Security & Trust Centre

Your Data Is Safe.
Here's the Proof.

We understand that choosing an AI platform means trusting it with sensitive company information. This page answers every security question your legal, IT and HR teams might have.

ICO Registered: ZC107226
UK GDPR Compliant: Data Protection Act 2018
EU AI Act Compliant: High-Risk System Controls
AES-256 Encrypted: At rest & in transit
TLS 1.3: All communications
EU Data Residency: Google Cloud (Belgium)

The GoldenGuide Data Isolation Guarantee

Every company on GoldenGuide operates in a completely isolated environment. Your documents, your employees' conversations, your analytics — all locked inside your organisation's private vault. No other client can ever see, access, or influence your data. This is guaranteed at the architecture level, not just by policy.

Data Isolation & Multi-Tenancy

How your company data stays completely separated from all other clients

Critical: Can another company ever see my data?

Absolutely not. GoldenGuide uses a strict hard multi-tenancy architecture. Every company (tenant) is assigned a unique cryptographic identifier at the time of account creation. All data (documents, conversations, user records, analytics) is tagged with this identifier at every single layer of the stack. It is architecturally impossible for one tenant to query or access another tenant's data.

Are databases shared between companies?

The relational database (PostgreSQL) uses Row-Level Security (RLS), an enterprise-grade feature that enforces a policy at the database engine level: every read and write automatically filters by tenant_id. Even if a bug existed in our application code, the database itself would block cross-tenant access. The vector database (Pinecone) uses dedicated namespaces per tenant: each company's AI knowledge base is stored in a completely separate namespace that cannot be queried without the correct tenant context.

What is a "namespace" and why does it matter?

When you upload documents, they are converted into AI-readable vectors and stored in your company's dedicated namespace inside the vector database. Think of it as a private vault inside a larger building. Every AI query from your employees searches only inside your vault — the contents of other companies' vaults are never touched, never visible, never mixed.

If two companies use the same AI model, does one's data train the other?

No. GoldenGuide uses Google Gemini 1.5 Flash as the language model, but only for inference (generating answers). Your documents are never sent to Google for training purposes. The AI answers questions using only the text retrieved from your own document vault. No cross-company learning occurs at any point.

What happens to my data if I cancel my subscription?

Upon contract termination, you have a 30-day window to export all your data (documents, conversation history, analytics reports) via our self-service export tools. After this period, all your data is permanently and irreversibly deleted from all our systems — including backups — in compliance with UK GDPR Article 17 (Right to Erasure). You will receive a signed deletion certificate upon request.

Encryption & Data Protection

How your data is protected at rest and in transit

Verified: Is my data encrypted?

Yes, at every level. Data in transit is protected with TLS 1.3 — the latest and most secure transport protocol, used by major banks and governments. Data at rest (stored documents, database records, backups) is encrypted with AES-256, the same standard used by the US National Security Agency for top-secret information.

Who holds the encryption keys?

GoldenGuide manages encryption keys through Google Cloud Key Management Service (Cloud KMS), a hardware-backed key management system. Keys are rotated automatically on a regular schedule. No individual engineer at GoldenGuide has unilateral access to your decrypted data — key access requires multi-party authorization and is fully audited.

Are uploaded documents encrypted?

Yes. Original uploaded files (PDFs, DOCX, etc.) are stored in Google Cloud Storage with server-side AES-256 encryption. Access to any file requires a short-lived signed URL that expires within minutes, preventing link sharing or unauthorized access even if a URL were somehow exposed.

Is the connection to the API encrypted?

Every API call — from the web application, from the Slack bot, from the Microsoft Teams integration, from any client — travels over HTTPS/TLS 1.3. We enforce HSTS (HTTP Strict Transport Security) with a long max-age, meaning browsers will never allow unencrypted connections to our domain. Certificate pinning is applied on mobile-facing endpoints.

Access Control & Authentication

Who can access what, and how we verify identity

Technical: How do employees authenticate?

GoldenGuide uses JSON Web Tokens (JWT) signed with HS256, with short expiry windows (30 minutes for access tokens, 7 days for refresh tokens). Tokens are validated on every single API request — there is no session state stored on the server. This means even a stolen token becomes useless after expiry without the refresh token.
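
The per-request check described above, as an added example that is not GoldenGuide's own code: an HS256 token is verified with a pinned algorithm, a constant-time signature comparison and an expiry check. The claim names (sub, tenant_id), the is_active callback and the helper names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

ACCESS_TTL = 30 * 60  # 30-minute access tokens, as stated above

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(secret: bytes, sub: str, tenant_id: str, now: int) -> str:
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "tenant_id": tenant_id, "iat": now, "exp": now + ACCESS_TTL}
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{b64e(sign(secret, header + '.' + body))}"

def verify(secret: bytes, token: str, now: int, is_active) -> dict:
    """Return the claims or raise ValueError; runs on every request."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        sig = b64d(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; the token header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, sign(secret, f"{header_b64}.{body_b64}")):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    # Assumption: account status is read per request (account state, not
    # session state), so deactivation takes effect before the token expires.
    if not is_active(claims["tenant_id"], claims["sub"]):
        raise ValueError("account deactivated")
    return claims
```

Because HS256 is symmetric, every service that can verify a token with this secret can also mint one, so the secret needs the same protection as a signing key.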

What access roles exist and what can each role do?

GoldenGuide implements Role-Based Access Control (RBAC) with three roles per organisation:

Employee — Can ask questions via chat, Slack or WhatsApp. Sees only answers and their own conversation history. Cannot access any documents directly.
HR Admin — Can upload and manage documents, view team analytics, manage users within their organisation. Cannot see other organisations.
Super Admin — GoldenGuide platform administrators only. Have monitoring access for operational purposes. Cannot read the content of your documents.

Important: Can a GoldenGuide employee read my company's documents?

No. GoldenGuide operators (Super Admins) have access to platform-level metrics — uptime, error rates, usage counts — but cannot read the content of documents uploaded by your company. Document content access is restricted to the tenant namespace and requires a valid HR Admin token from within your organisation. All operator actions are logged in an immutable audit trail.

Can documents have different access levels within my organisation?

Yes. Each document can be assigned one of three access levels: Employee (all staff can retrieve answers from this document), Manager (only managers and above), or Confidential (HR Admins only). The AI query engine respects these access levels — an employee will never receive an answer sourced from a document they are not permitted to access.

What happens if an employee leaves the company?

HR Admins can deactivate or delete user accounts instantly from the Team Management panel. Deactivated accounts lose all API access immediately — active tokens are invalidated on the next request. The former employee's conversation history is retained for audit purposes (configurable) but is no longer accessible to them.

Regulatory Compliance

Our legal obligations and certifications

Certified: Is GoldenGuide GDPR compliant?

Yes, fully. GoldenGuide is registered with the UK Information Commissioner's Office (ICO) under registration number ZC107226. We have completed a Data Protection Impact Assessment (DPIA) and maintain a full Record of Processing Activities (RoPA). We support all data subject rights: access, rectification, erasure, portability and restriction of processing.

Does GoldenGuide comply with the EU AI Act?

Yes. We classify GoldenGuide as a High-Risk AI System under Annex III of the EU AI Act and have implemented all required controls: full audit logging retained for 10 years, mandatory AI disclosure to all users, human oversight mechanisms (the "Report Incorrect Answer" button), complete technical documentation, and an ongoing monitoring programme to detect performance drift.

Where is our data physically stored?

All primary data is stored in Google Cloud Platform data centres located in the European Union (Belgium, europe-west1). Backup replicas remain within the EEA. We do not transfer personal data outside the UK/EEA without appropriate safeguards (Standard Contractual Clauses). For UK-based clients, data residency is in the UK.

Who are GoldenGuide's sub-processors and are they compliant?

We use the following sub-processors, all with appropriate Data Processing Agreements in place:

Google Cloud Platform: Infrastructure, storage, AI (Gemini). Region: EU/UK
Pinecone: Vector database for AI search. Region: EU
Supabase / PostgreSQL: Relational database. Region: EU
Stripe: Payment processing (billing data only). Region: EU

Can we sign a Data Processing Agreement (DPA)?

Yes. A DPA is included as standard in all paid plans and is available upon request for trial accounts. Contact dpo@goldenpays.com. Our DPA covers all GDPR Article 28 requirements including sub-processor lists, data subject rights, breach notification timelines (72 hours), and security measures.

Infrastructure & Availability

Reliability, uptime and disaster recovery

What is your uptime guarantee?

GoldenGuide offers a 99.9% uptime SLA for all paid plans, equivalent to less than 9 hours of downtime per year. The platform runs on Google Cloud Run (serverless, auto-scaling), which automatically distributes load and restarts failed instances within seconds. Real-time status is available at status.goldenguide.ai.

How often is data backed up?

The PostgreSQL database is backed up continuously with point-in-time recovery (PITR) up to 7 days back, and full daily snapshots retained for 30 days. Google Cloud Storage (documents) uses multi-region redundancy — your files are replicated across at least two physically separate data centres. Backup restoration is tested monthly.

Policy: What happens in the event of a security breach?

We have a written Incident Response Plan tested quarterly. In the event of a confirmed breach affecting personal data: (1) We notify affected clients within 24 hours of confirmation. (2) We notify the ICO within 72 hours as required by UK GDPR Article 33. (3) We provide a full incident report within 14 days. (4) We implement remediation and share lessons learned. Clients can register for breach notification emails in their account settings.

Do you perform penetration testing?

Yes. GoldenGuide undergoes annual penetration testing conducted by an accredited third-party security firm. Additionally, our Slack and WhatsApp integrations are reviewed before each major release. We participate in responsible disclosure — if you find a security vulnerability, please report it to security@goldenpays.com and we will respond within 48 hours.

AI Transparency & Accuracy

How the AI works and what safeguards prevent wrong answers

Key Feature: Can the AI make up information (hallucination)?

GoldenGuide uses Retrieval-Augmented Generation (RAG), specifically designed to prevent hallucination. Before generating any answer, the system retrieves the most relevant passages from your uploaded documents. The AI is then instructed to answer only using that retrieved content. If no sufficiently relevant document is found, the system responds with "I don't have that information in the current knowledge base" rather than inventing an answer.

Does the AI always cite its sources?

Yes. Every answer includes the document name and page number from which the information was retrieved. Employees can click through to view the original source. This means managers can always verify the answer and employees have full transparency about where the information comes from.

What if the AI gives a wrong answer?

Every answer includes a "Report Incorrect Answer" button (required by the EU AI Act for high-risk AI systems). When an employee reports an answer, the HR Admin receives an alert and can update the relevant document. The system's confidence scores are logged and monitored — if a category of questions shows consistently low confidence, we flag it for HR Admin review.

Is it clear to employees they are talking to an AI?

Absolutely. UK GDPR and the EU AI Act require transparent AI disclosure. GoldenGuide displays a clear "AI-Powered" indicator on every interface — web chat, Slack, and WhatsApp. The system never impersonates a human. The first message in every conversation includes an explicit disclosure that the assistant is AI-powered.

Can employees use the AI to access information they should not see?

No. The document access level system (Employee / Manager / Confidential) is enforced at the retrieval layer — before the AI even sees the content. An employee-level user cannot retrieve confidential HR documents regardless of how they phrase their question. Access control is applied before content reaches the language model.
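
What enforcement at the retrieval layer looks like, as an added example that is not GoldenGuide's own code: chunks are filtered by tenant namespace and document access level before any prompt is assembled, and the fixed fallback is returned when nothing qualifies. The clearance mapping, the 0.75 relevance threshold, the tenant names and the sample index with its scores are constructed assumptions.

```python
from dataclasses import dataclass

# Document access levels named on this page, ordered by required clearance.
LEVELS = {"employee": 0, "manager": 1, "confidential": 2}
# Assumed mapping from a user's clearance to the highest level they may read.
CLEARANCE = {"employee": 0, "manager": 1, "hr_admin": 2}
FALLBACK = "I don't have that information in the current knowledge base"

@dataclass(frozen=True)
class Chunk:
    namespace: str   # tenant the chunk belongs to
    doc: str
    page: int
    level: str
    text: str
    score: float     # similarity to the query (constructed values here)

def retrieve(index, tenant, clearance, min_score=0.75, k=3):
    """Select chunks the caller may see; runs before any prompt is built."""
    allowed = CLEARANCE[clearance]  # unknown clearance raises KeyError: fail closed
    hits = [c for c in index
            if c.namespace == tenant
            and LEVELS[c.level] <= allowed
            and c.score >= min_score]
    return sorted(hits, key=lambda c: c.score, reverse=True)[:k]

def build_prompt(question, chunks):
    """Return the model prompt, or None when the fixed fallback must be sent."""
    if not chunks:
        return None
    context = "\n".join(f"[{c.doc} p.{c.page}] {c.text}" for c in chunks)
    return f"Answer only from the context.\n{context}\nQuestion: {question}"

def answer_input(index, tenant, clearance, question):
    prompt = build_prompt(question, retrieve(index, tenant, clearance))
    return prompt if prompt is not None else FALLBACK

# Constructed sample index: two tenants, three access levels.
INDEX = [
    Chunk("acme", "Handbook.pdf", 4, "employee", "Annual leave is 25 days.", 0.91),
    Chunk("acme", "Pay-bands.pdf", 2, "confidential", "Band C: 40-48k.", 0.93),
    Chunk("acme", "Managers.pdf", 7, "manager", "Approve leave within 5 days.", 0.80),
    Chunk("globex", "Handbook.pdf", 1, "employee", "Annual leave is 30 days.", 0.95),
]
```

The filter only holds if the tenant and clearance arguments come from the verified token rather than from anything in the question text.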

Still have security questions?

Our security and compliance team is available to answer any questions from your legal, IT or procurement teams. We can provide additional documentation, complete security questionnaires, or arrange a technical deep-dive call.

Security Enquiries: security@goldenpays.com
Data Protection Officer: dpo@goldenpays.com
Responsible Disclosure: Response within 48 hours