Security.
Your drawings are engineering property. They are encrypted, isolated from other customers, never used to train AI, and deleted on your instruction. Below is the full account of how the platform protects them, and what your security team needs to clear Tagsight as a vendor.
- Privacy regulations: PIPEDA · GDPR · CCPA
- Data processing agreement: GDPR Article 28
- International transfers: Standard Contractual Clauses
- Breach notification: Within 72 hours
- Customer data in AI training: Never
Controls.
Data protection
How your drawings are stored, isolated, and kept yours.
- Encrypted in transit and at rest, including database connections.
- Processed for extraction only, never used to train, fine-tune, or improve any model.
- Never shared between customer accounts.
- Exports contain your engineering data and nothing else.
- Remove the original drawing at any time and keep the extracted list.
Access and authentication
Who can reach your account, and how that access is controlled.
- Passwords hashed, never stored in plaintext.
- Two-factor authentication via authenticator app.
- Account lockout after repeated failed attempts.
- Short-lived sessions with automatic rotation, invalidated on password change.
- Single sign-on (SAML) and SCIM provisioning on Firm and Enterprise plans.
- Organization-enforced two-factor authentication from the Practice plan.
- IP allowlisting on Firm and Enterprise plans.
Privacy and your rights
Your control over your data, and the regulations we operate under.
- Compliant with PIPEDA, GDPR, and CCPA.
- Export all your data, or delete your account, from settings at any time.
- Data processed only for the purposes you authorize.
- Signed Data Processing Agreement under GDPR Article 28.
- Standard Contractual Clauses for international data transfers.
Monitoring and audit trail
A durable record of what happened, available to you.
- Tamper-evident history of every change to your account, drawings, billing, and security settings.
- The full history can be exported for your own audit.
- Extended audit-log retention on Firm and Enterprise plans.
- Structured logging with request correlation.
- Per-endpoint rate limiting across the API.
Reliability and infrastructure
Where the service runs, and how it stays available.
- Hosted on managed cloud infrastructure with automatic failover.
- HTTPS-only webhook delivery with network-level protections.
- Service-level availability commitment on Enterprise agreements.
- Data residency options on Enterprise.
Vendors and data processing
The third parties involved, and the terms that bind them.
- Sub-processors are vetted, contractually bound, and limited to necessary functions.
- Listed by category below; the full list sits in the DPA under confidentiality terms.
- 30 days' notice before a new sub-processor takes effect, with a right to object.
- Breach notification within 72 hours of confirmation.
- Data deleted or returned within 30 days of termination.
Where your file goes.
Every drawing follows the same path, from upload to deletion.
- Upload: Your file is encrypted in transit and at rest. No other user, and no Tagsight employee, can access it without your explicit support request.
- Processing: The file is read for extraction in an isolated environment. Sub-processors are listed in the DPA under signed confidentiality terms. Never shared between customer accounts, never used to train AI models.
- After extraction: Files stay attached to your project. Review and export run against the same project record.
- On delete: Delete a project and it moves to trash, then is permanently purged after the retention window along with its files, extraction results, annotations, and exports. You can remove the original drawing immediately at any point, keeping only the extracted data.
- Never: Never accessed by Tagsight staff unless you explicitly request support.
Sub-processors.
The categories of third parties involved in delivering the service. The named list, under signed confidentiality terms, is in the DPA.
| Category | Function |
|---|---|
| Cloud hosting | Application hosting, database, and file storage. |
| Payment processor | Billing and subscriptions. Processes card data directly; Tagsight never receives card numbers. |
| Email delivery | Transactional and notification email. |
| AI processing | Document analysis for extraction, contractually prohibited from training on your content. |
| CDN and security | Content delivery, DDoS protection, and DNS. |
For your security review.
What a procurement or security team needs to clear Tagsight as a vendor, ready on request.
Available on request
- Signed Data Processing Agreement, GDPR Article 28
- Sub-processor list under confidentiality terms
- Completed CAIQ and SIG Lite security questionnaires
- Security posture documentation
- Standard Contractual Clauses for international transfers
Organization controls
- Single sign-on (SAML) and SCIM provisioning
- Organization-enforced two-factor authentication
- IP allowlisting
- Extended, tamper-evident audit-log retention
- Data residency options
- Service-level availability commitment
Working under NDA.
Drawings are processed in isolated environments, never shared between users, never used for AI training. If your project requires a data processing agreement or a non-disclosure agreement, the signed templates are ready on request.