Security & Compliance

Enterprise-Grade Security by Design

Every architectural decision we make is driven by one principle: your data belongs to you, and only you.

Global Deployment: Optimized for worldwide access
Zero Public Training: Contractual enterprise controls
Multi-Region Compliance: GDPR, PIPEDA, CCPA & more
Managed Keys Available: Tier 2 Enterprise only

Data Architecture

Tier 1 — Managed Cloud

Your documents are ingested into a dedicated, isolated managed-cloud environment operated by Utmost AI. Document content is transformed into a private knowledge index, and raw document files are removed from the processing pipeline after ingestion. Your index is logically isolated — no data is co-mingled with other clients. Our team has access only to system metadata such as query counts, document counts, and operational logs. We cannot read your document content.

Tier 2 — Enterprise Zero-Trust

The entire system can be deployed inside an environment owned and controlled by your organization. You own the billing relationship, access policies, and production resources. Our engineers are granted temporary implementation access during the build phase only. Upon delivery and your sign-off, you revoke all Utmost AI access. From that point, we have zero operational access to your infrastructure — contractually and technically.

Global Deployment with Optional Data Residency

Deploy globally by default

Your system is deployed globally for optimal performance and latency. Default deployment uses US regions for speed and availability.

Optional regional data residency

For customers requiring data residency in specific countries (Canada, EU, etc.), we offer dedicated deployments in those regions. Canadian deployments use northamerica-northeast1 (Montréal) or northamerica-northeast2 (Toronto). EU deployments use Europe regions. Data residency is configured on a per-customer basis as part of enterprise agreements.

No Public Model Training

Your data never touches a training pipeline

We use enterprise AI services that are contractually separated from public model training. Your proprietary documents — product manuals, lease agreements, internal knowledge bases — are never submitted to public training data pipelines, either by our platform or by our infrastructure providers.

Customer-Managed Encryption Keys

Available on Tier 2 (Enterprise)

Customer-managed encryption keys allow your organization to hold master control over the encryption of data at rest. In dedicated deployments, your own key management controls can protect knowledge indexes, stored files, and operational databases. If you revoke the key, data becomes cryptographically inaccessible to outside operators.

Zero-Touch Post-Deployment

Complete IAM access revocation

For Tier 2 clients, our standard engagement explicitly documents the access revocation step as a formal project milestone. After your system is live and you have been trained on the admin console, you revoke our implementation access. We provide a documented runbook for ongoing system administration. From that point forward, we are a retained support partner — not an operator of your infrastructure.

Global Privacy Compliance

Multi-jurisdiction compliance

Our data processing agreements (DPAs) cover privacy regulations across multiple jurisdictions including GDPR (EU), PIPEDA (Canada), CCPA (California), and others. Key provisions: data minimization (we collect only what's needed to build your index), explicit consent documentation, breach notification procedures (72-hour reporting), and regional data handling as per your legal requirements.

Questions about compliance for your specific industry?

Our engineering team is happy to walk you through exactly how your data would be handled.