Security & Trust

Enterprise-grade security,
built into every answer.

Your documents are your competitive advantage — and often your license to operate. knowledgeXpert is SOC 2 Type II audited, ISO 27001:2022 certified, and GDPR compliant, backed by 62 documented controls, single-tenant isolation, end-to-end encryption, and a guarantee your data is never used to train public AI models.

SOC 2 Type II ISO 27001:2022 GDPR Air-gapped / on-prem available
Certifications & frameworks

Independently audited. Continuously monitored.

Our security program is built on industry-recognized frameworks, verified by third-party auditors, and monitored continuously through Sprinto — not just checked at audit time.

SOC 2 Type II
Audited

Independent audit of our security, availability, and confidentiality controls — operating effectively over time, not just on paper.

ISO 27001:2022
Certified

The international standard for information security management — covering how we build, run, and govern the platform.

GDPR
Compliant

Documented DPIAs, an EU representative, and a full inventory of personal data — for teams that operate under European rules.

62 controls · 6 categories

Defense in depth, audited end to end.

Every layer of how we build, run, and govern knowledgeXpert is covered by documented, monitored controls. Here’s the shape of the program — the full control list lives in the Trust Center.

Product security

Keeping the platform itself safe to use.
  • Annual production system user review
  • Documented vulnerability remediation
  • Centralized flaw-remediation management

Data security

Protecting, isolating, and governing your information.
  • AES-256 encryption at rest
  • MFA on critical systems
  • Production database access restriction
  • Backups with recovery testing

Network security

Guarding traffic and connections at every hop.
  • Default-deny firewall on production hosts
  • HTTPS / TLS 1.2+ for all transmissions
  • Centralized security event logging

App security

Keeping customers informed, surfacing anomalies.
  • Continuous monitoring for unauthorized activity
  • Conspicuous privacy notice

Endpoint security

Keeping the devices that touch your data clean.
  • Anti-malware on all employee endpoints
  • Remote-device security validation
  • Automatic session lock after 15 min

Corporate security

Governing our people, policies, and vendors.
  • Security & privacy training, new-hire and periodic
  • Risk assessments & third-party reviews
  • CISO & CPO with assigned responsibilities
Our data principles

Three promises about your data.

Plain-language commitments. No legalese, no fine print, no hidden clauses.

Promise 01

Your data stays yours.

Your documents are never used to train public AI models, never shared with other customers, and never leave your isolated tenant. Full stop.

Promise 02

You control access.

Role-based permissions decide who sees what — down to specific knowledgeBases. Add, remove, or revoke users in seconds. Every action is logged.

Promise 03

You can leave with everything.

Export your documents and data at any time. If you cancel, we delete your tenant within the timelines defined in your contract. No lock-in.

Technical snapshot

For your security team.

The specifics your IT, InfoSec, and procurement teams will ask about — in one place. Forward this page; it’s built for that.

Encryption in transitTLS 1.2+

All API and browser traffic encrypted end to end.

Encryption at restAES-256

Customer data and backups encrypted with managed keys.

Tenancy modelSingle-tenant

Logical isolation per customer — data is never co-mingled.

Uptime & availability99.9% target SLA

Active monitoring, automated failover, documented RTO/RPO.

Deployment optionsCloud · air-gapped on-prem

For networks that never touch the public internet.

SubprocessorsPublished list

Current subprocessors listed in the Trust Center.

Security FAQ

The questions security teams ask first.

Is my data used to train AI models?
No. Your documents are never used to train public AI models, never shared with other customers, and never leave your isolated tenant.
How is my data isolated from other customers?
knowledgeXpert runs single-tenant with logical isolation — your data is never co-mingled with anyone else’s. For environments that require it, an air-gapped, on-premises deployment is available.
Can I export my data and leave?
Yes, at any time. If you cancel, we delete your tenant within the timelines defined in your contract. No lock-in.
Where do I get your SOC 2 report and policies?
Current audit reports, policies, and the subprocessor list are in the BearCreek AI Trust Center. If your procurement process needs something specific, contact us and we’ll get it to you.
Security review coming up?

Send this page to your security team — then see it on your own documents.

Thirty minutes, your documents, every answer traced to its source. Your data stays in your tenant.