Data Privacy

Twig AI's commitment to protecting your data and ensuring privacy compliance.

Privacy Principles

Data Ownership: You own your data completely
No Training: Your data never trains our models
Encryption: Data encrypted at rest and in transit
Isolation: Complete organization data isolation
Transparency: Clear data usage policies

Data Collection

What We Collect

User Data:

Email address (required)
Name (optional)
Organization affiliation
Usage patterns (anonymized)

Content Data:

Documents you upload
Data source connections
Knowledge base articles
Conversation history
Agent configurations

Technical Data:

API request logs
Performance metrics
Error logs
System diagnostics

What We DON'T Collect

❌ Payment card details (handled by Stripe) ❌ Passwords (only hashed versions) ❌ Unnecessary personal information ❌ Data from other organizations

Data Storage

Storage Locations

Primary Region: US-East (AWS) Available Regions (Enterprise):

US-West
EU (Frankfurt)
Asia-Pacific (Singapore)
Custom regions on request

Encryption

At Rest:

AES-256 encryption
Encrypted database fields
Encrypted file storage (S3)
Key management via AWS KMS

In Transit:

TLS 1.3
HTTPS only
Perfect forward secrecy
Strong cipher suites

Data Access

Who Can Access Your Data?

Within Your Organization:

Users with appropriate permissions
Based on role and group membership
Audit-logged access

Twig AI:

Support team (with your permission only)
For troubleshooting specific issues
Fully audit-logged
Never for training or other purposes

Third Parties:

❌ Never shared
❌ Never sold
❌ Never used for advertising
⚠️ LLM providers process queries (see below)

LLM Provider Processing

When you use Twig AI:

Queries sent to LLM providers (OpenAI, etc.)
Zero-retention policy enforced
Data not used for training
Enterprise agreements in place

Control:

{
  "privacy": {
    "useOnlyPrivateModels": true,  // Enterprise: Use dedicated models
    "dataResidency": "EU",          // Control where processed
    "zeroRetention": true           // Enforce zero-retention
  }
}

Privacy Controls

Private Data Mode

Restrict agents to organization-only data:

{
  "configAIUseOnlyPrivateData": true
}

Effect:

No external knowledge used
Only your uploaded/connected data
Highest privacy
More controlled responses

Data Classification

Tag data by sensitivity:

{
  "dataSource": {
    "classification": "CONFIDENTIAL",
    "accessControl": {
      "allowedRoles": ["admin", "manager"],
      "allowedGroups": ["legal", "finance"],
      "requireMFA": true
    }
  }
}

PII Detection

Automatically detect and handle PII:

{
  "piiDetection": {
    "enabled": true,
    "types": ["email", "phone", "ssn", "credit_card"],
    "action": "REDACT",  // REDACT, MASK, or BLOCK
    "alert": true
  }
}

Example:

Input: "My email is [email protected]"
Stored: "My email is [EMAIL_REDACTED]"
Logged: PII detected and redacted

Data Retention

Default Retention

Data Type

Retention Period

Interactions

90 days

Analytics

2 years (aggregated)

Audit Logs

1 year

Documents

Until deleted

User Accounts

Until deleted

Custom Retention (Enterprise)

{
  "retention": {
    "interactions": 30,      // 30 days
    "auditLogs": 2555,       // 7 years (compliance)
    "analytics": 730,        // 2 years
    "autoDelete": true
  }
}

User Rights

Right to Access

Users can request all data we hold:

Settings → Privacy → Request Data Export
Receive email within 30 days
Download complete data archive

Includes:

Profile information
Interaction history
Analytics data
Audit logs

Right to Deletion

Users can request data deletion:

Settings → Privacy → Delete My Data
Confirm deletion
Processed within 30 days

Effect:

User account deleted
Personal data removed
Interactions anonymized
Analytics aggregated (no personal link)

Right to Portability

Export your data in standard formats:

JSON (machine-readable)
CSV (spreadsheet)
PDF (human-readable)

