Trust

Security

Built into every layer of the architecture, not bolted on at the end.

AnswerVault is built for regulated organisations. Encryption at rest and in transit, per-tenant key isolation, full audit trail on every query, and a sovereign deployment tier outside US legal exposure.

Data encryption

  • In transit. All connections use TLS 1.3. Communication between internal services uses mutual TLS (mTLS).
  • At rest. All stored data is encrypted using AES-256-GCM. Encryption keys are managed through dedicated key management services and are never stored alongside the data they protect.
  • Credentials. OAuth tokens and authentication credentials are encrypted using AES-256-GCM with HKDF-derived per-tenant keys, ensuring full isolation between customers.

Authentication and access control

  • OAuth 2.0 with least-privilege scopes. The Service requests only the minimum read and search permissions needed to index the content you connect, never write, administrative, or elevated scopes. The OAuth consent screen on your document repository is the access-control gate: AnswerVault can only see what you grant during consent, and we ask you not to grant anything beyond what we request.
  • MFA. Multi-factor authentication for all user accounts.
  • RBAC. Role-based access control over AnswerVault administration: who in your tenant can connect sources, manage knowledge bases, and view audit logs.
  • Curated, admin-scoped knowledge: what answers can surface is determined at connection time by an admin, not inferred per-user from the source. Documents outside the curated set never enter retrieval. The flip side: anything an admin connects becomes retrievable by any Authorised User on the tenant, so choose what to connect with the same care you'd apply to any internal information-sharing decision.
  • Session management. Secure session handling with configurable timeouts and automatic expiry.

Multi-tenancy and isolation

AnswerVault is built as a multi-tenant platform with strict isolation between customers:

  • Each tenant's data is logically isolated at the database level.
  • Per-tenant encryption keys mean one customer's data cannot be decrypted with another's keys.
  • All queries are scoped to the authenticated tenant.
  • Audit logs are maintained per tenant.

For Enterprise customers requiring complete physical isolation, we offer dedicated single-tenant deployments, separate infrastructure, separate databases, and separate encryption with no shared components. Contact us to discuss your requirements.

Data residency and the CLOUD Act

The US CLOUD Act (2018) allows US authorities to compel US-headquartered cloud providers to produce customer data regardless of where it is physically hosted. In June 2025, Microsoft confirmed under oath to the French Senate that it cannot guarantee EU data on its infrastructure will never be accessed by US authorities.

AnswerVault resolves this architecturally:

  • All customer data is processed and stored in your selected data residency region (EU, UK, or US). Data does not flow between regions.
  • Standard and Business tiers run on hyperscaler infrastructure (AWS primary, with Microsoft Azure for AI inference via Azure OpenAI). These providers are US-headquartered, so the CLOUD Act framework above applies; this is mitigated by per-tenant encryption, contractual no-training and no-retention commitments with our AI subprocessors, and the regional data boundary, but it is not eliminated.
  • Business and Enterprise tiers offer explicit region selection (EU, UK, or US). Data residency settings apply to all processing, including AI inference.
  • Enterprise customers requiring full sovereignty can request a bespoke deployment configured to their requirements, including non-US-headquartered providers, dedicated infrastructure, and inference using sovereign-region or self-hosted models. Where required, this keeps all processing outside US legal exposure.

For organisations in government, financial services, healthcare, and legal sectors, this is not optional, it is a procurement requirement. AnswerVault is built to meet it. See our sovereignty topic guide for the deeper position.

Infrastructure

  • Cloud hosting. AWS and Azure for standard, Business, and Enterprise tiers. Enterprise sovereign deployments can be hosted on any provider the customer specifies (for example Hetzner, OVH, Scaleway). All infrastructure is managed through Terraform for consistency and auditability.
  • Network security. Services run in private networks with no direct internet access. External traffic passes through load balancers and firewalls.
  • Containerised workloads. Applications run in isolated containers on managed orchestration platforms.
  • Automated deployments. Infrastructure changes go through version-controlled, peer-reviewed pipelines.

AI and data processing

AnswerVault is retrieval-augmented, not training-based. We use AI to index your documents and to answer your queries, never to train or fine-tune models. You should know exactly what gets processed and where.

Where AI is used in the platform:

  • Document processing: parsing, chunking, and extracting entities from connected and uploaded documents.
  • Embedding generation: vector representations of document content for semantic search.
  • Query understanding: interpreting user queries to determine retrieval intent.
  • Retrieval and re-ranking: selecting and ordering the most relevant passages.
  • Response generation: grounded answers with citations from retrieved content.

What data AI processes: the content of your connected and uploaded documents, derived embeddings and metadata, user queries, retrieved context passed to the generation model, and the AI-generated outputs.

What we commit to:

  • AI inference runs on infrastructure inside your selected data residency region (EU, UK, or US).
  • We do not use Customer Data to train, fine-tune, or improve any foundation model.
  • We do not share Customer Data with any AI provider for their independent use.
  • AI subprocessors are contractually bound to process data only on our instructions and to not retain it beyond what is required to serve the request.
  • AI-generated responses are not retained beyond the session unless you save them.

A current list of AI subprocessors is available on request as part of our Data Processing Agreement.

AI inference provider. AnswerVault uses Microsoft Azure OpenAI Service for AI inference. Under Microsoft's enterprise contract, customer data is not used to train or improve OpenAI's foundation models, is not shared with OpenAI, and is not retained by the provider beyond the immediate request. Inference runs in the Azure region matching your data residency selection (EU, UK, or US).

AnswerVault is grounded in your connected documents, so the accuracy, currency, and fairness of the answers depend on the accuracy, currency, and fairness of the underlying documents. Treat AnswerVault as a retrieval surface over your existing content, not as a corrective layer.

Output handling

AnswerVault returns natural-language answers with citations to your source documents. The AI itself has no agency to take actions: it cannot access files, run commands, execute transactions, or modify systems, it can only return text. Outputs are intended for human review, not for automated execution. If you integrate through the API and route responses into downstream systems, treat each response as untrusted input. Do not auto-execute code, SQL, shell commands, or HTML/script content from a response without sanitising and reviewing it. The detailed contractual position is in section 3.6 of the terms of service.

Audit logging

A complete audit trail is maintained for all significant actions, including:

  • User authentication events (login, logout, failed attempts).
  • Document access and queries.
  • Configuration changes.
  • Administrative actions.

Compliance

  • GDPR. Fully compliant with the General Data Protection Regulation. See our Privacy Policy for details on how we handle personal data.
  • ISO 27001. Our information security management practices align with ISO 27001 standards.
  • ISO 42001. AI management system certification is underway.
  • G-Cloud. Listed on the UK Government's G-Cloud framework for public sector procurement.
  • Data Processing Agreements. Available for all paid tiers upon request.

Responsible disclosure

If you discover a security vulnerability, please report it responsibly by emailing hello@answervault.ai. We take all reports seriously and will respond promptly.

Questions

If you have questions about our security practices, please contact us at hello@answervault.ai.