Security & Trust
Your data is yours.
We never train on your data. We don't analyze it. We don't share it. It's used only to serve your requests.
Data Protection
- AES-256 encryption at rest via AWS KMS
- TLS 1.3 in transit
- Strict tenant isolation at the project and collection level
- Permanent deletion of indexes on request
Access Control
- API keys and role-based access control
- Production access is customer-approved and immutably logged
- SSO and SAML — on our roadmap
Compliance & Deployment
- SOC 2 Type II audit underway
- 34 AWS regions across North America, Europe, Asia, and the Middle East
- Customer-selected region at project creation — data stays in that region
- Dedicated VPC (BYOC) — available for enterprise on request
Compliance
Where we stand.
Honest status, not aspirational labels.
SOC 2 Type II
Audit underway
Subprocessors
List available on request
FAQ
Frequently asked.
- Do you train models on our data?
- No. Customer data is never used to train any model — there is no opt-out toggle to flip. It's the default.
- Can your team access our data?
- Production access requires explicit customer approval and is recorded in an immutable audit log. We do not access customer data outside of these controlled incident-response scenarios.
- What happens if a government asks for our data?
- We review every request through external counsel and challenge it where lawful. Where permitted, we notify the affected customer within 24 hours.
- When we delete data, is it really gone?
- Indexes are removed from production immediately on deletion. Backups follow a fixed retention cycle and are then permanently purged.
- Who holds the encryption keys?
- For standard plans, keys are managed by LambdaDB via AWS KMS. Bring-your-own-key (BYOK) is available for enterprise customers on request — when you hold the key, we cannot decrypt your data.
Have a security question?
Want to talk through isolation, region selection, or our SOC 2 status? We'll walk through it.