Security & Trust

Built for confidential strategic work.

ChatDatak handles broadcaster studies, proprietary audience research, internal strategy memos, and competitive intelligence. The point of this page is honesty: what we actually do to keep that data safe — described in concrete terms, not slogans.

Your files are encrypted

All uploaded files, extracted markdown, conversation messages, and database records are encrypted at rest with AES-256 (Supabase-managed Postgres and Storage). All traffic to and from ChatDatak — and between ChatDatak and its sub-processors — is encrypted in transit with TLS 1.2 or higher. HSTS is enforced site-wide.

Your workspace is private

Tenant isolation is enforced at the database layer via Postgres Row Level Security (RLS), not just the application. Every document, chunk, conversation, and embedding row carries a workspace_id and is filtered by policy before it ever leaves the database. Vector embeddings are stored in dedicated per-workspace Pinecone namespaces.

LLMs don't train on your data

ChatDatak uses the OpenAI and Anthropic APIs. Under both providers' API terms, API content is not used to train models. We do not enable any data-sharing or store flags. We do not sell, broker, or repurpose your content. The full list of sub-processors is published below.

You own your data

When you delete a document, the Postgres row, every chunk, the raw file in Storage, the parsed-markdown cache, and the Pinecone vectors are all removed in the same operation. In-flight parsing jobs are cancelled. Workspace deletion drops the entire Pinecone namespace. Account deletion is available on request.

Encryption

At rest
AES-256 for Postgres (managed by Supabase) and AES-256 for Storage object buckets. Encryption keys are managed by Supabase and rotated according to their key-management policy.
In transit
TLS 1.2+ for all browser ↔ server, server ↔ Supabase, and server ↔ AI provider traffic. HSTS with a two-year max-age, includeSubDomains, and preload.
Application-layer secrets
The MediaDatak integration token is encrypted with pgcrypto symmetric encryption (pgp_sym_encrypt) inside the database itself — even a database leak does not expose it without the separately-stored key.
Webhook authentication
Internal ingestion webhooks are signed with HMAC-SHA256 using a per-environment secret.

Access control

Tenant model
Organization → workspace → role. A user can only see documents, conversations, and embeddings belonging to a workspace they are a member of.
Database-enforced isolation
Postgres Row Level Security is the primary boundary. Application code adds workspace filters as defense-in-depth; the database catches the mistake when a developer forgets.
Direct chunk access locked
Document chunks cannot be read directly via the database API — retrieval happens through server-side RPCs scoped to the caller's workspace.
Public endpoints
Public endpoints (e.g. the NYC Audience Twin demo) are per-IP rate-limited at the database level via an atomic check-and-increment RPC.
Super-admin
Super-admin access is restricted to a small set of Zniber Media operators, gated by an explicit profile flag and not granted by default to any account. Sensitive super-admin actions (token rotation, document upload as MediaDatak research) are written to the activity log.
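An added sketch of the isolation pattern described under "Database-enforced isolation" and "Direct chunk access locked", written for Supabase Postgres; it is not ChatDatak's own schema. Only workspace_documents and workspace_id appear on this page; every other table, function and policy name is hypothetical.

```sql
-- Added example. Only workspace_documents and workspace_id come from the page;
-- every other table, function and policy name here is hypothetical.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);
create table workspace_documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null
);
create table document_chunks (
  id           bigint generated always as identity primary key,
  document_id  uuid not null references workspace_documents(id) on delete cascade,
  workspace_id uuid not null,
  content      text not null
);

-- The membership table is locked too: RLS with no policy denies API roles,
-- while the security-definer functions below (run as the owner) can read it.
alter table workspace_members enable row level security;

-- Membership test shared by the policy and the RPC. auth.uid() is Supabase's
-- helper that returns the user id from the caller's verified JWT.
create function is_workspace_member(ws uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from workspace_members m
                 where m.workspace_id = ws and m.user_id = auth.uid());
$$;

-- Rows are filtered inside the database even when application code
-- forgets its own workspace filter.
alter table workspace_documents enable row level security;
create policy documents_member_read on workspace_documents
  for select to authenticated
  using (is_workspace_member(workspace_id));

-- Chunks: RLS with no policy plus revoked grants means no direct reads.
alter table document_chunks enable row level security;
revoke all on document_chunks from anon, authenticated;

-- The only read path: runs as the function owner and checks membership itself.
create function get_document_chunks(doc uuid) returns setof document_chunks
language sql stable security definer set search_path = public as $$
  select c.* from document_chunks c
  where c.document_id = doc and is_workspace_member(c.workspace_id);
$$;
revoke execute on function get_document_chunks(uuid) from public;
grant  execute on function get_document_chunks(uuid) to authenticated;
```

A quick check for this pattern is to query document_chunks directly as an authenticated user in one workspace and confirm the result is an error or empty, then call the RPC with a document id from another workspace and confirm it returns zero rows.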
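An added sketch of an atomic per-IP check-and-increment of the kind described under "Public endpoints"; it is not ChatDatak's own function. The table name, function name, parameters and fixed-window scheme are assumptions.

```sql
-- Added example with hypothetical names. One row per (ip, time window).
create table public_rate_limits (
  ip           inet        not null,
  window_start timestamptz not null,
  hits         integer     not null default 1,
  primary key (ip, window_start)
);
-- No policy: API roles cannot read or edit counters directly.
alter table public_rate_limits enable row level security;

-- Returns true while the caller is within the limit for the current window.
-- INSERT ... ON CONFLICT DO UPDATE is a single statement that locks the row,
-- so two concurrent requests cannot both read the same count and both pass,
-- which is the race a separate SELECT followed by UPDATE would allow.
create function check_rate_limit(caller_ip inet, max_hits integer, window_secs integer)
returns boolean
language plpgsql security definer set search_path = public as $$
declare
  -- Start of the fixed window that contains now().
  bucket timestamptz :=
    to_timestamp(floor(extract(epoch from now()) / window_secs) * window_secs);
  n integer;
begin
  insert into public_rate_limits as r (ip, window_start)
  values (caller_ip, bucket)
  on conflict (ip, window_start) do update set hits = r.hits + 1
  returning r.hits into n;
  return n <= max_hits;
end;
$$;

-- Only the trusted server role should call this, passing the address it
-- observed on the connection. service_role is Supabase's server-side role.
revoke execute on function check_rate_limit(inet, integer, integer) from public;
grant  execute on function check_rate_limit(inet, integer, integer) to service_role;
```

Rows for past windows are never touched again, so a scheduled delete of old window_start values keeps the table small.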

Sub-processors

The complete, current list. We update it in the same change that introduces a new vendor.

  • Supabase, EU (Frankfurt, eu-central-1)
    Postgres database, object storage, authentication, edge functions
  • Netlify, EU (Frankfurt)
    Application hosting and serverless functions
  • OpenAI API
    Chat completion (gpt-4o-mini) and embeddings (text-embedding-3-small). No training on API data.
  • Anthropic API
    Chat completion on higher-tier models. No training on API data.
  • Pinecone
    Per-workspace vector embedding storage. Embeddings only — no raw chunk text is sent.
  • LlamaParse
    PDF-to-markdown parsing during ingestion. Soft spot: uploaded files transit through this service; we cancel and clean up job state on document deletion.
  • Google Workspace SMTP
    Transactional email (invitations, document-ready notifications)

ChatDatak ships no third-party analytics — no Google Analytics, no Mixpanel, no Segment, no behavioural tracking. Your activity in the product is not sold or shared.

Deletion behavior

When you delete a document, all of the following happen in the same operation:

  • The workspace_documents row is removed (chunks cascade via foreign key).
  • The raw file is removed from the raw-documents Storage bucket.
  • The parsed-markdown cache for that document is removed.
  • Every embedding vector for the document is removed from the workspace's Pinecone namespace.
  • Any in-flight LlamaParse parsing job is cancelled.
  • The deletion is recorded in activity_logs.

Workspace and account deletion are available on request — write to security@znibermedia.com from the email on the account.

Reporting a vulnerability

If you believe you have found a security issue in ChatDatak, please report it to security@znibermedia.com. We acknowledge reports within one business day. We will not pursue researchers acting in good faith.

This page is honest by design — we publish what we actually do, nothing we don't. If a claim above stops being true, the copy gets updated before the release ships.