Trust & Security

All customer data — workshop notes, requirements, templates, user accounts — is stored on Google Cloud Platform in the us-east1 (South Carolina, United States) region. This includes Cloud SQL (PostgreSQL) and Cloud Run compute. No data is replicated outside this region unless you request a custom data-processing arrangement.

Customers who need a different residency region or a written data-processing addendum can contact us — we provide a signed DPA with Standard Contractual Clauses (SCCs) and UK transfer terms on request. View our DPA.

• At rest: Google Cloud SQL encrypts all data at rest using AES-256 with Google-managed keys (CMEK available on request for Enterprise plans).
• In transit: All connections use TLS 1.2 minimum; TLS 1.3 is negotiated by default between clients and Cloud Run. HTTP Strict Transport Security (HSTS) is enforced on all public endpoints.
• Internal traffic: Cloud Run to Cloud SQL communication travels over a private VPC; no traffic leaves the GCP network unencrypted.

Exordia processes workshop notes through Google Vertex AI (Anthropic Claude and Google Gemini). That processing is transient: data is sent to the inference endpoint, the response is returned, and nothing is retained by the AI provider for training purposes. This is a contractual guarantee under Google's enterprise service agreements for Vertex AI.

Specifically: we use Vertex AI — not the consumer-facing Claude.ai or Gemini.google.com APIs — and Vertex AI's enterprise terms explicitly prohibit Google and Anthropic from using customer-submitted prompts or outputs to train or improve their foundation models.

All workshop notes, requirements, templates, and client data you create in Exordia belong to your organization. We process and store it on your behalf — we never claim ownership, never aggregate it across customers for training, and we never sell or share it with third parties.

Your data is yours to export at any time via Settings → Privacy → Export Data. The export is a complete JSON archive of your organization's projects, workshops, requirements, and templates.

Every query in Exordia is scoped to a single organization. The Prisma ORM client is extended at the database layer to automatically inject deletedAt: null on soft-delete models, and every server action gates on the authenticated user's organizationId before touching the database. Cross-organization reads are structurally impossible, not just policy-prohibited.

An ESLint rule (exordia/require-deleted-at-null) enforces the soft-delete filter at author time; violations are a build error. A recent internal security audit closed all 9 open findings against the query layer.

• Sign-in: Google OAuth 2.0 and Microsoft Entra ID (OIDC). No passwords are stored for production users — credentials live with your identity provider.
• Sessions: Auth.js v5 session cookies, signed and validated server-side on every request. Session state is never stored client-side in a form that can be tampered with.
• RBAC: Four roles — Owner, Admin, Editor, Viewer — enforced at the server action and API route level. Clients (external workshop participants) have a separate, narrowly-scoped role limited to viewing assigned projects.
• Admin access: Time-boxed temporary access grants (24-hour TTL) for support scenarios, with full audit trail for accountability and compliance.

• Automated daily backups: Cloud SQL performs automated backups daily. Production retains 30 daily backups; development retains 7.
• Point-in-time recovery (PITR): Enabled on production. You can restore to any second within the retention window.
• Recovery time: Cloud SQL restore from a recent backup typically completes in under 30 minutes for our database size. We do not publish a formal SLA for RPO/RTO; contact us if your contract requires one.
• Deletion protection: The production Cloud SQL instance has deletion_protection_enabled = true — it cannot be destroyed without an explicit override.

If you discover a security issue, report it to [email protected] (also listed in security.txt).

• Include: reproduction steps, affected endpoints, potential impact.
• Do not access data that is not yours, disrupt availability, or perform destructive testing.
• For confirmed security incidents affecting customer data, we commit to notification within 72 hours of discovery — consistent with GDPR Article 33 obligations.

AI sub-processors (Anthropic, Google Gemini) operate under Google Vertex AI enterprise service terms, which prohibit use of customer data for model training or improvement.

Exordia respects your rights under GDPR, CCPA, and other applicable privacy laws. You can:

• Request a full export of your organization's data (JSON format)
• Request deletion or anonymization of your data
• Access, correct, or restrict processing of personal data

Deletion and anonymization requests are fulfilled within 30 calendar days, subject to legal hold and platform-integrity requirements. See our Privacy Policy for the full policy, or our DPA for the contractual obligations around data processing.