Security

Last updated June 18, 2026

Keeping your engineering data secure is core to how we build Design IQ. This page outlines our approach for the web application.

For security questions, email lex@designiq.app. To request the full IT/security review document or schedule a pre-deployment call, see Full security review document below.

Data storage & access

Design IQ is a web application. Documents you upload are stored in encrypted cloud object storage, scoped to your organization. Project folders, workflows, review results, and metadata are stored in our application database — every record is tied to an organizationId and only accessible to members of that organization.

API routes authenticate via Clerk and re-resolve your active organization before reading or writing data. Cross-tenant access is blocked at the application layer; there is no shared document pool across customers.

Deleting a document or project removes it from your workspace. Enterprise plans can configure custom data retention policies.

What leaves your browser

All traffic between your browser and Design IQ uses HTTPS. When you upload a file, your browser receives a short-lived presigned URL and sends the file directly to our object storage — the upload does not pass through a third-party file host.

When you run a review or chat, document content and checklist context are sent to the Design IQ backend, which forwards processing to our AI pipeline. Results are written back to your organization's workspace. No AI API keys are stored in the browser.

AI model training

Google's Service Specific Terms for the Gemini Enterprise Agent Platform commit to not using customer data to train or fine-tune AI/ML models without prior permission. This applies to Google's own Gemini models and to partner models served through the platform (Anthropic Claude, Meta Llama, Mistral). Your prompts and responses are not shared with the model publishers.

By default, Google's Gemini models cache inputs and outputs in-memory only (not at rest), isolated per Google Cloud project, with a 24-hour TTL. Caching can be disabled at the project level for customers requiring formal zero-data-retention posture.

Authentication

Sign-in is managed by Clerk. The web app uses standard session-based authentication — you sign in through your browser and access your organization's workspace from any device.

No AI API keys live in the browser. All AI traffic flows through the Design IQ backend, which holds service credentials server-side and never exposes them to the client.

Sub-processors

Design IQ uses the following sub-processors to operate the web app:

  • Amazon Web Services (S3) — document storage. Receives uploaded engineering files, scoped per organization.
  • MongoDB — application data (projects, workflows, review results, metadata).
  • Modal — AI review and document processing. Receives document content and checklist context for active reviews.
  • Google — Gemini Enterprise Agent Platform (model serving). Receives prompts and document content sent for review or chat.
  • Clerk — authentication. Receives email and standard auth flow data.

Infrastructure & hosting

The Design IQ web app is served over HTTPS from managed cloud infrastructure. Object storage and the application database run in SOC 2 Type II–aligned cloud environments with encryption at rest and in transit.

AI processing runs in isolated compute environments scoped to each review job. Server-side credentials are stored as environment secrets and are not accessible from the browser.

Vulnerability disclosures

Email security reports to lex@designiq.app with “Security” in the subject line. Acknowledgment within 1 business day. Design IQ will not pursue legal action against researchers who report vulnerabilities in good faith and follow coordinated disclosure.

Full security review document

For IT and security teams evaluating a deployment, we maintain a detailed reference covering architecture, network endpoints, filesystem boundary enforcement, sub-processor contracts, vulnerability management, and incident response. Email lex@designiq.app or book a review call to request it.