Rekall-IQ Legal Hub & Trust Center

Security & Data Protection

We design security and data isolation directly into our platform architecture to safeguard your organisation's internal knowledge.

Last updated: May 2026

This page provides transparent information regarding our security practices, architectural design, data isolation, and our security roadmap.

1. Security Overview

Rekall-IQ is engineered to protect customer knowledge. Our core architecture focuses on strict workspace isolation, role-based access controls, private document storage, and scoping AI processing strictly to retrieved context from your approved files.

2. Access Control & Authentication

We implement granular access controls to ensure users only access the features and data they are authorised to see:

  • Supabase Auth: Utilises secure, industry-standard authentication mechanisms to handle logins, passwords, and sessions.
  • Workspace Admin: Controls document uploads, document deletions, user invites, workspace settings, and knowledge gaps.
  • Viewer: Scoped to query-only access in the chat interface. Viewers cannot upload documents, delete files, or view workspace-level configurations.

3. Multi-Tenant Workspace Isolation

Our database and vector storage are designed to enforce partition security between organisations:

  • Workspace Scoping: All database queries are scoped by a unique workspace_id.
  • Vector Separation: Document chunk vectors are indexed in Qdrant Cloud and queried with metadata filtering that restricts search queries to matches containing the client's specific workspace_id.
  • No Cross-Workspace Exposure: Users assigned to one workspace are unable to view documents, vectors, chat histories, or analytics from any other workspace.

4. Platform Admin Privacy Boundary

Rekall-IQ operators holding the Platform Admin role can manage system health, view workspace metadata (such as document counts and plan status), and suspend or reactivate workspaces.

By default, Platform Admins do not view the text content of your uploaded documents or browse full user chat conversations in cleartext.

5. Data Storage Infrastructure

Our infrastructure partners provide secure database, storage, and processing environments:

  • Supabase PostgreSQL: Houses structured application database records, user relations, workspace settings, and chat session metadata.
  • Supabase Storage: Stores raw uploaded files (PDFs, TXT) in private storage buckets named documents.
  • Qdrant Cloud: Holds index vectors representing document chunks.
  • Vercel: Runs serverless functions and hosts application routes.
  • Inngest: Coordinates state machine background queues.

6. AI Context & Retrieval Bounds

To prevent generative model hallucination and leakage, the application uses a strict Retrieval-Augmented Generation (RAG) pattern. When a user asks a question, the application retrieves context chunks matching that specific workspace and inserts them directly into the Gemini prompt context. Responses are generated based strictly on this context, and source citations are returned.
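
An added example, not Rekall-IQ's own code, of the workspace-scoped retrieval described in sections 3 and 6: a Qdrant-style payload filter on workspace_id is built from the authenticated session and applied before ranking, so another workspace's chunk is never returned even when it is the closest match. The in-memory index, the function names and the sample chunks are constructed for illustration.

```javascript
// Added example, not Rekall-IQ code. All names and data are constructed.

// Build a Qdrant-style payload filter. workspaceId must come from the
// authenticated session, never from the request body.
function workspaceFilter(workspaceId) {
  if (typeof workspaceId !== "string" || workspaceId.length === 0) {
    throw new Error("refusing to search without a workspace_id"); // fail closed
  }
  return { must: [{ key: "workspace_id", match: { value: workspaceId } }] };
}

// Minimal evaluator for the `must` / `match.value` subset used above.
function matches(payload, filter) {
  return filter.must.every((c) => payload[c.key] === c.match.value);
}

function cosine(a, b) {
  const dot = a.reduce((s, x, i) => s + x * b[i], 0);
  const norm = (v) => Math.sqrt(v.reduce((s, x) => s + x * x, 0));
  return dot / (norm(a) * norm(b));
}

// Stand-in for the vector store: filter first, then rank by similarity.
function search(index, queryVector, filter, limit) {
  return index
    .filter((p) => matches(p.payload, filter))
    .map((p) => ({ ...p, score: cosine(p.vector, queryVector) }))
    .sort((x, y) => y.score - x.score)
    .slice(0, limit);
}

// Retrieval step of the RAG flow: only same-workspace chunks reach the prompt.
function retrieveContext(index, session, queryVector, limit = 2) {
  const hits = search(index, queryVector, workspaceFilter(session.workspaceId), limit);
  return {
    context: hits.map((h) => h.payload.text).join("\n---\n"),
    citations: hits.map((h) => h.payload.document),
  };
}

// Constructed sample index: two tenants, and ws-b holds the closest vector.
const INDEX = [
  { vector: [1, 0], payload: { workspace_id: "ws-b", document: "b-payroll.pdf", text: "B salaries" } },
  { vector: [0.9, 0.1], payload: { workspace_id: "ws-a", document: "a-handbook.pdf", text: "A leave policy" } },
  { vector: [0, 1], payload: { workspace_id: "ws-a", document: "a-onboarding.txt", text: "A onboarding" } },
];
```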

7. Encryption

  • In Transit: All data transmitted to or from the platform is encrypted over HTTPS using Secure Sockets Layer (SSL) / Transport Layer Security (TLS).
  • At Rest: Encryption at rest is managed by our underlying infrastructure providers (Supabase, Qdrant Cloud, and Vercel) using standard disk encryption technologies.

8. Background Processing State Safety

Document parsing, text extraction, embedding generation, and vector indexing are handled asynchronously by Inngest. Documents are tracked via lifecycle states: processing, ready, or failed. Inngest steps run inside isolated serverless sandboxes.

9. Logging and Monitoring

We collect application logs for diagnostic and reliability purposes. These logs contain metadata such as API response codes, timestamps, and error codes. We use them to maintain system health, troubleshoot background jobs, and monitor for unauthorised access attempts.

10. Customer Security Responsibilities

Security is a shared responsibility. We ask that customer organisations:

  • Ensure only authorised documents are uploaded to the workspace.
  • Manage invited users and review team roles regularly.
  • Promptly remove users who should no longer have access to the workspace.
  • Verify important facts and guidelines output by the AI prior to making operational or regulatory decisions.

11. Security & Compliance Roadmap

We are actively developing security enhancements, with plans to introduce:

  • Strict rate limiting on login and API endpoints.
  • Workspace audit logs tracking admin actions (e.g., uploads, deletions, invites).
  • Single Sign-On (SSO) integrations for enterprise tenants.
  • Third-party security code audits and penetration testing.
  • Formal security compliance reviews (such as SOC 2 and ISO 27001).

12. Contact Security

To report a suspected vulnerability or discuss enterprise security requirements, please email: