
Security at Vectorspace

We power knowledge bases for companies whose teams are paid to vet us. Here is how we earn that trust.

Your website, untouched

Our embeddable widget runs inside a sandboxed iframe served from a Vectorspace-controlled origin. Because of how browsers enforce the Same-Origin Policy, the widget cannot read your page's DOM, cookies, or local storage—and it cannot make authenticated requests on behalf of your users. Even if a vulnerability were ever discovered inside the widget itself, the blast radius would be contained to the widget's own origin. Nothing reaches your users or your data.

This is the same architectural choice made by Stripe Elements, Intercom, Drift, and HubSpot: treat the embedded surface as untrusted-by-default, and let the browser enforce the boundary.

We layer a strict Content Security Policy, sanitized content rendering, and origin-validated API calls on top of that isolation. None of these are marketing checkboxes—they are regression-tested on every deploy and verifiable from any browser's DevTools.
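The isolation described above depends on two values visible in the DevTools Elements panel: the iframe's `src` and its `sandbox` attribute. The following is an added example, not Vectorspace's code, that audits those values for any embed; the function name, finding labels, and sample hostnames are hypothetical.

```javascript
// Added example: audits an iframe embed's isolation from the host page.
// Function name, finding labels and sample URLs are constructed for illustration.
function auditEmbed({ hostUrl, frameSrc, sandbox }) {
  const host = new URL(hostUrl);
  const frame = new URL(frameSrc, hostUrl); // resolve a relative src against the host page
  const sandboxed = typeof sandbox === "string";
  const tokens = new Set(
    sandboxed ? sandbox.toLowerCase().split(/\s+/).filter(Boolean) : []
  );
  const findings = [];

  // A sandboxed frame without allow-same-origin is forced into an opaque origin,
  // which never matches the host, even when the src URL is same-origin.
  const effectiveOrigin =
    sandboxed && !tokens.has("allow-same-origin") ? "opaque" : frame.origin;
  const sameOrigin = effectiveOrigin === host.origin;

  if (!sandboxed) findings.push("no-sandbox-attribute");
  if (sameOrigin) findings.push("same-origin-as-host");
  // Same origin plus scripts: the frame can reach the parent DOM and drop its own sandbox.
  if (sameOrigin && tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("sandbox-escapable");
  }
  if (tokens.has("allow-top-navigation")) findings.push("can-navigate-top-page");
  if (tokens.has("allow-popups-to-escape-sandbox")) findings.push("popups-unsandboxed");
  if (frame.protocol !== "https:") findings.push("frame-not-https");

  return { effectiveOrigin, isolatedFromHost: !sameOrigin, findings };
}

// Constructed sample embeds (hypothetical hosts).
const samples = [
  { hostUrl: "https://shop.example/help", frameSrc: "https://widget.vendor.example/chat",
    sandbox: "allow-scripts allow-same-origin allow-forms" },
  { hostUrl: "https://shop.example/help", frameSrc: "/widget/chat.html",
    sandbox: "allow-scripts allow-same-origin" },
  { hostUrl: "https://shop.example/help", frameSrc: "/widget/chat.html",
    sandbox: "allow-scripts" },
];
for (const s of samples) console.log(s.frameSrc, auditEmbed(s));
```

An opaque-origin frame also loses access to its own cookies and storage, which is why a widget that needs a session is typically served from a separate origin with `allow-same-origin` rather than from the host's own origin.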

One tenant, one vault

Every project you create has its own isolated knowledge store. There is no shared index, no cross-project search, and no mechanism by which one client's content can surface in another client's responses. Project isolation is enforced at the infrastructure layer—not at the query layer—which means it is not something a bug in application code can accidentally undo.

At the database level, access policies scope every query to the organization making it. Only our backend holds credentials that can bypass those policies, and they never touch the browser.

We don't train on your content. No one does.

Your documents are used to answer your users' questions and nothing else. We do not use your content to train our models, and neither does our underlying AI provider—that is a contractual guarantee of the API tier we use, not a policy we apply ourselves. Your knowledge base is a retrieval source, not training data.

Conversations are stored so you can review them in your analytics dashboard, spot gaps in your documentation, and improve your users' experience over time. You can export or delete them at any time.

Boring infrastructure, on purpose

We run on managed, security-audited infrastructure rather than rolling our own. We rely on leading providers for cloud hosting, managed databases, and language models. All traffic between your users, the widget, and our API is encrypted in transit with TLS 1.2 or higher.

Secrets never reach the browser. API keys used to sign requests to upstream providers live only on our backend, rotated through our deployment pipeline. Customer-facing endpoints are rate-limited and origin-scoped.

Least privilege, from the first login

Access to customer data inside Vectorspace is governed by role-scoped permissions. Admins see their organization; collaborators see only the projects they are assigned to; end users of the widget see only what the chatbot has been configured to retrieve. Authentication is federated, supporting email/password and corporate SSO.

Internally, only engineers on active incident response have access to production data, scoped to the minimum necessary to resolve the issue.

Where we stand

We operate in compliance with the Brazilian General Data Protection Law (LGPD) and comparable data protection standards in the regions we serve. Data subject requests—access, export, deletion—are honored within the timeframes mandated by applicable law.

If your procurement process requires a specific attestation or certification, talk to us — we are happy to discuss what's in scope for your evaluation and whether our current controls meet your requirements.

Found something? Tell us.

If you believe you've found a security vulnerability in Vectorspace, please email hello@vectorspace.digital. We take every report seriously, respond within one business day, and credit researchers who help us improve.

Please don't test against customer data or production systems without coordinating with us first. We are glad to set up an isolated environment for good-faith research.
