Insigo
Trust center

Security at Insigo

Insigo holds your competitive position, the facts you teach it, and the calls you make. Protecting that isn't an add-on — isolation, privacy, and provenance are how the system is built. This page is a plain summary of how.

Tenant isolationNo model trainingEncryption in transit & at restInvite-only accessFull provenance
How we protect your data

Tenant isolation

Every workspace is a separate tenant. Membership is enforced server-side on every request, so no one outside your team can reach your data — and internal service routes are unreachable from the public internet.

No model training

Your prompts, your corpus, and the facts you teach the system are processed under enterprise terms and are never used to train foundation models. Your private facts stay in your workspace.

Encryption

All traffic is encrypted in transit (TLS 1.2+). Data is encrypted at rest, and integration secrets are held in an encrypted store — never committed to source. Passwords are bcrypt-hashed.

Access control

No open sign-up: accounts are provisioned or invited. Access is role-based (Owner / Admin / Member), authenticated with short-lived tokens, with self-serve reset over a time-boxed link.

Provenance

The system reasons only from evidence it collected or facts you taught it — never free-floating model opinion. Every claim drills to the document behind it, so you can audit the reasoning.

Least privilege

Services run with the minimum access they need. Collection reads public and primary-source records only — it never requires access to your internal systems to work.

Technical controls
Encryption in transit
TLS 1.2+ on every connection, with HSTS and auto-renewed certificates.
Encryption at rest
Database and backups encrypted at rest; an encrypted store for integration secrets.
Secrets
Credentials and keys encrypted with an environment-held key, never committed to source control.
Passwords
bcrypt-hashed with per-user salt — never stored or logged in plaintext.
Authentication
Short-lived access tokens with refresh; invite-only provisioning; role-based authorization.
Isolation
Per-workspace scoping enforced on every request; internal routes sealed from the public edge.
Data ownership
Your evidence, taught facts, and reads are yours — export or deletion available on request.
Availability
Managed, encrypted database with automated backups; monitored infrastructure.