WithoutAsking

Security & Trust

How we protect your business documents

You're trusting us with your team's internal documents — SOPs, policies, handbooks, operational procedures. We take that seriously. This page explains exactly what happens to your data, who can see it, and what we do to keep it safe. No jargon, no hand-waving.

The short version

  • ✅ Your documents are encrypted at rest and in transit
  • ✅ Your data is completely isolated — no other customer can ever access it
  • ✅ We never sell your data or share it with advertisers
  • ✅ Your documents are never used to train AI models
  • ✅ When you delete something, it's actually deleted — files, text chunks, embeddings, all of it
  • ✅ All connections are encrypted via HTTPS (enforced at the domain level)

Your documents are private to your organization

Every piece of data in WithoutAsking is scoped to your organization. Your documents, your team's questions, and the AI's answers are only accessible by people you've invited to your team. No other customer, and no one at WithoutAsking, can see your content.

This isn't just an application-level rule — it's enforced at the database level using Row-Level Security (RLS) policies. Even if there were a bug in our code, the database itself would prevent cross-organization data access.

What happens when you upload a document

When you upload a PDF, Word file, or text document, here's exactly what happens:

  1. The file is stored in encrypted cloud storage, in a path unique to your organization. No other org can access this path.
  2. Text is extracted from the document on our servers. We pull out the readable text content.
  3. The text is split into small chunks (roughly paragraph-sized). This is how the AI finds the right section to answer a question.
  4. Each chunk is sent to OpenAI to create a mathematical representation (called an “embedding”) used for search. OpenAI processes this data under their API terms — they do not store it or use it to train their models.
  5. The chunks and their embeddings are stored in our database, tagged to your organization only.

Your original file, the extracted text, and the embeddings are all private to your organization at every step.

What happens when someone asks a question

  1. The question is converted into an embedding (same process as above, via OpenAI).
  2. We search your organization's chunks — and only yours — for the most relevant sections.
  3. The relevant chunks and the question are sent to Anthropic's Claude AI to generate an answer.
  4. The answer is streamed back to the user, along with which document(s) it came from.

At no point does the AI see documents from any other organization. The AI is instructed to answer only from the provided context — not from general knowledge. Anthropic processes this data under their API terms and does not use it to train their models.

What we don't do

When you delete, it's gone

When you delete a document from WithoutAsking, we remove everything associated with it: the original file from storage, every text chunk extracted from it, and all the embeddings generated from it. It's not archived or soft-deleted — it's removed from our systems.

If you delete your entire account, all your data — documents, chunks, embeddings, query history, team member records — is deleted within 30 days.
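The organization isolation enforced with RLS (described under "Your documents are private to your organization"), the org-scoped search in the question flow, and the full removal of chunks and embeddings on delete can all be expressed in Postgres, which is what Supabase runs. The following is an added illustration, not WithoutAsking's actual schema or policies; it assumes the pgvector extension, a memberships table linking users to organizations, Supabase's auth.uid() helper, and 1536-dimensional embeddings.

```sql
-- Added example, not WithoutAsking's schema. Assumes pgvector, Supabase's
-- auth.uid() helper, and 1536-dimensional embeddings.
create extension if not exists vector;
create table memberships (              -- which users belong to which org
  user_id uuid not null,                -- the Supabase auth user id
  org_id  uuid not null,
  role    text not null check (role in ('admin', 'member')),
  primary key (user_id, org_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  org_id       uuid not null,
  storage_path text not null            -- e.g. '<org_id>/<file>' in the bucket
);

create table chunks (
  id        bigserial primary key,
  doc_id    uuid not null references documents(id) on delete cascade,
  org_id    uuid not null,              -- copied from the document so policies stay simple
  content   text not null,
  embedding vector(1536)
);

-- Deny by default: once RLS is enabled, a table returns no rows unless a policy allows them.
alter table documents enable row level security;
alter table chunks    enable row level security;

-- Reads: a row is visible only to members of its organization.
create policy org_read_documents on documents for select
  using (org_id in (select org_id from memberships where user_id = auth.uid()));
create policy org_read_chunks on chunks for select
  using (org_id in (select org_id from memberships where user_id = auth.uid()));

-- Deletes: only an admin of the owning organization may remove a document.
create policy admin_delete_documents on documents for delete
  using (org_id in (select org_id from memberships
                    where user_id = auth.uid() and role = 'admin'));

-- Retrieval for a question ($1 = question embedding, $2 = caller's org id).
-- The explicit org filter is defence in depth; RLS hides other orgs' rows regardless.
select id, doc_id, content
from chunks
where org_id = $2
order by embedding <=> $1::vector
limit 5;

-- Deleting a document cascades to its chunks, so the embeddings go with it.
delete from documents where id = $3;
```

RLS only applies to queries run as an ordinary database role; a connection using the table owner or Supabase's service-role key bypasses these policies, so that key must stay server-side and never reach the client. Cascaded deletes run as referential-integrity actions, which bypass RLS, so the chunks are removed even though the caller has no delete policy on the chunks table.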

Where your data lives

WithoutAsking runs on Supabase (built on AWS infrastructure) for database, authentication, and file storage. The application is hosted on Vercel. Both providers offer industry-standard security practices including encryption at rest and in transit, SOC 2 compliance, and regular security audits.

All data is stored in US-based data centers. All connections use HTTPS. This is enforced at the domain level: the entire .app top-level domain is on the browser HSTS preload list, so browsers refuse to connect to it over plain HTTP, with no exceptions.

Authentication & access control

Authentication is handled by Supabase Auth. Passwords are hashed using bcrypt — we never store or see your plaintext password. Sessions use secure, httpOnly cookies.

Team access is role-based: Admins can upload documents, manage team members, and view usage. Members can only ask questions and see answers. Role enforcement happens server-side — not just in the UI.

AI safety

The AI is configured to answer strictly from your uploaded documents. It will not make up information, search the internet, or draw from general knowledge. If it can't find a relevant answer in your docs, it says so — it doesn't guess.

We use clear boundaries between system instructions and user input to defend against prompt injection. The AI cannot be tricked into revealing your raw document content, system prompts, or another organization's data.

Cost controls & rate limits

Every query follows a single-pass flow: one search, one AI call, one answer. There are no loops, no retries, and no autonomous behavior. This keeps costs predictable for us and ensures predictable performance for you. Rate limits are enforced per user and per organization to prevent abuse.

Questions?

If you have any questions about how we handle your data, please contact us at support@withoutasking.app. We're happy to answer anything — security shouldn't be a black box.

For full details on data collection and processing, see our Privacy Policy.