What we do to protect customer data across GreatRouter, GreatStudios, and GreatChat — and what we honestly cannot claim yet. Security and privacy are part of how the platform is engineered, not a marketing line.
The baseline that applies across all three products.
TLS 1.3 for data in transit on every product. AES-256 at rest where supported by the underlying storage layer. HTTP Strict Transport Security across all marketing and product domains.
Organization-scoped accounts with role-based access — Owner, Admin, Member, Viewer — and granular project permissions in GreatChat. API keys are scoped per workspace in GreatRouter.
Workspace-level audit logs for authentication events, billing changes, API key rotations, and configuration changes. Exportable on Enterprise plans.
US and EU regions for product data on supported plans. Custom residency available for Enterprise. Regional metadata is documented per workspace.
We follow industry best practices for privacy and data handling. We do not list certifications we have not legally verified. Specific posture details available on request for procurement teams.
On-call rotation with runbooks for production incidents. Customers are notified within reasonable timelines as required by applicable law and our customer contracts.
A single conceptual diagram. Every product follows the same path.
Through GreatStudios, GreatChat, or directly via the GreatRouter API. Authentication uses your workspace credentials.
The router classifies intent and selects the right model. The request is signed and sent to the inference provider over TLS.
Inference happens inside the provider's environment. Responses are streamed back through GreatRouter and surfaced in the product.
Outputs, generations, and chat history live in your workspace storage (Neon Postgres + R2). Only your team can access them, subject to role-based permissions.
Storage uses Neon Postgres (relational) and Cloudflare R2 (object) inside your workspace boundary. Provider names referenced here are the underlying database and object store; we do not name the inference platform in customer-facing product UI.
Six commitments we hold ourselves to.
Your prompts, documents, and generated content are not used to train our models or any third-party model. Inference passes through providers but is not retained for training.
We never sell or rent personal data. We share data with payment processors and AI model providers strictly to deliver the service you've requested.
Customers can request deletion of their account and associated data. We honor requests in line with applicable law (GDPR, CCPA, and equivalents).
Our Privacy Policy documents the legal basis for processing, retention windows, and your rights as a data subject. See the policy for jurisdiction-specific notices.
Customer data can be pinned to US or EU regions on supported plans. Custom residency is available under Enterprise agreements.
Default retention is the lifetime of your account plus a reasonable window for billing, security, and legal obligations. Specific retention details are documented per product.
Our current compliance posture includes verifiable practices and operational controls, not aspirational marketing claims. We do not advertise certifications we have not legally completed.
Need detailed information for a vendor security review? Write to security@greatstudiosai.com with your timeline and questionnaire format. We respond promptly during business days.
If you believe you have found a security issue in any Greatapps product, please email security@greatstudiosai.com with steps to reproduce. We thank reporters who follow coordinated disclosure and do not act in bad faith.