Enterprise-grade security.
Engineered from day one.

No. We never use your data to train any AI models.

Each customer's data is isolated at the storage level — both initial raw data and any user derived data.

By default, Overstand uses secure, stateless endpoints backed by agreements with major model providers — your data is never stored or used for training. If you want full control, you can optionally bring your own API keys from providers like OpenAI, Anthropic, or Azure OpenAI, so all prompts and responses flow through your own accounts.

Overstand's infrastructure is designed to meet HIPAA requirements, including encryption at rest and in transit, access controls, audit logging, and isolated environments. We execute Business Associate Agreements (BAAs) with customers who require them.

We use AES-256 encryption for all data at rest and TLS 1.3 for data in transit. Each data chunk is encrypted with its own unique key, and encryption keys are rotated automatically on a regular schedule.

Yes. Every query, export, and administrative action is logged with full user attribution, timestamps, and IP addresses. Audit logs are immutable and available for export to your SIEM or compliance tooling.

Upon cancellation, all your data is permanently deleted from our systems within 30 days, including backups. We provide a data export window before deletion begins, and we issue a certificate of destruction upon request.

Most SaaS platforms use logical partitions within shared databases — your data sits alongside other customers' data. Overstand isolates every customer's data at the storage level, covering both raw ingested data and any derived data created by users. No customer's data ever crosses into another environment.