Security

Security at Vectorspace

We power knowledge bases for companies whose teams are paid to vet us. Here is how we earn that trust.

Your website, untouched

Our embeddable widget runs inside a sandboxed iframe served from a Vectorspace-controlled origin. Because of how browsers enforce the Same-Origin Policy, the widget cannot read your page's DOM, cookies, or local storage—and it cannot make authenticated requests on behalf of your users. Even if a vulnerability were ever discovered inside the widget itself, the browser's isolation model is designed to contain the blast radius to the widget's own origin—sharply limiting what could reach your users or your data.

This is the same widely adopted pattern used by the embedded payment forms and support messengers you already trust on sensitive pages: treat the embedded surface as untrusted by default, and let the browser enforce the boundary.

We layer a strict Content Security Policy, sanitized content rendering, and origin-validated API calls on top of that isolation. None of these are marketing checkboxes—they are regression-tested on every deploy and verifiable from any browser's DevTools.

One tenant, one vault

Every project you create has its own isolated knowledge store. There is no shared index and no cross-project search, and the system is designed so that one client's content does not surface in another client's responses. Project isolation is enforced at the infrastructure layer—not just at the query layer—which significantly reduces the risk that a bug in application code could expose one client's content to another.

At the database level, access policies scope every query to the organization making it. Only our backend holds credentials that can bypass those policies, and they never touch the browser.

We don't train on your content. Neither does our AI provider.

Your documents are used to answer your users' questions and nothing else. We do not use your content to train our models, and neither does our underlying AI provider—that is a contractual commitment of the API tier we use, not a policy we apply ourselves. Your knowledge base is a retrieval source, not training data.

Conversations are stored so you can review them in your analytics dashboard, spot gaps in your documentation, and improve your users' experience over time. You can export or delete them at any time.

Boring infrastructure, on purpose

We run on managed, security-audited infrastructure rather than rolling our own. We rely on leading providers for cloud hosting, managed databases, and language models. All traffic between your users, the widget, and our API is encrypted in transit with TLS 1.2 or higher.

Secrets never reach the browser. API keys used to sign requests to upstream providers live only on our backend, rotated through our deployment pipeline. Customer-facing endpoints are rate-limited and origin-scoped.

Least privilege, from the first login

Access to customer data inside Vectorspace is governed by role-scoped permissions. Admins see their organization; collaborators see only the projects they are assigned to; end users of the widget see only what the chatbot has been configured to retrieve. Authentication is federated, supporting email/password and corporate SSO.

Internally, only engineers on active incident response have access to production data, scoped to the minimum necessary to resolve the issue.

Where we stand

We operate in compliance with the Brazilian General Data Protection Law (LGPD) and comparable data protection standards in the regions we serve. Data subject requests—access, export, deletion—are honored within the timeframes mandated by applicable law.

If your procurement process requires a specific attestation or certification, talk to us — we are happy to discuss what's in scope for your evaluation and whether our current controls meet your requirements.

Found something? Tell us.

If you believe you've found a security vulnerability in Vectorspace, please email hello@vectorspace.digital. We take every report seriously, respond within one business day, and credit researchers who help us improve.

Please don't test against customer data or production systems without coordinating with us first. We are glad to set up an isolated environment for good-faith research.

hello@vectorspace.digital

Ready to make your knowledge work?

Tell us where your knowledge lives today—we'll tell you honestly whether Vectorspace fits.