Persistent data — Neon Postgres (EU)
Your office data (briefs, chats, documents, memory records) lives in a Neon Postgres + pgvector database hosted in the EU.
Security
Written answers to the questions your IT and security team will ask when your team starts using Pixel Office. No embellishment — just the facts.
Your office data (briefs, chats, documents, memory records) lives in a Neon Postgres + pgvector database hosted in the EU.
Our API runs on Railway and the web front-end on Vercel (US-based providers). Data passes through these servers during processing; the database above is the persistent store.
Product analytics is hosted on PostHog’s EU servers, gated behind your cookie consent, and typed text is masked before collection — a KVKK-compliant setup.
Transfers outside Turkey happen under Article 9 of the Turkish KVKK and Standard Contractual Clauses (SCCs). The full provider list is in the sub-processor table below.
Every office is a separate tenant; all queries are scoped by tenant ID at the application layer. On the most sensitive tables — the knowledge pool (uploaded document chunks) and office memory — Postgres Row-Level Security (RLS) is additionally enforced at the database level (FORCE ROW LEVEL SECURITY): one tenant’s query cannot reach another tenant’s rows, enforced by the database engine itself.
HTTPS is enforced everywhere (HSTS active); database connections use TLS (sslmode=require).
Our database and hosting providers apply disk-level encryption (provider-level at-rest encryption).
OAuth tokens for accounts you connect (Google, Slack, etc.) are stored Fernet-encrypted in the database, decrypted only for the specific tool call, and never logged in plaintext. Production refuses to boot without the encryption key configured.
Your data is not used to train AI models.
This commitment rests on the commercial API terms of our model providers: inputs and outputs sent through the API are not used to train their models. Pixel Office does not train its own models on user data either — the only exception is aggregated, anonymised usage metrics (e.g. which Pixmate gets hired most).
Our primary model provider is Anthropic (Claude). During outages we fail over to Google Gemini; DeepSeek may be used for cost routing on specific task types, and OpenAI as the last hop of the fallback chain. LLM call traces are kept solely for internal quality and debugging in EU-hosted Langfuse Cloud; they are never shared with third parties or used for marketing.
The providers we use to deliver the service and what each one does. No provider uses your data for its own marketing. This page is updated when the list changes.
| Provider | Purpose | Region |
|---|---|---|
| Anthropic (Claude) | Primary AI model inference (Pixmate responses) | US |
| Google (Gemini) | Fallback AI model — takes over during primary-provider outages | US |
| OpenAI | Reserve AI model (last hop of the fallback chain) | US |
| DeepSeek | May be used for AI inference on specific task types (cost routing) | China-based provider |
| Voyage AI | Embeddings for uploaded documents/text (knowledge search) | US |
| Railway | API hosting (application server, background jobs) | US |
| Vercel | Web front-end hosting | US |
| Neon | Postgres database + pgvector (persistent data store) | EU |
| Clerk | Authentication (sessions, passwords, SSO connections) | US |
| Whop | Payment processing — Merchant of Record; card data lives only at Whop | US |
| PostHog | Product analytics — EU servers, consent-gated, typed text masked | EU |
| Sentry | Error monitoring (crash reports, performance) | US |
| Langfuse Cloud | LLM call traces — internal quality/debugging only | EU |
| Resend | Transactional email (invites, billing notices) | US |
Every office is multi-user with four roles: owner (full control including deletion + billing), admin (member management + settings), editor (running briefs + uploading documents), viewer (read-only). Members join via email invite; invite links are time-limited and single-use, and roles can be changed later.
We support SAML 2.0 and OIDC-based enterprise SSO — including Microsoft Entra ID, Okta and Google Workspace. Setup takes about 15 minutes on the IdP side; existing user accounts link to SSO via email match with no data loss. To enable it for your team, write to: alperen@pixel-office.com
For teams on SSO, your MFA and Conditional Access policies apply unchanged — authentication happens entirely at your IdP. For password users, optional 2FA (TOTP) is available via Clerk.
Session JWTs are short-lived and refreshed per request; a revoked session cannot obtain new tokens. A user disabled at your IdP can no longer start new sessions.
You can delete your account yourself via Profile → Danger Zone. Deletion is immediate: offices you solely own and everything in them (briefs, output, documents, integration tokens) are permanently deleted. Full removal from backups can take up to 90 days due to rolling backup retention.
Office memory records can be viewed and permanently deleted one by one (irreversible hard delete).
For access, correction, deletion and objection requests: alperen@pixel-office.com — we respond within 30 days. Details: KVKK Disclosure · Privacy Policy
Start Pixel Office for your team
No sales call needed — set up your office and invite your team. If your IT team wants to review this page and our DPA, we are ready.
We value your privacy
We use essential cookies to run the site and, with your consent, analytics cookies to understand how it's used. Learn more