Gigacatalyst Trust Center

Zero Retention

AI providers

BYOK

Bring your own key

You're in Control

Fully inspectable

Network requests are visible in dev tools. Source code of every generated app is available to your team for review or audit.

Write access is granular

You choose: no writes, writes via your existing API endpoints, or new write operations through our intermediary. Disable destructive endpoints entirely.

Minimal integration surface

We need API endpoints or a read replica, and optionally your AI key. No access to your full stack or source code.

How We Handle Data

During building, the AI sees only your schema structure and sample rows your team explicitly provides. At runtime, apps query your APIs live. We never store your customer data, API responses, or query results.

We store

  • Generated app source code
  • App metadata (who created it, when)
  • Usage logs (optional, can be disabled)

We never store

  • Your customer data or API responses
  • Query results or database contents
  • End-user PII from your platform
  • AI prompts or responses (zero-retention with all providers)

Two Deployment Modes

Every deployment is secure out of the box. For teams that want nothing routed through us, switch to Direct.

Default

Managed

  • Requests route through Gigacatalyst proxy for caching, rate limiting, and analytics
  • AI powered by AWS Bedrock (our account, zero-data-retention)
  • Basic telemetry for usage insights and debugging
  • Customer data is never stored or logged, only metadata

Optional

Direct

  • API calls go straight to your infrastructure, nothing routes through us
  • Bring your own AI key (Vertex, Azure, AWS, or any provider)
  • All telemetry disabled
  • No Gigacatalyst infrastructure in the request path

Architecture at a Glance

Layer | Managed
API Calls | Via Gigacatalyst proxy
AI Provider | AWS Bedrock (our account, zero-retention)
Telemetry | Usage analytics (PostHog)
App Runtime | Runs in your environment
Source Code | Visible and auditable

Sub-processors

Provider | Purpose
Supabase | App metadata storage
Vercel | Hosting & deployment
AWS Bedrock | AI code generation (default provider)
PostHog | Product analytics (can be disabled)

Breach Notification

If we become aware of a breach affecting your data, we will notify you within 24 hours of discovery, in writing, with a description of what happened, what data was affected, and what we are doing about it.

Common Questions

No. Our apps run inside your environment using the same credentials and permissions as your logged-in user. The AI works off your schema/structure and sample rows (synthetic or hand-picked by your team). We don't need a separate admin connection to your database or APIs.
The app runs in your environment. Your team can inspect every outbound request. The source code of every app is available to your team for review, audit, or static analysis. In Direct mode, no requests route through Gigacatalyst at all.
Apps use the user's session credentials and call your infra. In Managed mode, requests route through our proxy for caching and analytics, but your customer data is never stored or logged. In Direct mode, nothing routes through us at all.
We are actively pursuing SOC 2 certification. Our architecture is designed so that your customer data never enters our systems, limiting exposure far beyond what a certification alone provides. We're happy to walk your security team through specifics.
Yes. Contact [email protected] to initiate.
Yes. We delete everything: app code, metadata, credentials, logs. We confirm deletion in writing.

Want to learn more?

We're happy to walk your security team through our architecture in detail.