Legal · Privacy Policy

How Xybern handles workspace and connector data

Xybern builds reasoning AI for regulated law and finance teams. This policy describes what data we collect, how we use it, and the controls available to your organization.

Last updated: March 2025

Data we process

We collect the minimum data required to operate the Assistant, Deep Research, Projects, and compliance features.

Account & workspace profile

  • Name, email, role, authentication metadata
  • Admin settings (SSO, SCIM, org structure)
  • Billing contacts and audit recipients

Content you provide

  • Prompts, uploads, connectors, regulatory docs, spreadsheets
  • Outputs from Deep Research, Projects, runs, and annotations
  • Support tickets and product feedback

Product telemetry

  • Timestamps, run duration, feature flags, performance metrics
  • Device/browser attributes for security
  • Aggregated usage counts (no prompt text)

Third-party data sources

  • Optional integrations with S3, SharePoint, databases, or document portals that you configure
  • Audit logs and connector health data
  • Attribution to the workspace that owns the connector

How we use data

Customer Data is used to deliver the Services, power reasoning chains, surface citations, run compliance checks, provide support, and detect abuse. Aggregated metrics help us plan capacity and improve inference quality, but prompts and uploads remain scoped to your workspace unless you explicitly share them.

Model routing & retention

Depending on your configuration, prompts may be processed by multiple reasoning models (first-party or contracted LLM providers) to achieve consensus. Providers receive only the minimum text needed for the request, under agreements prohibiting training on your data.

Security & residency

Data is encrypted at rest and in transit. You may request dedicated environments, EU/US residency, customer-managed keys, or private networking. Access is restricted by role-based controls, hardware security tokens, and continuous logging.

Trusted subprocessors

We leverage audited infrastructure and carefully vetted vendors. Your admin team can request the full list during diligence.

Cloud & storage

  • Primary hosting in SOC 2 data centers (AWS/GCP)
  • Encrypted object storage for uploads and runs
  • Disaster recovery backups with strict retention

Reasoning providers

  • LLM partners (e.g., OpenAI, Anthropic, DeepSeek) with no training rights
  • Specialized models for financial simulation and legal retrieval
  • Usage isolated per workspace

Operational tools

  • Email delivery (support + notifications)
  • Product analytics with IP trimming
  • Penetration testers and security monitoring partners

We do not sell personal data or permit advertising technology inside Xybern. Subprocessor changes are communicated to admins with opt-out options consistent with your agreement.

Retention & deletion

Customer Data remains in your workspace until you delete it or your agreement ends. After termination, we retain backups for up to 30 days (unless law requires more) solely for disaster recovery, then purge them using certified deletion procedures.

Access & export

Admins can export Projects, Deep Research runs, audit logs, and connector inventory through the product or by contacting support. You can request confirmation about where your data is stored and how it is segmented.

Your privacy rights

Depending on where you live (EU/EEA/UK, California, etc.), you may request access, correction, deletion, portability, or restriction. Email info@xybern.com and we will respond within the timelines required by applicable law.

Children

Xybern is not directed to children under 16, and we do not knowingly collect their personal data.

Need a DPA or data schedule?

Contact info@xybern.com or your account team for tailored terms, data residency commitments, or copies of penetration and compliance reports.