← GAAP IQ
Trust & Security

Built for confidential work

GAAP IQ handles draft agreements, unreleased filings, and pre-decision accounting positions. Everything below is enforced in code or infrastructure — not just policy — and we only publish a claim after the behavior behind it ships.

Segregated

Your content is isolated to your account and never appears on any internal surface.

  • Every request is scoped to your account with ownership checks — other users get a 404, not your data.
  • Our admin and operations tools show counts, timestamps, and system health only. No screen we operate displays your documents, questions, memos, or titles.
  • Nothing you write or upload appears in our application logs.
Encrypted

Encrypted at rest and in transit, including backups.

  • Database encrypted at rest with AES-256 — primary, replicas, and backups.
  • TLS for everything in transit: your browser to us, and us to every provider we use.
Never trained, never retained

Your content is never used to train AI models, and the AI providers we route to don't keep it.

  • Every AI request carries a zero-data-retention constraint enforced in our code — it can only route to endpoints that don't store prompts and don't collect data. This isn't a dashboard setting that can drift; it's on every call.
  • Our account-level provider settings independently block training-permitted routing.
  • We never train models on your content, full stop.
Uploads delete themselves

Documents you upload are processed for your session and automatically deleted 24 hours later.

  • A sweeper removes uploaded documents — including every derived search index entry — 24 hours after upload.
  • Every uploaded document has a delete-now control if you don't want to wait.
  • Content you create (memos, research threads, policies, schedules) persists until you delete it — that's your work product.

Who touches your data

A deliberately short list, each provider only for its function:

ProviderRoleData posture
AI model providersAI model inference (research, memos, drafts)Zero-data-retention routing enforced in code on every request; no training on content. Provider list available on request.
RenderHosting and database (United States)AES-256 at rest, TLS in transit
StripePaymentsWe never see or store card numbers
GoogleSign-in (only if you choose it)Name, email, profile photo only
ResendTransactional email (password resets)Email address only — never content

What we don't do

Being precise about the boundary

To answer your questions, our systems necessarily read your content at runtime — retrieval searches it and the AI models process it to generate output. So we don't claim your content is invisible to processing; we claim, and enforce, that it isn't retained by AI providers, isn't used for training, isn't shown on any surface we operate, and — for uploads — is deleted within 24 hours. Deleted data can persist briefly in encrypted backups until they expire on their cycle.

Our controls are designed against SOC 2 criteria; a formal independent audit is on our roadmap. Security questions or disclosure requests: support@gaapiq.ai.