Security

How we protect your research data

Soak processes qualitative research data -- interview transcripts, focus group recordings, field notes. This is often sensitive material about real people. We've designed the system with that in mind.

Where your data lives

By default, everything stays in the EU. Your documents, analysis results, and embeddings are stored on OVHcloud infrastructure in France. OVHcloud acts as a data processor under GDPR. When we send text to language models for analysis, we use Azure OpenAI's EU endpoints.

If you bring your own API key, you control where that processing happens.

What we send to language models

When you run an analysis, we send your transcript text to Azure OpenAI (or your own provider if using BYOK). The model processes it and returns themes, codes, and quotes. We don't send your account details, filenames, or metadata -- just the text being analysed.

Azure OpenAI does not use your data to train models. Neither do we.

Your API keys

If you provide your own key, we encrypt it before storing it. It's decrypted only when making API calls on your behalf, and never appears in logs.

Who can see your data

Only you, unless you explicitly share. Sharing is opt-in and per-analysis or project -- you choose who gets access and can revoke it anytime. Our team doesn't access your research data unless you ask us to help debug something and share access.

Encryption

All connections use TLS. Stored data is encrypted at rest via OVHcloud's infrastructure. We don't implement custom encryption layers -- we rely on well-tested provider defaults.

If something goes wrong

If we discover a breach affecting your data, we'll notify you within 48 hours with what happened, what was affected, and what we're doing about it.

What we don't do

  • We don't sell or share your data with third parties
  • We don't use your transcripts to train models
  • We don't retain data after you delete it (beyond short backup windows)
  • We don't log the content of your analyses

Subprocessors

We use a small number of third-party services which are required to run Soak. See the full list.

Questions

If you have specific security requirements or need documentation for ethics approval, get in touch: [EMAIL]