Gyld

Security at Gyld

Gyld indexes your company's knowledge so your AI tools can use it. That only works if the data is protected like it's ours — here is exactly how.

Your company's knowledge stays yours

Your data is never used to train AI models — ours or anyone else's. Every workspace's brain is isolated from every other customer's, and access inside your workspace mirrors the permissions of your source tools: if someone can't open a document in Drive, Slack, or SharePoint, they can't see it through Gyld either — and neither can any AI agent acting as them.

Source permissions, mirrored

Document, channel, and record permissions are read from each connected source and enforced on every query — including every AI agent request. Permission checks fail closed: when in doubt, nothing is shown.

Encrypted in transit and at rest

All traffic uses TLS. Stored data is encrypted at rest, and connection credentials get an additional application-layer of AES-256-GCM encryption on top — a database leak alone cannot expose your tokens.

Admin-controlled organization access

Org-wide installs use read-only scopes your IT admin explicitly approves in Microsoft Entra or the Google Admin console — and can revoke there instantly. Access tokens for org installs are minted on demand and never stored, so revocation is total.

Workspace isolation

Every page, memory, and embedding is scoped to your workspace, and membership is verified on every request. AI agents connect with credentials bound to a specific person and see only what that person can see.

What we store

Indexed content

Pages, extracted summaries, and vector embeddings built from the sources you choose to connect — that's the product. You decide what gets indexed, per source, and deletions in the source propagate to the brain. Disconnecting a source purges its indexed content.

Connection credentials

OAuth tokens for the accounts you connect, encrypted with AES-256-GCM at the application layer before they touch the database. Organization-wide installs store no tokens at all — access is minted per request from admin-granted consent.

Request logs

A record of every AI-agent request against your brain — which tool, which member, what was retrieved. These logs exist for YOUR visibility: they power your workspace's activity dashboard and audit trail.

How we protect your data

  • TLS encryption in transit; encryption at rest for all stored data
  • Application-layer AES-256-GCM encryption for all connection credentials
  • Source permissions mirrored per document and enforced on every query, failing closed
  • AI-agent (MCP) access bound to individual member identity — no shared or elevated service access
  • Workspace admins get a kill switch and per-member usage caps for agent access
  • Read-only, least-privilege scopes for organization-wide installs, revocable by your admin at any time
  • Deletions and permission changes in your sources propagate to the brain automatically
  • No training of AI models on customer data — LLM providers are used via API with training disabled
  • Every agent request logged to your own audit dashboard

Subprocessors

We use a small set of infrastructure providers to deliver Gyld. Each processes data only as needed to provide their service:

ProviderPurpose
VercelApplication hosting and compute
SupabaseDatabase, authentication, and storage
OpenAILLM inference via API (no training on API data)
AnthropicLLM inference via API (no training on API data)
StripeBilling and payments
ResendTransactional email
PostHogProduct analytics (no indexed content)

Compliance

We follow GDPR-aligned data practices, offer a Data Processing Agreement on request, and are glad to complete security questionnaires as part of your review. A SOC 2 program is on our compliance roadmap — contact us for our current security documentation and posture details.

Questions about security?

Security review, questionnaire, DPA, or anything else — we answer directly and fast.

Last updated: July 2026