Security, Privacy, and Compliance – EBM Smith Support

Understand the enterprise-grade security, privacy, and compliance that protect your data in Smith. This article covers data ownership and storage, encryption, access controls, certifications, workspace permissions, and answers to common security questions from IT, legal, and compliance teams.

SETTINGS AND SECURITY

Security, Privacy & Compliance

Enterprise-grade protection for your data

Data Security & Privacy

Smith is built with enterprise-grade security at its core. Your data protection is not an afterthought. It is a fundamental design principle that guides every aspect of how Smith handles your information.

🔐

Persistent Storage

Files remain in your workspace until you delete them

🔒

Instance Isolation

Your data is logically separated from other organizations

👥

User-Level Access

Only authorized users can access workspace content

Data Ownership & Control

You retain complete ownership of all content, documents, and data you upload to Smith. EBM Software acts solely as a processor to help you interact with your data through AI capabilities. Your intellectual property rights remain entirely with you.

Data Storage & Isolation

Your uploaded files are securely stored in your dedicated workspace environment managed through EBM's Ontario platform. Each workspace is isolated within your specific instance, ensuring that your document collection remains private and accessible only to authorized users within your organization.

Smith's security architecture is designed to eliminate the primary risk hindering enterprise AI adoption: data security. Unlike consumer-grade AI tools that may use your data for model training, Smith routes all queries through a single, governed gateway to top-tier enterprise models via end-to-end encrypted APIs. This architecture formally and technically ensures your proprietary prompts and corporate data are never used for model training, safeguarding your intellectual property.

Enterprise-Grade Infrastructure

Smith is built on Microsoft Azure's enterprise infrastructure, providing multiple layers of security and compliance:

🏢

Azure Cloud Platform

Hosted on Microsoft Azure (East US and East US 2 regions), keeping all data within the United States with enterprise-grade reliability and availability

🔐

Zero Training Policy

Your data is never used to train the underlying AI models from their providers

🛡️

Private Instances

For highest security requirements, physically segregated instances provide complete data isolation

✓

Certified Compliance

ISO 27001:2022 and SOC 2 Type II certified for information security management

Encryption Standards

All data is protected using industry-standard encryption protocols:

🔐

Encryption in Transit

All data transmitted between your browser and Smith's servers uses TLS/SSL protocols to prevent interception

🔒

Encryption at Rest

Files stored in the workspace database are encrypted using AES-256 encryption, ensuring they remain secure in storage

Data Usage & Training

Smith uses your data strictly for retrieval-augmented generation (RAG) to provide context for answering your specific queries. Your data is never used to train the underlying AI models or shared with model providers to improve their base systems.

✓

Your Data Stays Yours: The AI models process your files temporarily to generate responses, but they do not retain, learn from, or incorporate your proprietary information into their training data. Your business intelligence remains confidential and contained within your instance.

Access Controls

EBM employees do not have access to your private workspace data or document contents. Access is strictly controlled through role-based permissions:

👤 User Access

Full access to their own workspace files and folders based on organizational permissions

🔧 System Maintenance

EBM technical staff can access system metadata for maintenance but cannot view document contents

🛟 Support Access

Support personnel can only access your data if you explicitly grant permission for troubleshooting purposes

Advanced Security Features

Smith incorporates sophisticated security measures designed specifically for enterprise AI deployment:

Intelligent Query Routing

Sophisticated semantic models understand the precise intent and context of your queries, routing them to the most appropriate AI model while maintaining security boundaries.

Knowledge Graph Grounding

Queries are grounded in your organization's internal knowledge graphs and verified data sources, dramatically reducing the risk of AI "hallucinations" and ensuring responses are based on factual information.

Multi-Model Validation

Responses from multiple leading AI models are compared against verified facts from your knowledge graph, providing cross-validation and reducing model-specific biases.

End-to-End Encryption

All communications with enterprise AI models use encrypted APIs, ensuring your queries and responses remain confidential throughout the entire processing pipeline.

Session & Usage Monitoring

Smith includes session management capabilities that allow administrators and users to track interaction history. You can review the specific queries and outputs generated during sessions, providing transparency and oversight of how the tool is utilized within your organization.

Why Smith is More Secure Than Consumer AI Tools

The distinction between consumer-grade AI tools and enterprise platforms like Smith is fundamental. Consumer services are designed for the general public and often treat user data as a resource for model improvement. Smith, by contrast, is architected around the principle of data protection:

Security Feature	Consumer AI Tools	Smith Enterprise
Data Used for Training	Yes, by default (opt-out required)	No, never (contractual guarantee)
Data Encryption	Basic transit encryption	AES-256 at rest, TLS/SSL in transit
Access Control	Basic user account	Role-based permissions, enterprise SSO
Network Isolation	Public internet only	Private Azure infrastructure
Compliance Certifications	Generally not applicable	ISO 27001:2022, SOC 2 Type II
Data Retention	Provider-controlled (often years)	Customer-controlled with audit trails
Cross-Customer Isolation	Shared infrastructure	Isolated instances, optional physical segregation
Data Residency	Variable / unspecified	US-only (Azure East US regions)

⚡

The Shadow AI Risk: When employees use consumer AI tools like public ChatGPT for work tasks, they inadvertently expose sensitive company data to systems designed to learn from that data. Smith eliminates this "Shadow AI" threat by providing a governed, enterprise-grade alternative that routes queries securely to leading AI models without sacrificing your data privacy.

