Skip to content
AiSU Strata
Back to Blog
Security

How We Handle Your Data (And Why We Don't Store It)

A technical overview of AiSU's transient processing architecture and what it means for your data security.

Christopher Kraus · CTO & Co-Founder6 min read
securityGDPRarchitectureprivacy

The Architecture Question

When IT directors evaluate AiSU, their first question is always: "Where does my data go?"

The answer is straightforward: your data doesn't go anywhere. AiSU uses transient processing — we access document content via OAuth at query time, process it to generate a response, and discard it. We don't maintain a persistent copy of your files.

How Transient Processing Works

When a user asks a question:

  1. Authentication — AiSU authenticates via OAuth 2.0 to the user's connected cloud providers (Google Workspace, Microsoft 365)
  2. Retrieval — Our multi-stage retrieval pipeline identifies the most relevant documents across all connected sources
  3. Processing — Document content is processed to generate a cited response
  4. Citation — The response includes claim-level citations linking each statement to its source document
  5. Cleanup — Processed content is discarded after response generation

No document content is persistently stored on our servers. No data is used for model training. No content leaves the EU processing boundary.

What We Do Store

For transparency, here's exactly what we persist:

  • Connection metadata — Which cloud providers are connected (not the documents themselves)
  • Search indices — Lightweight vector embeddings for semantic search (not document content)
  • Audit logs — Who searched what, when (for compliance)
  • User accounts — Authentication and organisation membership

GDPR by Design

AiSU is headquartered in Finland and processes data within the EU. GDPR compliance isn't a feature we bolted on — it's built into the architecture:

  • Data minimisation — We store the minimum data required to function
  • Right to erasure — Disconnect your storage and all associated data is deleted
  • Data processing agreements — Available for all customers
  • Sub-processor documentation — Available on request

Per-Organisation Isolation

Every organisation in AiSU is fully isolated. Queries, connections, and search indices are scoped to the organisation and user. There is no cross-tenant data access, by design or by accident.

What This Means For Your Evaluation

If your IT director needs to answer "where does the data go?" — the answer is: it doesn't. AiSU processes your documents transiently and discards them. Your files stay in your cloud provider, under your control, at all times.

Back to all posts