Data Security, Privacy & Trust Overview

Effective Date: January 14, 2026

At Smart, security, privacy, and trust are foundational. We work with sensitive business data, and our platform is designed to minimize data exposure while maintaining transparency, auditability, and user control.

This document explains how Smart accesses, processes, protects, and retains data when you use our services.

1. Scope & Applicability

This policy applies to all users of the Smart platform and governs the handling of data accessed or processed through Smart, including database connections, file uploads, and third-party integrations.

This document is intended to complement contractual agreements and does not replace customer-specific Data Processing Agreements (DPAs) where applicable.

2. Core Principles

Smart is built around the following core principles:

• Least Data Access
  Smart accesses only the minimum amount of data required to answer a specific user request.
  
  
• No Unnecessary Storage
  Customer business data is not persistently stored or replicated by Smart.
  
  
• User Visibility & Control
  Users retain visibility into how results are generated and control which data sources are connected and analyzed.
  
  

These principles guide every aspect of our system design and operations.

3. Data Classification

Smart may process the following categories of data:

• Customer Business Data
  Structured data stored in customer databases or files, accessed solely to perform user-initiated analyses.
  
  
• Configuration & Metadata
  Connection settings, schema mappings, and technical metadata required to operate the service.
  
  
• User Interaction Data
  User prompts, filters, and feedback submitted through the Smart interface.
  
  

Smart does not intentionally process personal data beyond what is present in customer-provided sources.

4. Data Handling & Processing

Least-Data Principle

For each query, Smart processes only the minimum information required to generate an answer. This may include:

• Database or file schema metadata and definitions
  
  
• Limited data samples (up to 10 rows per column) strictly for query disambiguation
  
  
• User-provided inputs such as questions and filters
  
  

Smart does not ingest or copy full tables unless explicitly required to perform an analysis initiated by the user.

In-Memory Processing

• Query data is processed in memory
  
  
• Data is not written to disk as part of query execution
  
  
• Smart does not maintain a persistent copy of customer databases or spreadsheet contents
  
  

5. Data Storage & Retention

• Smart does not store customer business data or query results beyond what is required to operate the service
  
  
• Configuration data (e.g., connection settings, schema mappings) may be retained to support continued use
  
  
• Customer data is not used to train foundation models unless explicitly agreed in writing
  
  

Retention & Deletion

Customer configuration and metadata are retained only as long as necessary to provide the service.
Upon termination of service or disconnection of a data source, retained configuration data can be deleted upon request.

6. Encryption & Security Controls

Smart applies industry-standard security controls, including:

• Encryption in transit using TLS
  
  
• Encryption at rest at the infrastructure or database layer
  
  
• Isolated customer environments to prevent cross-customer access
  
  

Access to systems is restricted based on role and operational need.

7. Regional Data Isolation & Deployment

• Each customer operates in a dedicated, isolated environment
  
  
• Regional deployment options are available (e.g., EU-based deployment for GDPR considerations)
  
  
• Customers are responsible for selecting a deployment region aligned with their regulatory obligations
  
  

8. Onboarding & Data Preparation

Smart uses a lightweight onboarding approach:

• Direct connections to databases or file sources
  
  
• Automated schema mapping
  
  
• Optional use of existing table documentation
  
  

No additional data restructuring or manual preparation is required.

9. Auditability & Transparency

SQL Visibility

Users can inspect SQL queries generated by Smart at any time.

Reasoning Traceability

Where applicable, Smart surfaces the execution logic used to generate outputs, enabling users to validate and audit results before acting on them.

These features are designed to support trust, accountability, and informed decision-making.

10. Subprocessors

Smart may engage trusted subprocessors to operate and maintain the service, such as cloud infrastructure providers and AI service providers.

All subprocessors are subject to contractual confidentiality, security, and data protection obligations consistent with this policy.
A list of subprocessors can be provided upon request.

11. Security Incident Management

Smart maintains procedures to detect, respond to, and remediate security incidents.

In the event of a confirmed data security incident affecting customer data, Smart will notify affected customers without undue delay and provide relevant information to support response and mitigation efforts.

12. User Responsibilities

Users are responsible for:

• The accuracy and legality of data they provide
  
  
• Reviewing outputs before using them for business or operational decisions
  
  
• Ensuring internal compliance with applicable laws and policies
  
  

Smart provides analytical assistance and decision support, not professional advice.

13. Google User Data Disclosure (OAuth Compliance)

Data Accessed

When connecting Google services (e.g., Google Sheets), Smart may access:

• Spreadsheet metadata (file name, structure)
  
  
• Spreadsheet contents explicitly selected by the user
  
  
• Account identifiers required for authentication
  
  

Smart does not access Google Drive files unless explicitly authorized by the user.

Data Usage

Google user data is used solely to provide the Smart service, including:

• Reading spreadsheet structure and contents
  
  
• Generating analytical outputs such as tables and charts
  
  
• Enabling interactive analysis based on user input
  
  

Google user data is not used for advertising, profiling, or marketing.

Data Sharing

Smart does not sell or share Google user data.

Google user data may be processed by:

• Smart’s infrastructure providers, strictly to operate the service
  
  
• AI service providers used to generate analytical outputs, under contractual confidentiality obligations
  
  

Data Protection & Retention

• Google user data is processed in memory where possible
  
  
• Data is encrypted in transit using TLS
  
  
• Smart does not maintain a persistent copy beyond what is required to deliver the service
  
  

Users may revoke access at any time. Upon revocation or deletion request, retained Google user data under Smart’s control is removed.

No Training Commitment

Smart does not use Google user data to train foundation models unless explicitly agreed in writing.

14. Policy Updates

Smart may update this policy from time to time to reflect product changes, regulatory requirements, or security improvements.
Material changes will be communicated through appropriate channels.

15. Contact & Additional Requirements

If your organization has specific security, privacy, or compliance requirements, please contact us.
We are committed to working with customers to meet enterprise expectations as we scale together.