Security
Your data. Your control.
An honest look at how we protect your data today and what we're building toward.
Data Isolation
Per-company isolation
Every company gets its own isolated infrastructure. Storage is separated with per-tenant key prefixes and optional bring-your-own-key encryption. There is no cross-tenant data access.
David is hostable in the US, UK, and Germany — you choose where your data lives.
Infrastructure
What's in place today
Hostable in US, UK, and DE regions
Bulk storage with optional bring-your-own-key encryption
Per-company infrastructure isolation
Role-based access, management, and onboarding flows
Encrypted in transit via HTTPS across all services
AI Providers
Vetted providers, clear boundaries
David uses the major AI providers you've heard of — Anthropic, OpenAI, Google — alongside specialist providers whose models work better for specific agentic tasks. We've done the hard work of evaluating which model works best for what, and vetting each provider's data policies, so you don't have to.
What goes to the AI provider: your task input and the minimum context needed to complete it. Provider API policies state this data is not used for model training.
What stays on our infrastructure: your files, credentials, conversation history, and organisational knowledge. This data is never sent to AI providers.
No vendor lock-in: Unlike assistants from Anthropic, Google, or OpenAI that only use their own models, David is provider-agnostic. As better models emerge — including open-source — David adopts them, passing on improvements in capability and cost savings directly to you.
Compliance
Where we are and where we're headed
GDPR foundations (Active): Data deletion on request, consent-aware processing
SOC 2 Type II (Planned): Formal audit process on our roadmap
Comprehensive audit logging (Planned): Full action tracking and access logs