Your data stays yours. Period.
Apart Intelligence is built from the ground up to protect your organization's knowledge. We never access, read, or use your data. Strict tenant isolation, encryption at rest, and GDPR compliance are not add-ons — they are the foundation.
Our security commitments
These are not aspirational goals. They are how the system works today.
No access to your data
Apart employees cannot read, browse, or query your knowledge graph. There is no admin backdoor. Your data is yours alone.
No training on your data
Your knowledge is never used to train models, improve our product, or feed any AI system. It is stored, served to you, and nothing else.
Data deletion on request
You can request deletion of your organization and all associated data. Deletion is permanent and irreversible with no retention.
Tenant isolation
Every API request is scoped to your organization at the database level. There is no way for one tenant to access another tenant's data.
Customer-managed encryption
PII is encrypted with your organization's own key using AES-256-GCM. Revoke the key, and the data becomes permanently unreadable.
GDPR compliant
Data processing agreements, right to deletion, data portability, and lawful basis documentation. Built for European data protection requirements.
Tenant isolation at every layer
Apart Intelligence enforces tenant boundaries at the database query level. Every read and write operation is automatically scoped to your organization. This is not application-level filtering that can be bypassed — it is enforced through database extensions that apply to every query, every time.
Nodes, edges, domains, workspaces, API keys, and configuration are all scoped to your organization. There is no shared data layer between tenants.
Database-level enforcement
Tenant scoping applied via ORM extensions on every query — not application middleware
Per-request authentication
API keys are hashed with SHA-256 and validated on every request
No cross-tenant references
Foreign keys and indexes enforce that data cannot reference another organization
Scoped to all data types
Nodes, edges, domains, workspaces, API keys, embeddings — everything is isolated
How PII encryption works
Detect
Content is scanned for PII patterns: emails, phone numbers, SSNs, credit cards, addresses, IP addresses
Encrypt
Each PII match is encrypted with AES-256-GCM using your organization's key and a unique initialization vector
Store
Encrypted tokens replace the original PII in storage. The original plaintext is never persisted
Search
Embeddings are generated from the original text before encryption, so semantic search still works
Encryption you control
PII is automatically detected and encrypted before it reaches storage. Your organization manages its own encryption key. Without the key, encrypted data is meaningless. Revoke the key and the data becomes permanently unreadable — even to us.
Organizations can configure PII handling per their needs: encrypt all detected PII, detect and warn without encrypting, or disable detection entirely. Per-request bypass is available for cases where PII storage is intentional, with bypass events flagged in node metadata.
Architecture built for security
Apart Intelligence runs as a stateless API service with no persistent servers that accumulate state or present a standing attack surface. Each request is authenticated, scoped to a tenant, and processed in isolation.
All connections are encrypted in transit. API keys are stored as SHA-256 hashes — plaintext keys are never persisted after initial generation.
Stateless compute
Containers spin up per request and terminate after — no persistent attack surface
Encrypted in transit
All API communication uses TLS. Database connections are encrypted end-to-end
Hashed API keys
API keys are SHA-256 hashed before storage. Plaintext keys exist only at generation time
Minimal surface area
No admin UI, no internal dashboards with customer data access. The API is the only entry point
Usage tracking
API key last-used timestamps are recorded. PII bypass is flagged in node metadata for review
GDPR compliance checklist
Lawful basis for processing
Legitimate interest and contractual necessity for knowledge management services
Right to erasure
Organizations can request deletion of all data. Deletion is complete and permanent
Data access
Read your knowledge graph data at any time via the API
Data minimization
We store only what you explicitly upload. No telemetry, no usage analytics on content
Purpose limitation
Data is used solely to provide the knowledge graph service. No secondary use, no sharing
Data processing agreement
Available on request for organizations that require formal DPA documentation
GDPR from day one
Apart Intelligence is designed with European data protection requirements built in, not bolted on. We process data under clear lawful bases, support the full range of data subject rights, and maintain documentation for regulatory accountability.
Your organization retains full ownership of all data uploaded to the knowledge graph. We act strictly as a data processor under your direction. No data is transferred to third parties except where explicitly configured by you (e.g., embedding providers you choose to connect).
You choose who processes your data
Semantic search requires generating vector embeddings from your text. By default, Apart Intelligence uses a managed embedding service. But if your security policy requires it, you can bring your own API key for OpenAI, Voyage, or any supported provider.
Your embedding API keys are encrypted at rest in our database. They are used only to generate embeddings for your content and are never logged or shared.
Bring your own key
Use your organization's own API key for embedding providers — full control over data flow
Encrypted key storage
Embedding API keys are encrypted at rest — never stored in plaintext
No vendor lock-in
Switch embedding providers at any time without losing your knowledge graph
Transparent data flow
You know exactly which services touch your data because you configure them yourself
Questions about security?
If your organization has specific security requirements, compliance questions, or needs a formal data processing agreement, reach out to us. We are happy to walk through our security architecture in detail.