Trust Center

Everything a security review needs

Our compliance status, who processes your data, how long we keep it, and how to get a DPA or a completed questionnaire — without scheduling a call.

Compliance & controls

We publish this list honestly — including what isn't done yet. Nothing below is marked complete unless it is actually live in the product today.

Available

Encryption in transit (TLS)

All connections served over HTTPS/TLS.

Available

Encryption at rest (AES-256)

Documents stored in AWS S3 with server-side AES-256.

Available

Tenant isolation

Dedicated per-organization indices and compute.

Available

Permission-aware search (fail-closed)

Results withheld when ACLs can't be verified.

Available

SSO — OIDC & SAML (signature-verified)

Plus SCIM 2.0 provisioning.

Available

GDPR-aligned Data Processing Agreement

Available on request.

In progress

SOC 2 Type I (Security + Confidentiality)

Readiness underway; report targeted, not yet issued.

In progress

Tamper-evident audit logging

Being built across authentication and admin actions.

In progress

AI subprocessor data-processing agreements

Zero-retention terms being finalized with providers.

Planned

Multi-factor authentication

On the near-term roadmap.

Planned

Independent penetration test

Planned alongside SOC 2.

Subprocessors

These third parties may process customer data to deliver Indexara. AI providers receive document content only for the features you actively use (OCR, entity extraction, chat). If your policies prohibit sending content to third-party AI, contact us about bring-your-own-key and reduced-processing options.

SubprocessorPurposeDataRegion
Amazon Web ServicesHosting, compute, and storage (ECS, S3, EFS)All customer content and metadataUS (us-east-1)
StripeSubscription billing and paymentsBilling contact & subscription status — no document contentUS / Global
OpenAIOCR of scanned pages, entity extraction, chat answersDocument content for features you invokeUS
AnthropicEntity extraction and chat answersDocument content for features you invokeUS
Google (Gemini)Chat answers (when selected)Document content for queries you runUS
xAI (Grok)Chat answers (when selected)Document content for queries you runUS
Email delivery (SMTP)Transactional notificationsEmail addresses and message contentUS

We notify customers of material changes to this list. Last updated 2026-07-13.

Retention & deletion

You control your data. Delete any document or collection from the app at any time — this removes the source file and its indexed content. To delete your entire organization and all associated data, email privacy@indexara.ai and we will remove it. We retain content only while your account is active.

Data ownership

Your documents remain yours. They are isolated per organization, never shared across customers, and never used to train or fine-tune AI models — ours or our providers'. Export your content at any time.

Documentation & requests

Data Processing Agreement

GDPR-aligned DPA available on request.

Request DPA

Security questionnaire

Completed CAIQ / SIG-Lite available on request.

Request questionnaire

Security overview

How we protect data, end to end.

Read the security page

Security contact

Questions, DPA requests, or vulnerability reports — reach the security team directly.

security@indexara.ai