Security is an architecture decision.
Unhold was designed for teams whose documents must not leak — healthcare, maritime, finance, legal. Here is how that shapes the product, plainly.
The hosted service
- Encryption in transit for every connection — widget, dashboard, apps, and internal services.
- Tenant isolation: your knowledge base and conversations are segregated from every other customer’s.
- Least-privilege access: production access is role-based, limited to the people who operate the service, and logged.
- Environment separation between development and production — real customer data does not float into test systems.
Self-hosting: the strongest guarantee
For teams where “trust us” isn’t an acceptable answer, self-hosted Unhold removes the trust question entirely. One Docker deployment inside your own perimeter — AWS, Azure, GCP, or bare metal — and the model weights, knowledge base, and every conversation stay on your hardware.
- Zero egress: no telemetry, no call-home, no analytics leaving your network.
- Not even us: we cannot see your content, because it never reaches us.
- Your rules: retention, role-based access, backups, and audits run on your terms, with your tools.
How we handle data
- No training on your content. Documents and conversations are used to answer your customers — nothing else.
- A fully visible knowledge base: every fact the agent learned can be inspected, edited, or deleted, and changes apply immediately.
- Retention you control for conversation data, and defined deletion windows for everything else — see the Privacy Policy.
Compliance posture
We’d rather be precise than impressive, so here is the honest state of things during early access:
- GDPR and India’s DPDP Act 2023: our processing, DPA, and transfer safeguards (Standard Contractual Clauses) are built around them today.
- SOC 2 Type II and ISO 27001: on our certification roadmap toward launch — controls are being built to those standards, but we do not yet hold the certificates and won’t claim them until an auditor says so.
- HIPAA: the self-hosted deployment pattern is how careful healthcare teams run Unhold — PHI never leaves their perimeter. We do not yet offer a BAA for the hosted service.
Reporting a vulnerability
If you find a security issue, we want to know before anyone else does. Email support@unhold.chat with the subject “[SECURITY]” and enough detail to reproduce. We acknowledge within two business days, keep you posted while we fix it, and credit you if you’d like. Good-faith research that avoids harming users and data is welcome — we will not pursue action against it. There is no bounty program yet.
Questions we haven’t answered here
Security reviews and questionnaires are part of how we onboard early-access teams — and we’ll go as deep as you need.