Privacy & Data Isolation

Commercial real estate documents contain sensitive financial data, confidential deal terms, and proprietary market intelligence. Sevrel is architected from the ground up to keep your data secure and private.

AI Inference & Data Handling

Sevrel uses an enterprise AI provider with tiered model routing (fast, standard, and deep tiers). All requests are transmitted over TLS-encrypted connections. Our AI provider does not use Sevrel customer data to train its models, and prompts are not retained beyond the transient processing window.

Sensitive document content is sent to the model only when needed to answer a query. Sevrel does not copy or persist Egnyte files — only the specific excerpts needed for the current question are read, and they are scoped to the requesting user's organization.

Data flow:

Your browser → Sevrel API → Enterprise AI provider (TLS) → Response back to you

No training on customer data. Per-organization isolation enforced at every layer.

Tenant Data Isolation

Every organization on Sevrel operates in a completely isolated environment. When multiple organizations use Sevrel, their data is strictly separated:

  • Each organization's data is scoped by a unique tenant identifier
  • Every database query and API request is filtered by tenant — there is no way to query across organizations
  • PostgreSQL Row-Level Security (RLS) policies provide defense-in-depth at the database level, preventing cross-tenant data access even if application logic were bypassed
  • Egnyte connections are per-organization, with separate OAuth credentials
  • AI context windows contain only the requesting organization's documents
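
The tenant-scoped Row-Level Security pattern described in the list above, as an added example that is not Sevrel's own schema or code. The `documents` table, the `app_user` role, the `app.tenant_id` setting and the sample UUIDs are assumptions made for illustration.

```sql
-- Added illustration; hypothetical schema and names, not Sevrel's.
CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

-- RLS is off until enabled. FORCE makes the policies apply to the table
-- owner as well; superusers and BYPASSRLS roles are never restricted.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted; WITH CHECK
-- rejects writes of rows belonging to another tenant. An unset or empty
-- setting becomes NULL, the comparison is never true, and the session
-- sees no rows (fail closed).
CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role with neither SUPERUSER nor BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

-- Per-request pattern: tenant context is set inside the transaction
-- (is_local = true), so it cannot leak to the next request on a pooled
-- connection. UUIDs below are constructed sample values.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO documents (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Lease abstract (sample)');
-- No tenant predicate in the query: the policy supplies it.
SELECT id, title FROM documents;
COMMIT;

-- Isolation check: as a different tenant, the row above must not be visible
-- and a write carrying the first tenant's id must be rejected by WITH CHECK.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
SELECT count(*) AS rows_visible FROM documents;
INSERT INTO documents (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'cross-tenant write');
ROLLBACK;
```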

Read-Only Document Access

Sevrel accesses your Egnyte library in read-only mode. It can search for files, read their contents, and browse folder structures — but it cannot modify, delete, move, or create files in your Egnyte account.

Document contents are read on-demand when answering queries. Sevrel does not maintain a separate copy of your files.

Encryption

  • In transit: All communication between your browser, the Sevrel API, and backend services uses TLS encryption (HTTPS).
  • At rest: Database contents are stored in encrypted storage. OAuth tokens for Egnyte and Microsoft Graph are encrypted with symmetric encryption before storage.
  • Sessions: Authentication uses HttpOnly, Secure, SameSite=Lax cookies. Session tokens are never exposed to client-side JavaScript.

Authentication & Access Control

Sevrel authenticates users through Microsoft or Google. There are no Sevrel-managed passwords — authentication is delegated entirely to your organization's identity provider.

  • Invitation-only access — no self-registration
  • Role-based access control (viewer, member, admin) enforced on every API endpoint
  • Per-IP rate limiting on authentication routes
  • Per-user rate limiting on AI query routes

Audit Trail

Every significant action in Sevrel is logged in an append-only audit trail with timestamps, user identification, and correlation IDs. Tracked events include:

  • User authentication (successful and failed attempts)
  • AI queries and document access
  • Role changes and administrative actions
  • Document ingestion and integration events

Organization administrators can review audit logs to maintain compliance and monitor platform usage.

Your Data Is Not Used for Training

Sevrel does not use your documents, queries, or responses to train or fine-tune AI models. Your data is used solely to answer your questions in real time. Conversation history is stored for your convenience and can be deleted at any time.

Last updated: March 17, 2026