the features you actively use (OCR, entity extraction, chat). If your policies prohibit sending content to third-party AI, contact us about bring-your-own-key and reduced-processing options.
| Subprocessor | Purpose | Data | Region |
|---|---|---|---|
| Amazon Web Services | Hosting, compute, and storage (ECS, S3, EFS) | All customer content and metadata | US (us-east-1) |
| Stripe | Subscription billing and payments | Billing contact & subscription status — no document content | US / Global |
| OpenAI | OCR of scanned pages, entity extraction, chat answers | Document content for features you invoke | US |
| Anthropic | Entity extraction and chat answers | Document content for features you invoke | US |
| Google (Gemini) | Chat answers (when selected) | Document content for queries you run | US |
| xAI (Grok) | Chat answers (when selected) | Document content for queries you run | US |
| Email delivery (SMTP) | Transactional notifications | Email addresses and message content | US |
We notify customers of material changes to this list. Last updated 2026-07-13.
You control your data. Delete any document or collection from the app at any time — this removes the source file and its indexed content. To delete your entire organization and all associated data, email privacy@indexara.ai and we will remove it. We retain content only while your account is active.
Your documents remain yours. They are isolated per organization, never shared across customers, and never used to train or fine-tune AI models — ours or our providers'. Export your content at any time.
Questions, DPA requests, or vulnerability reports — reach the security team directly.
security@indexara.ai