AskVault security and data-protection overview

Written by Aashiq, Founder, AskVault · Reviewed by Aashiq

Last updated: May 15, 2026 · 6 min read

TL;DR

AskVault runs on SOC 2 Type II certified database and compute infrastructure, with AES-256 at rest, TLS 1.3 in transit, daily backups, IP allow-listing, audit logs, and HIPAA-eligible BAA available on Enterprise. Every workspace is data-isolated by hard predicate enforcement, never shared.

Security posture at a glance

AskVault is built for B2B SaaS customers who handle real business data: support transcripts, internal documentation, customer PII. The platform was architected against SOC 2 Type II controls from day one, with a company-level audit in progress. The infrastructure-level controls are already certified by our hosting providers.

The short version: encryption everywhere, isolation by design, audited code paths for every data-touching operation, and an explicit incident-response policy. Customer data is never used to train AI models. It's never shared between workspaces. It's deletable within 60 minutes of a written request.

Layer	Protection	Status
Data at rest	AES-256 disk encryption	SOC 2 Type II certified infrastructure
Data at rest (cache/queue)	AES-256 disk encryption	SOC 2 Type II certified infrastructure
Data in transit	TLS 1.3 (TLS 1.2 minimum)	Public certificates
Compute isolation	Process per workspace operation	SOC 2 Type II certified hosting
Network	DDoS protection + WAF	SOC 2 Type II certified edge
Backups	Daily full + continuous WAL	30-day retention
Key management	Environment-variable secrets, never logged	Audited
Audit logs	Immutable, per-workspace	Retained 365 days
SSO/SAML	Workforce IdP integration	Enterprise
BAA (HIPAA)	Eligible on Enterprise contract	Enterprise

How multi-tenancy is enforced

AskVault is multi-tenant. Many workspaces share the same database and the same vector index. Cross-workspace data leakage is the single biggest risk in multi-tenant AI, so we've engineered four layers of defense.

Layer 1: database-level predicate. Every SQL query that touches customer data has WHERE workspace_id = :ws_id in its predicate, enforced by the ORM. Reviewed in code review. Untestable code paths trigger CI alerts.

Layer 2: per-workspace vector partition. Every vector retrieval is partitioned by workspace at the index level. A retrieval query for workspace A cannot match vectors from workspace B because they live in different index partitions.

Layer 3: per-workspace API key scoping. Every API key is bound to one workspace at creation time. The API enforces this at request time: a key from workspace A returning workspace B's data is impossible by design. The endpoint reads workspace_id from the API key, not from the request body.

Layer 4: random per-workspace UUIDs. Every workspace, document, chunk, conversation, and message uses a cryptographically random 128-bit identifier. Never sequential integers.

The architecture is designed so cross-workspace leakage is extremely hard to introduce. Workspace identity flows through every data-touching code path as a first-class context value, and code review enforces it. Any security incident would be disclosed under the policy described in the Incident-response policy section below.

Encryption at rest

All customer data (documents, embeddings, conversations, leads, audit logs) is stored on AES-256 encrypted disks. Encryption is provider-managed and SOC 2 Type II certified, which means encryption keys are rotated and access-logged independently of AskVault.

Customer-uploaded files (PDFs, DOCX, etc.) are NOT stored long-term. The ingestion pipeline reads each file, extracts the text, generates embeddings, and discards the source file within 10 minutes. Only the parsed text and embeddings remain in storage. This significantly reduces the data-at-rest surface.

Encryption in transit

Every connection to AskVault uses TLS 1.3 (TLS 1.2 minimum, no SSLv3 or TLS 1.0/1.1). TLS terminates at our edge with HTTP Strict Transport Security (HSTS) + preload, so browsers refuse to connect over HTTP after the first visit. Internal traffic between application workers and the database travels over private TLS-encrypted tunnels.

API keys (ak_xxx) are transmitted as Bearer tokens over HTTPS. We store only the SHA-256 hash; the original key is never retrievable after generation. If you lose a key, generate a new one in the dashboard. The old key remains revocable.

Audit logs and access controls

Every state-changing operation is logged to an immutable audit log with: the workspace ID, the acting user (or API key for programmatic calls), the action verb, the affected resource ID, the source IP (truncated to /24 for GDPR compliance), the user-agent string, and a UTC timestamp. Audit logs are append-only. No application code path has UPDATE or DELETE permission.

Customers can export audit logs via the dashboard's Activity Feed or programmatically via /api/conversations/\{id\}/audit-log. Logs are retained for 365 days; Enterprise customers can extend retention via contract.

Within a workspace, role-based access controls limit who can do what:

Role	Read content	Edit content	Manage channels	Manage billing	Manage team
Viewer	✓
Support	✓
Member	✓	✓
Admin	✓	✓	✓	✓	✓

Owners (the workspace creator) have Admin + workspace-deletion permission. SSO/SAML integration on the Enterprise plan lets you map IdP groups to AskVault roles automatically.

SOC 2 Type II posture

AskVault's infrastructure runs on SOC 2 Type II certified providers across three layers:

• Database and vector storage. SOC 2 Type II certified managed Postgres with native vector support. Audit report available on request under NDA.
• Application compute. SOC 2 Type II certified hosting. Horizontally-scaled worker fleet in the primary region, with regional alternatives available on Enterprise.
• Edge, DDoS, WAF, and DNS. SOC 2 Type II plus ISO 27001 certified edge provider.

The AskVault application layer is undergoing its own SOC 2 Type II audit covering Security, Availability, and Confidentiality. Customers requesting the in-progress letter of attestation can contact security@askvault.co.

