Security and privacy
Data isolation
Section titled “Data isolation”Every customer project is served by a dedicated, isolated knowledge vault. Content from one customer is never indexed, retrieved or referenced in responses for another customer. This isolation is enforced at the infrastructure layer — not at the application layer — which means a bug in our code cannot accidentally cross the boundary.
Encryption
Section titled “Encryption”- In transit: TLS 1.2+ on every connection between users, the widget, our API, and our upstream providers.
- At rest: industry-standard encryption on all stored content.
- Secrets: never reach the browser. API keys live only on our backend, rotated through our deployment pipeline.
Authentication and access control
Section titled “Authentication and access control”- For your administrators: federated authentication with email/password and optional SSO. Role-based access inside your organization.
- For end users of the widget: no account required by default. The widget runs without cookies and does not track user identity beyond an anonymous session identifier.
- Internally: only engineers on active incident response have access to production data, scoped to the minimum necessary.
Widget isolation (on your site)
Section titled “Widget isolation (on your site)”The chat widget runs inside a sandboxed iframe served from a Vectorspace-controlled origin. Because of browser same-origin policy, the widget cannot read your page’s DOM, cookies, local storage or make authenticated requests on behalf of your users. Even if a vulnerability were discovered inside the widget, the blast radius is contained.
This is the same architectural pattern Stripe Elements, Intercom and Drift use. We layer strict Content Security Policy, sanitized rendering and origin-validated API calls on top.
AI providers — no training on your content
Section titled “AI providers — no training on your content”We use leading third-party language-model providers. Under the commercial API tiers we contract, your content is not used to train any model. This is a contractual guarantee at the API level, not a policy we enforce ourselves.
Compliance
Section titled “Compliance”- LGPD (Brazil): we comply with Law 13,709/2018. Every customer contract includes a signed Data Processing Agreement (DPA). Data-subject requests (access, correction, deletion, portability) are handled within legal timeframes. A Data Protection Officer is formally appointed — contact at hello@vectorspace.digital with subject line “LGPD”.
- GDPR (EU): for customers in the European Union, our processing aligns with GDPR requirements. Standard contractual clauses apply to international data transfers.
- Certifications: if your procurement process requires a specific attestation or certification, talk to us — we are happy to discuss what’s in scope for your evaluation and whether our current controls meet your requirements.
Subprocessors
Section titled “Subprocessors”Vectorspace relies on a short list of third-party providers for cloud hosting, managed databases, language models, transactional email, and messaging. The detailed list — with provider names, services and regions — is shared with customers upon formal request to the DPO. We do not publish it on the public website because it is part of our operational know-how.
Incident response
Section titled “Incident response”If a security incident involves your data, we notify you within 48 hours of becoming aware, with the information required by applicable law. We maintain a documented incident-response procedure covering detection, containment, communication, and post-incident analysis.
Responsible disclosure
Section titled “Responsible disclosure”If you believe you have found a security vulnerability, email hello@vectorspace.digital with “Security” in the subject line. We respond within one business day and credit researchers who help us improve.