Security at askBIQ

When you enable encryption, your data is protected using AES-256-GCM - the same standard used by banks and government agencies. Your password is processed through Argon2id, which makes brute-force attacks computationally infeasible.

The technical flow: your password + a random salt generates a 256-bit encryption key. That key encrypts your database file. Only you have the password. We store only the salt and a one-way verification hash - never the key, never the password.

If you enable encryption: No. Your data is encrypted with a key derived from your password. We do not store your password or your encryption key. Without your password, your data is unreadable - to us, to anyone.

If you don't enable encryption: Your data is still isolated in its own database and protected by infrastructure-level security (encrypted storage, access controls, audit logs). Staff access is logged, but technically possible for support/debugging purposes.

Your data is permanently lost. This is intentional and by design. We cannot reset, recover, or bypass your encryption password because we never have access to it. We strongly recommend saving your password in a password manager. We show this warning during setup and require you to acknowledge it before enabling encryption.

Yes. You can upload data with or without encryption - it's a checkbox during upload. You can have some data sources encrypted and others not. It's your choice based on the sensitivity of each dataset.

Your data is stored on AWS infrastructure in the US (Ohio region). Each user's data lives in its own isolated database file - your data is never co-mingled with anyone else's.

The underlying storage uses EBS volumes with AES-256 encryption at rest, provided by AWS. All data in transit uses TLS 1.2+.

No. We use Claude (by Anthropic) to process your questions. Anthropic's API does not train on data sent through the API. Your data is processed to answer your question and then discarded by the AI. We do not store your queries or the AI's responses for training purposes.

No. Every user's data is stored in a completely separate database file. There is no shared database, no shared tables, no way for one user's query to accidentally access another user's data. This is physical isolation, not just permissions - the files are entirely separate.

Yes. You can delete any data source from the upload page at any time. When you delete a data source, the database file is removed from our servers. This is a permanent, irreversible deletion.

No. We do not sell, share, license, or provide your data to any third party. Your data is used exclusively to answer your questions within the askBIQ platform. Period.

We log metadata about your activity, not your actual data. Specifically:

• Which tables were queried (e.g., "sales", "customers")
• How many rows were returned (e.g., "15 rows")
• Query execution time
• Encryption unlock events and failed attempts
• Login timestamps and IP addresses

We do not log the actual data values returned by queries. If you have encryption enabled, we couldn't read them even if we tried.

We use Google OAuth for sign-in. We do not store passwords for your askBIQ account - Google handles authentication. Your encryption password (if you enable encryption) is separate from your sign-in and is never sent to or stored by Google.

If your data is encrypted: An attacker would have your encrypted database file, which is useless without your password. AES-256-GCM with Argon2id key derivation means brute-forcing the password would take longer than the age of the universe with current computing power.

If your data is not encrypted: Your data is still protected by infrastructure-level encryption (AWS EBS encryption at rest), but the data itself would be readable if an attacker gained server access.

This is exactly why we offer user-controlled encryption - it protects you even in the worst-case scenario.

Our infrastructure is designed with HIPAA requirements in mind:

• Access controls - User-controlled encryption keys, Google OAuth
• Audit controls - All data access logged with timestamps and IP addresses
• Integrity controls - AES-256-GCM provides cryptographic integrity verification
• Transmission security - TLS 1.2+ for all data in transit

We are happy to sign a Business Associate Agreement (BAA) with healthcare organizations. Contact us at security@askbiq.com.

We do not currently hold SOC 2 certification. We are transparent about this. What we can tell you is exactly what security measures are in place (everything described on this page), and you can evaluate whether they meet your requirements. As we grow, formal certification is on our roadmap.

Absolutely. We are happy to:

• Walk through our security architecture on a call
• Answer a security questionnaire
• Sign a BAA (for healthcare organizations)
• Provide documentation of our encryption and access controls

Contact security@askbiq.com to schedule a review.