Grahm AI was built from the ground up with a zero-retention AI pipeline, row-level database isolation, and end-to-end encryption. Here's exactly how your data stays protected.
Security isn't a feature we bolt on — it's the architectural foundation that every line of code is built upon. Every design decision at Grahm AI is filtered through three non-negotiable principles:
Your ticket content, SOP prompts, and generated outputs are never stored by the AI model. Data flows through and is immediately discarded.
Every database query is enforced at the row level. Users can only ever see and access their own organization's data — period.
All data is encrypted in transit via TLS 1.2+ and at rest via AES-256. No unencrypted data ever touches disk or wire.
This is the question most teams ask first: "When I send ticket data through AI to generate SOPs, where does that data go?" The answer is simple — nowhere. Here's the exact flow:
When you click "Convert to SOP" on a resolved ticket, the ticket content is sent to a secure Supabase Edge Function (our ai-proxy) that acts as a controlled gateway. This function packages the request and forwards it to the OpenAI API for processing.
Critically, OpenAI does not store, log, or train on data sent through their API. Under OpenAI's API data usage policy, inputs and outputs sent through their API endpoints are not used to train models and are not retained beyond the immediate request lifecycle. Once the AI returns the generated SOP, the original input payload is gone — it exists only in volatile memory for the duration of that single function execution.
The only thing that persists is the final generated SOP, which is saved to your secured database under your account — exactly as you'd expect. The raw prompt, the ticket content sent to the AI, and all intermediate processing data are never written to disk, never logged, and never stored in any database or file system.
If someone were to gain access to our AI processing layer, they would find nothing. There are no stored prompts, no cached inputs, no historical logs of what was sent. The Edge Function is stateless — it processes and forgets.
Grahm AI's backend runs on Supabase — an enterprise-grade platform built on PostgreSQL, one of the most battle-tested and security-audited database systems in the world. But we don't just rely on defaults. Here's how every layer is locked down:
Every single table in our database enforces PostgreSQL Row-Level Security policies. This means even if a query is somehow crafted to access another user's data, the database engine itself blocks it at the row level. It's not application logic — it's enforced by the database kernel.
All AI processing runs inside Supabase Edge Functions — isolated Deno runtime environments deployed globally on the edge. Each function invocation is sandboxed, stateless, and terminates after execution. No shared state, no persisted memory between calls.
User authentication is handled by Supabase Auth with JWT token verification on every request. Tokens are short-lived, signed, and validated server-side before any data access is permitted. No session data is stored client-side beyond the encrypted token.
TLS 1.2+ encrypts all data in transit between browser, Edge Functions, and API. PostgreSQL encrypts all data at rest using AES-256. Database backups are also encrypted. Your data is never exposed in plaintext at any stage.
Transparency matters. Here's a straightforward breakdown of exactly what data lives in our system and what is never retained:
| Data Type | Stored? | Details |
|---|---|---|
| Your Tickets & SOPs | Yes | Stored in your isolated database rows, protected by RLS. This is your data. |
| Account & Auth Info | Yes | Email, hashed password, subscription tier. Standard for account management. |
| Ticket Embeddings | Yes | Numerical vectors for semantic clustering. Not human-readable; cannot be reversed into original text. |
| AI Prompts & Inputs | Never | Raw text sent to the AI model is never written to any database, log, or file system. |
| AI Model Training Data | Never | Your data is never used to train or fine-tune any AI model. OpenAI API policy prohibits this. |
| Intermediate Processing | Never | Temporary data in Edge Functions exists only in volatile memory and is discarded on completion. |
| Third-Party Sharing | Never | Your data is never sold, shared with, or accessible to any third party. |
Grahm AI uses vector embeddings (via pgvector) to intelligently detect similar tickets and suggest SOP merges. Here's why this is safe:
When a ticket is created, its text content is converted into a high-dimensional numerical vector (a list of numbers). This vector captures the semantic meaning of the ticket — not the literal words. These vectors are:
[0.0234, -0.0891, 0.0412, ...]) with no inherent meaning outside the similarity model.No. Vector embeddings are lossy mathematical projections. Converting text to an embedding discards the specific wording and structure. It's analogous to reducing a photograph to a color histogram — you can compare color distributions, but you can't reconstruct the image.
Every data access in Grahm AI goes through multiple layers of validation:
user_id matches the row's owner. This is enforced at the PostgreSQL level, meaning not even our own application code can bypass it.ai-proxy and all other Edge Functions validate the user's JWT and subscription tier before processing any request. Unauthorized or unpaid requests are blocked before they reach the AI.Grahm AI supports integrations with Slack, Microsoft Teams, Discord, and custom webhook endpoints. Here's how we keep those channels safe:
Grahm AI runs on infrastructure trusted by millions of production applications worldwide:
Frontend hosting and serverless functions on Vercel's global edge network. SOC 2 Type II compliant. Automatic HTTPS. DDoS protection included. All deployments are immutable and auditable.
Database, auth, and edge functions on Supabase's managed PostgreSQL infrastructure. SOC 2 Type II compliant. Data encrypted at rest (AES-256) and in transit (TLS 1.2+). Automated daily backups with point-in-time recovery.
AI processing via OpenAI's enterprise API tier. SOC 2 compliant. API data is not used for model training. Zero data retention on API inputs. Requests are encrypted in transit.
Payment processing via Stripe. PCI DSS Level 1 certified — the highest level of payment security certification. Grahm AI never sees, stores, or processes raw credit card numbers.
Your ticket data flows through AI and is immediately discarded. It's never stored by the AI provider, never used for model training, and never logged anywhere in our infrastructure. The only data that persists is what you explicitly create and own — your tickets, your SOPs, and your account information — all protected by row-level database isolation, end-to-end encryption, and enterprise-grade hosting.
Grahm AI was designed for IT teams who handle sensitive operational data every day. We built the security model that we would demand as customers ourselves: transparent, provable, and zero-trust by default.