Data Privacy
We prioritize data privacy with strict access controls and comprehensive encryption in our AWS environment. All data is encrypted both at rest and in transit, ensuring protection throughout its lifecycle. Only one authorized person in our company (CTO) has regular access to the AWS account, with Multi-Factor Authentication (MFA) required for all AWS Console access. In case of emergency, our CEO can also access the AWS Console, ensuring there is no single point of failure.
- Access Control: AWS account access is restricted to a single, trusted individual, and Multi-Factor Authentication (MFA) is required for all AWS Console access, adding an extra layer of security.
- Secrets Management: Sensitive information, such as database credentials, is securely managed with AWS Secrets Manager, accessible only by the authorized person (CTO).
- Monitoring: System logs are sent to AWS CloudWatch with alerting enabled, ensuring we are notified of any unusual activity in real time.
Data Access
There is no external SSH access to our EC2 instances, further limiting access to production environments. All resources are managed centrally with a single point of control.
Data Residency
All data is stored within the AWS eu-central-1 region (Frankfurt), keeping data within the European Union to align with EU residency requirements.
Data Storage
Data is securely stored using Amazon RDS and Amazon S3, with encryption in place to protect data.
- Application Data: Stored in Amazon RDS (MySQL) with encryption at rest and in transit.
- File Storage: Files are stored in Amazon S3 with encryption at rest, accessible only to authorized users.
- Vector Storage: Processed pieces of information are stored in Qdrant, an open-source, self-hosted vector database.
Integrations
Google Drive Integration
Our integration with Google Drive enables seamless file access and synchronization while ensuring privacy and security:
- Authentication: We use Google’s OAuth 2.0 and Picker API, ensuring secure access only to the files and folders you explicitly choose to share with our app.
- File Processing: Retrieved files are indexed and securely stored in our self-hosted vector database, enabling advanced search and retrieval capabilities while maintaining full control over your data.
- Automatic Syncing: Changes in Google Drive are reflected in ydoca. Updates to files outside our app are synchronized, and deletions are mirrored to maintain consistency.
- Privacy and Security: File content is processed securely, with no third-party storage beyond Google Drive and our app. Any temporary data used during processing is deleted immediately.
Slack Integration
Our Slack AI Assistant is designed with privacy and security in mind:
- Limited Scope: The integration only operates in direct messages with users who explicitly engage with it. It does not have access to any channels, user information, or workspace data.
- Channel management: Ydoca requires permission to manage public channels.
- Minimal Data Collection: Only the messages directly sent to the AI assistant in private chats are processed. These messages are not stored permanently and are only used to generate responses.
- Secure Processing: Messages are processed through our secure infrastructure and LLM providers (as described in Section 6), with all communication encrypted in transit.
- Data Retention: Chat messages are only retained temporarily for the duration of the conversation session and are automatically deleted afterward.
- User Control: Users can delete their conversation history at any time, and the assistant can be disabled or removed from the workspace by workspace administrators.
- Compliance: The integration adheres to Slack's security requirements and our overall data privacy standards outlined in Section 1.
Additional Data Control and LLM Usage
We use a self-hosted Qdrant vector database to store data, and no other third-party services are involved, ensuring that data remains fully under our control. Additionally, for certain features, parts of data may be processed by large language model (LLM) providers, such as OpenAI or Anthropic. We use their business APIs with a Retrieval-Augmented Generation (RAG) mechanism, where data is temporarily provided in the context window (no fine-tuning), and no client data is permanently stored or used by LLM providers. This approach ensures that client data is safe and not used to train or improve the models.
https://openai.com/enterprise-privacy/
https://www.anthropic.com/legal/commercial-terms