Security

Security and data privacy

Written answers to the questions your IT and security team will ask when your team starts using Pixel Office. No embellishment — just the facts.

1. Where is your data stored?

Persistent data — Neon Postgres (EU)

Your office data (briefs, chats, documents, memory records) lives in a Neon Postgres + pgvector database hosted in the EU.

Application — Railway (API) + Vercel (web)

Our API runs on Railway and the web front-end on Vercel (US-based providers). Data passes through these servers during processing; the database above is the persistent store.

Analytics — PostHog (EU, consent-gated)

Product analytics is hosted on PostHog’s EU servers, gated behind your cookie consent, and typed text is masked before collection — a KVKK-compliant setup.

International transfer framework

Transfers outside Turkey happen under Article 9 of the Turkish KVKK and Standard Contractual Clauses (SCCs). The full provider list is in the sub-processor table below.

2. Tenant isolation and encryption

  • Office (tenant) isolation

    Every office is a separate tenant; all queries are scoped by tenant ID at the application layer. On the most sensitive tables — the knowledge pool (uploaded document chunks) and office memory — Postgres Row-Level Security (RLS) is additionally enforced at the database level (FORCE ROW LEVEL SECURITY): one tenant’s query cannot reach another tenant’s rows, enforced by the database engine itself.

  • In transit

    HTTPS is enforced everywhere (HSTS active); database connections use TLS (sslmode=require).

  • At rest

    Our database and hosting providers apply disk-level encryption (provider-level at-rest encryption).

  • Integration credentials

    OAuth tokens for accounts you connect (Google, Slack, etc.) are stored Fernet-encrypted in the database, decrypted only for the specific tool call, and never logged in plaintext. Production refuses to boot without the encryption key configured.

3. AI data policy

Your data is not used to train AI models.

This commitment rests on the commercial API terms of our model providers: inputs and outputs sent through the API are not used to train their models. Pixel Office does not train its own models on user data either — the only exception is aggregated, anonymised usage metrics (e.g. which Pixmate gets hired most).

What goes to the model

  • Your brief text and chat history
  • Relevant excerpts from documents you upload (knowledge search)
  • Office memory records (your preferences, prior decisions)
  • Data fetched from connected tools at request time (e.g. calendar slots) — transiently, to produce the response

What never goes to the model

  • Payment/card details — card data is never held in our systems; the Merchant of Record (Whop) processes payment
  • Passwords and credentials — authentication happens at Clerk
  • Your OAuth tokens — tool calls run server-side; tokens are never placed into prompts

Our primary model provider is Anthropic (Claude). During outages we fail over to Google Gemini; DeepSeek may be used for cost routing on specific task types, and OpenAI as the last hop of the fallback chain. LLM call traces are kept solely for internal quality and debugging in EU-hosted Langfuse Cloud; they are never shared with third parties or used for marketing.

4. Sub-processor list

The providers we use to deliver the service and what each one does. No provider uses your data for its own marketing. This page is updated when the list changes.

ProviderPurposeRegion
Anthropic (Claude)Primary AI model inference (Pixmate responses)US
Google (Gemini)Fallback AI model — takes over during primary-provider outagesUS
OpenAIReserve AI model (last hop of the fallback chain)US
DeepSeekMay be used for AI inference on specific task types (cost routing)China-based provider
Voyage AIEmbeddings for uploaded documents/text (knowledge search)US
RailwayAPI hosting (application server, background jobs)US
VercelWeb front-end hostingUS
NeonPostgres database + pgvector (persistent data store)EU
ClerkAuthentication (sessions, passwords, SSO connections)US
WhopPayment processing — Merchant of Record; card data lives only at WhopUS
PostHogProduct analytics — EU servers, consent-gated, typed text maskedEU
SentryError monitoring (crash reports, performance)US
Langfuse CloudLLM call traces — internal quality/debugging onlyEU
ResendTransactional email (invites, billing notices)US

5. Access control and SSO

  • Roles (RBAC)

    Every office is multi-user with four roles: owner (full control including deletion + billing), admin (member management + settings), editor (running briefs + uploading documents), viewer (read-only). Members join via email invite; invite links are time-limited and single-use, and roles can be changed later.

  • Enterprise SSO (SAML / OIDC)

    We support SAML 2.0 and OIDC-based enterprise SSO — including Microsoft Entra ID, Okta and Google Workspace. Setup takes about 15 minutes on the IdP side; existing user accounts link to SSO via email match with no data loss. To enable it for your team, write to: alperen@pixel-office.com

  • MFA / 2FA

    For teams on SSO, your MFA and Conditional Access policies apply unchanged — authentication happens entirely at your IdP. For password users, optional 2FA (TOTP) is available via Clerk.

  • Sessions

    Session JWTs are short-lived and refreshed per request; a revoked session cannot obtain new tokens. A user disabled at your IdP can no longer start new sessions.

6. Data rights

  • Account deletion — self-serve

    You can delete your account yourself via Profile → Danger Zone. Deletion is immediate: offices you solely own and everything in them (briefs, output, documents, integration tokens) are permanently deleted. Full removal from backups can take up to 90 days due to rolling backup retention.

  • Deleting memory records

    Office memory records can be viewed and permanently deleted one by one (irreversible hard delete).

  • KVKK / GDPR requests

    For access, correction, deletion and objection requests: alperen@pixel-office.com — we respond within 30 days. Details: KVKK Disclosure · Privacy Policy

7. Our compliance posture — the honest version

  • KVKK + GDPR: We are a Turkish-incorporated company and comply with KVKK for every user. International transfers happen under SCCs and Article 9 of KVKK.
  • SOC 2 / ISO 27001: We do not hold these certifications yet. They are on our roadmap; we plan to start the process alongside our first corporate teams. This page + our DPA is our written security posture today.
  • DPA: We can sign a Data Processing Agreement (DPA) with teams that need one — request a DPA.
  • Support: Support is provided during business hours (Istanbul, GMT+3) on a best-effort basis. We do not offer a contractual SLA; our MSA draft explicitly labels response targets as goals, not commitments.
  • Security reports: If you believe you found a vulnerability: alperen@pixel-office.com

Start Pixel Office for your team

No sales call needed — set up your office and invite your team. If your IT team wants to review this page and our DPA, we are ready.