Compliance

✅ Data processing agreements ✅ Lawful basis for processing ✅ Right to access, deletion, portability ✅ Data protection officer designated ✅ Privacy by design ✅ Breach notification (72 hours)

CCPA (California)

✅ Right to know what data is collected ✅ Right to delete ✅ Right to opt-out of sale (we don't sell data) ✅ Non-discrimination

HIPAA (Healthcare)

Available for Enterprise: ✅ Business Associate Agreement (BAA) ✅ Encrypted data storage ✅ Access controls ✅ Audit logging ✅ Breach notification

SOC 2 Type II

✅ Annual audit ✅ Security controls ✅ Availability controls ✅ Confidentiality controls ✅ Report available on request

Privacy-First Features

Data Minimization

We only collect what's necessary:

✅ Collect: Email (required for account)
❌ Don't collect: Date of birth, address, phone

Purpose Limitation

Data only used for stated purposes:

Provide AI services
Improve platform
Support customers
Comply with legal obligations

NOT used for:

Marketing to non-customers
Selling to third parties
Training public models

Anonymization

Analytics use anonymized data:

Personal: user-123 asked "What is pricing?"
Anonymous: User in segment X asked category Y question

Incident Response

Data Breach Protocol

If breach occurs:

Detection: Identify and contain (< 1 hour)
Assessment: Evaluate scope and impact (< 6 hours)
Notification: Inform affected users (< 72 hours)
Remediation: Fix vulnerability
Review: Post-mortem and improvements

User Notification

You'll be notified if:

Data breach affects your account
Unauthorized access detected
Security settings changed
Suspicious activity observed

Privacy Settings

Organization-Level

{
  "privacy": {
    "dataResidency": "US",
    "allowDataTransfer": false,
    "requireMFAForAdmins": true,
    "sessionTimeout": 3600,
    "encryptionLevel": "STRONG"
  }
}

User-Level

Users can control:

Data sharing preferences
Analytics inclusion
Email communications
Third-party integrations

Best Practices

1. Classify Your Data

✅ Identify sensitive data ✅ Apply appropriate controls ✅ Restrict access ✅ Audit regularly

2. Enable Private Data Mode

✅ For sensitive use cases ✅ For compliance requirements ✅ For controlled environments

3. Regular Audits

✅ Review access logs quarterly ✅ Verify permissions annually ✅ Remove inactive accounts ✅ Update security policies

4. Train Your Team

✅ Privacy awareness training ✅ Data handling procedures ✅ Incident reporting ✅ Secure practices

Next Steps

Compliance - Regulatory compliance
Security Best Practices - Harden security
SSO Integration - Enterprise authentication
User Permissions - Access control

PreviousSSO Integration NextCompliance

Last updated 7 hours ago

hashtagPrivacy Principles

hashtagData Collection

hashtagWhat We Collect

hashtagWhat We DON'T Collect

hashtagData Storage

hashtagStorage Locations

hashtagEncryption

hashtagData Access

hashtagWho Can Access Your Data?

hashtagLLM Provider Processing

hashtagPrivacy Controls

hashtagPrivate Data Mode

hashtagData Classification

hashtagPII Detection

hashtagData Retention

hashtagDefault Retention

hashtagCustom Retention (Enterprise)

hashtagUser Rights

hashtagRight to Access

hashtagRight to Deletion

hashtagRight to Portability

hashtagCompliance

hashtagGDPR (EU)

hashtagCCPA (California)

hashtagHIPAA (Healthcare)

hashtagSOC 2 Type II

hashtagPrivacy-First Features

hashtagData Minimization

hashtagPurpose Limitation

hashtagAnonymization

hashtagIncident Response

hashtagData Breach Protocol

hashtagUser Notification

hashtagPrivacy Settings

hashtagOrganization-Level

hashtagUser-Level

hashtagBest Practices

hashtag1. Classify Your Data

hashtag2. Enable Private Data Mode

hashtag3. Regular Audits

hashtag4. Train Your Team

hashtagNext Steps