Workspace Permissions

While individual user settings are personal, workspace access operates at the organizational level. Understanding how workspace permissions work helps ensure the right people have access to the right information.

"My Workspace" is unique to each user and is not shared between team members. Each person has their own isolated workspace for private files and folders. Shared organizational access, allowing multiple team members to query a common knowledge base, is on the product roadmap and will be introduced in a future release.

🔒

Private Folders

Accessible only to the user who created them. Files in private folders cannot be queried or viewed by other users.

COMING SOON

👥

Shared Folders

Designated at the folder level to allow multiple users access to the same content. Users will be able to query files in shared folders based on their access permissions.

🗂️

Shared Workspace Access (Coming Soon)

Team-level shared folder access is on the roadmap. When available, it will be governed by the same instance isolation, role-based permissions, and AES-256 encryption that protect individual workspaces today, so your organization's collective knowledge base will be just as secure as your personal files. Contact your EBM account representative for availability timelines.

ℹ️

Workspace Collaboration Today: While workspaces are currently personal, users can share access to the same underlying data source through the Ontario platform. This allows multiple team members to query and generate insights from a collective knowledge base while maintaining individual workspace organization. For more information on organizing your workspace, see the Organizing Your Work with Workspaces article.

Compliance & Governance

Smith is designed with enterprise security and data sovereignty in mind, addressing the needs of IT, Legal, and Compliance teams. Our platform provides the contractual guarantees, technical controls, and compliance assurances necessary to protect corporate assets in regulated industries.

Current Certifications

Smith maintains industry-leading security certifications that demonstrate our commitment to information security:

🏆

ISO 27001:2022

Information Security Management System certification demonstrating a systematic, audited approach to managing sensitive company information. Recertified December 2025, valid through January 2029.

✓

SOC 2 Type II

Audited controls for Security, Availability, and Confidentiality of customer data over time

Compliance Framework

Smith's architecture supports secure enterprise environments where access control and data sovereignty are priorities:

🛡️

Data Isolation

Your data remains in your Ontario-connected workspace, separate from other organizations

🔍

Source Grounding

Responses can be restricted to verified internal documents through workspace file selection

👁️

Usage Tracking

Session history and usage monitoring provide visibility into how the tool is utilized

📋

Audit Capability

Chat history and file metadata support audit requirements for regulated industries

Decision Support, Not Decision Making

Smith is designed as an assistive tool to augment human intelligence, not replace it. The platform provides information retrieval, synthesis, and drafting assistance based on the data you provide. Final decision-making authority and liability rest with you as the user.

⚠️

Professional Review Required:

All critical outputs, especially those regarding legal, financial, or compliance matters, should be reviewed by a qualified professional before implementation. Smith provides intelligent assistance, but human expertise remains essential for high-stakes decisions.

Security Best Practices

While Smith provides robust security infrastructure, following these best practices helps ensure your data remains protected:

Tips for Keeping Your Account Secure

🔑Credential Management	Never share your login credentials. Each user should have their own account for accountability and audit purposes.
🔐Sensitive Data	Verify you have proper authorization before uploading confidential or regulated information to your workspace.
📁Folder Organization	Use private folders for sensitive personal files and shared folders only for content appropriate for team access.
🧹Regular Cleanup	Periodically review and delete outdated files and chat history to minimize your data footprint.
💾Export Important Work	Download critical analysis or responses to your local system for backup and version control.
✓Verify Permissions	Before uploading to shared folders, confirm the appropriate team members should have access to the content.

Common Security Questions

How long are my files stored in the workspace?

▶

Files remain in your workspace indefinitely until you manually delete them. Smith does not automatically remove uploaded content.

Can I see who has accessed my shared folders?

▶

File metadata includes upload and modification information. For detailed access logs and permissions management, contact your Smith administrator.

What happens if I reach the file size limit?

▶

Files larger than 25MB cannot be uploaded. Consider splitting large files into smaller sections or compressing them before upload.

How do I request support access to my workspace?

▶

Contact EBM support through the standard support channels. Support personnel will request explicit permission before accessing your data for troubleshooting.

Does Smith support Single Sign-On (SSO)?

▶

Yes. Smith supports SSO through Microsoft Entra B2B guest accounts, allowing your organization to authenticate users through your existing identity provider without separate credentials. This simplifies access management and keeps authentication within your existing IT governance framework. Contact your EBM account representative to configure SSO for your organization.

Does my data stay in the United States?

▶

Yes. All data is stored and processed exclusively within Microsoft Azure's East US and East US 2 regions. No data is transferred outside the United States as part of normal platform operations, making Smith well-suited for organizations with US data residency requirements.

Does EBM conduct regular penetration testing?

▶

Yes. EBM conducts penetration testing on a regular cadence to proactively identify and remediate vulnerabilities. The most recent test was completed in August 2025. Results are used to continuously harden the platform's security posture.

Does Smith have a disaster recovery plan?

▶

Yes. Disaster recovery planning is a formal component of EBM's ISO 27001:2022-certified Information Security Management System. Our policies cover business continuity, data backup, and recovery procedures to minimize service disruption and protect data integrity in the event of an incident. Specific RTO/RPO details are available to enterprise customers upon request.