Security at DeskGraph

Your data. Our responsibility.

Effective March 2026

Infrastructure

Everything runs on Google Cloud Platform. Compute, storage, vector search, embedding generation. Your data never touches our local machines, personal devices, or third-party services outside Google's trust boundary.

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • VPC network isolation between tenants
  • Cloud SQL with automated backups and point-in-time recovery

AI and your data

Embeddings are generated through Google Cloud's Vertex AI, the enterprise API. This is not the consumer Gemini API. Vertex AI's Data Processing Addendum contractually prohibits Google from using your data to train or improve their models. Your ticket content is processed, embedded, and discarded. It never enters a training pipeline.

We don't use any AI provider that trains on customer input. This is non-negotiable. If a vendor can't guarantee it in writing, we don't use them.

What we store

Vector embeddings: mathematical representations of your tickets used for similarity search. These aren't readable text. They can't be reversed into your original content. We don't store raw ticket bodies, screenshots, or recordings. We read them, embed them, and let go. The only human-readable data we keep is resolution summaries and ticket metadata (IDs, timestamps, status).

What we measure

Usage signals only. Sidebar opens, match click-throughs, thumbs up/down, time-to-resolution. We can tell whether your agents find the matches useful. We never read, log, or store your ticket content. This is how we power proactive refunds: we know if the product is working without ever seeing your data.

Access control

MFA is enforced for every staff account, every service, no exceptions. Not optional. Not "recommended." Enforced at the identity provider level with hardware keys or TOTP.

  • Principle of least privilege for all GCP IAM roles
  • No shared credentials or service accounts with broad access
  • Audit logging on all production access
  • No customer data in development or staging environments

Deletion and GDPR

Fully GDPR compliant. Request deletion at any time. We'll wipe your embeddings, usage data, and account information. No retention period, no "we'll get to it," no fine print. DPA available on request.

Integrations

We connect to your ticketing system via OAuth with the minimum scopes needed: read-only access to tickets and attachments. We never modify, delete, or create tickets in your system. We never request admin or write permissions.

Who built this

DeskGraph was founded by a working security architect. Not someone who hired a security consultant after launch. Data protection isn't a feature on our roadmap. It's the foundation we built everything else on.

Need a DPA, have compliance questions, or want to talk through our architecture? hello@deskgraph.io