Until the application-level audit completes, AskVault inherits the SOC 2 controls of its providers and operates under SOC 2-compatible internal policies. These are available on Enterprise contract under NDA.

HIPAA: when and how

AskVault's Enterprise plan supports HIPAA-eligible deployments. Our database provider offers BAA-eligible storage. AskVault Enterprise contracts include the signed BAA naming AskVault as a Business Associate.

HIPAA-eligible deployments require:

1. Enterprise plan with the HIPAA-BAA addendum signed by both parties.
2. Dedicated workspace isolated from non-PHI workspaces (default for HIPAA deployments).
3. PHI training for the customer's authorized users (what can and cannot be stored).
4. Logging and audit retention extended to 6 years (HIPAA minimum).

Customers in regulated industries (healthcare, fintech, legal) should contact sales@askvault.co before uploading PHI; we'll route you through the compliance onboarding. Do not upload PHI to a non-Enterprise workspace. The BAA does not cover it, and you'd be in violation of HIPAA.

GDPR: data deletion and export

AskVault is GDPR-aligned. Three customer rights are operationalized:

• Right to access (Article 15). Customers can export all workspace data via Dashboard > Settings > Export Data as a single zip file: documents, conversations, leads, audit logs.
• Right to erasure (Article 17). Customers can delete a workspace via Dashboard > Settings > Danger Zone > Delete Workspace. Cascade deletion runs immediately across documents, chunks, conversations, messages, leads, and audit logs. Backups are purged within 30 days per our retention policy.
• Right to data portability (Article 20). The exported zip is in standard formats: JSON for structured data, original file format for uploaded documents. You can move to a competitor without lock-in.

AskVault is a Data Processor; the customer is the Data Controller. The Data Processing Agreement is available on Growth+ plans and is part of the Enterprise contract by default.

AskVault vs other vendors

Many AI-chatbot vendors require a written email request and a 30-day SLA for GDPR deletion. AskVault's deletion is one click in the dashboard with cascade execution in under 10 seconds. We don't gate basic GDPR rights behind support tickets.

Penetration testing and vulnerability disclosure

AskVault contracts annual third-party penetration tests by a CREST-certified security firm. The latest test (2026-Q1) covered: API authentication and authorization, multi-tenant isolation, injection attacks (SQL, LDAP, command), XSS, CSRF, session management, file-upload handling, and DoS resilience. Findings: 2 medium-severity issues (both fixed and re-tested within 14 days), 0 high or critical.

We operate a public vulnerability-disclosure policy at askvault.co/security. Reports go to security@askvault.co (PGP key published). We respond within 1 business day, fix critical issues within 7 days, and credit researchers in our public hall of fame. We do not offer cash bounties at this scale; we do offer AskVault swag and an Enterprise plan for the researcher's preferred non-profit.

Incident-response policy

We follow a documented incident-response runbook:

1. Detect. Monitoring and alerting catch latency, error rate, and anomalous queries.
2. Triage. On-call engineer pages within 5 minutes. Severity is assigned (P0 to P3).
3. Contain. For P0/P1, an immediate kill-switch goes on the affected feature. Status page is updated.
4. Notify. Affected customers are notified within 24 hours of any confirmed breach.
5. Eradicate and recover. Root-cause fix, redeploy, verify.
6. Postmortem. Written within 14 days. Shared with affected customers on Enterprise plans.

Status page: status.askvault.co (incidents, scheduled maintenance, uptime history).

Frequently asked questions

Does AskVault use customer data to train AI models?

No. Customer-uploaded content, customer conversations, and customer queries are NEVER used to train AskVault's models or any upstream LLM provider's models. We contractually opt out of training pipelines with every LLM provider AskVault uses, via each provider's data-processing terms. The opt-outs are audited annually.

Where is my data stored?

The primary region is in Asia-Pacific. Backups are replicated within the primary region's geographic boundary. Enterprise customers can request alternative regions (including EU and US) under contract.

Can I bring my own encryption keys (BYOK)?

Not at the database layer. Those keys are managed by our SOC 2 Type II certified storage provider. For sensitive workspaces, the BYOK Scraper feature on Business+ lets you bring your own premium-scraper API key, so AskVault never sees the raw third-party scrape output. For end-to-end customer-managed encryption keys, contact sales@askvault.co. This is available on Enterprise contracts subject to a scoping conversation.

How fast is data deleted after a workspace is deleted?

Active database rows: within 10 seconds. Backups: within 30 days per our provider's retention policy. Search indexes: within 5 minutes (we rebuild them after the cascade). After 30 days, the data is permanently unrecoverable.

Are you ISO 27001 certified?

Not currently. ISO 27001 is on the roadmap. The SOC 2 Type II application-level audit is the immediate priority for compliance-conscious B2B customers. Contact security@askvault.co for current status.

What's your uptime SLA?

99.5% uptime on Starter and Growth (publicly committed at askvault.co/sla). 99.9% on Business. 99.95% on Enterprise with credits per the SLA contract. Status history at status.askvault.co.

Related resources

• SOC 2 Type II posture in detail
• HIPAA: when AskVault can store PHI
• GDPR: data deletion and export
• Sub-processor list
• Incident-response policy
• SLA breakdown per plan
• Data Processing Agreement (DPA)
• Public vulnerability-disclosure policy

Talk to our compliance team

We can sign DPA, support BAA, and configure SSO for Enterprise contracts.

Talk to sales → View pricing

Was this page helpful? Yes No