Skip to main content

Summary

Every AI feature in Nobly Insight processes your data inside Nobly’s own infrastructure. There is no path along which document content, queries, conversations, or AI-generated outputs are sent to an external AI provider, and there is no path along which any of that material is used to train a model. This page documents those guarantees in the form your security and compliance teams need to evaluate.

We do not train on your data

  • No model training, fine-tuning, or evaluation uses customer documents, queries, AI Chat conversations, summaries, redaction outputs, or indexing decisions.
  • No telemetry of AI inputs or outputs is shipped to any third party for the purpose of model improvement.
  • Models are updated by Nobly through a controlled release process based on publicly available open-weight checkpoints — never by ingesting customer data.
This applies to every AI surface in the product: AI Search, AI Chat, Document Summary, AI Redaction, AI Indexing, and OCR.

No third-party AI subprocessors

Nobly Insight does not route AI inference, embeddings, OCR, summarization, or any related processing through external providers. In particular, your data is not sent to:
  • OpenAI or Azure OpenAI
  • Anthropic
  • Google (Gemini, Vertex AI)
  • Azure AI Foundry
  • Any other hosted AI API
The list of subprocessors required to deliver Nobly Insight does not include an AI provider, because there isn’t one. This simplifies your supplier review and your records of processing.

Data residency

AspectWhere your data lives
AI inferenceNobly-owned and -operated GPU servers in EU co-location facilities, primarily in Denmark
Document storageWithin your Nobly Insight environment, hosted on EU infrastructure
Embeddings (vector representations)Stored alongside your search index, in the same EU environment
AI logs and tracesRetained in the same environment as your tenant; not exported outside the EU
All processing is therefore subject to EU data-protection law, including the GDPR.

Per-tenant isolation

  • Documents and embeddings are tenant-scoped. AI Search, AI Chat, and Document Summary operate over the indexes and storage of your tenant only. There is no shared pool of customer content.
  • Permissions are enforced at retrieval. When AI Chat or AI Search retrieves context, the retrieval is constrained to documents the requesting user is authorised to view in Nobly Insight. AI features never widen a user’s effective access.
  • No cross-tenant model state. Models do not retain state between requests — there is no per-customer fine-tune that could leak across tenants, because no fine-tuning takes place at all.

Lifecycle of AI inputs and outputs

ItemLifetime
Search query textProcessed in memory for the duration of the request; logged for diagnostics in line with your tenant’s logging configuration.
AI Chat messagesPersisted as part of the conversation history visible to the user; subject to the same retention rules as other tenant data.
Document Summary textGenerated at request time. Retention follows the configuration of the surface that requested it.
AI Redaction suggestionsHeld with the document review state until a human reviewer confirms or discards them.
AI Indexing suggestionsEither applied as keyword/document-type values (in which case they live as ordinary index data) or discarded.
EmbeddingsStored in your tenant’s search index and refreshed when the underlying document changes or is removed.
Nothing in this list is retained outside your tenant, and nothing is forwarded to a third party.

Access controls

  • Administrative access to AI infrastructure is limited to Nobly personnel under role-based controls and audit logging.
  • Customer-side access controls — user, group, and document-type permissions configured in Nobly Insight — are honoured by every AI feature. AI Search and AI Chat will not surface a document to a user who cannot otherwise retrieve it.
  • Security keywords and other access-control metadata are synchronised to the AI Search index and applied at query time.

What to put in your DPA and security questionnaires

For procurement, security review, and DPA drafting, you can rely on the following statements when describing how Nobly Insight uses AI:
  • AI processing is performed exclusively on Nobly-owned and -operated servers in EU co-location facilities. Co-location providers supply only the building, power, connectivity, and physical security; they have no logical access to the servers or to your data.
  • No customer data is shared with third-party AI providers (no OpenAI, Anthropic, Google, Azure OpenAI, or Azure AI Foundry in the AI processing path).
  • No customer data is used to train, fine-tune, or evaluate AI models.
  • All AI features honour the per-user and per-document permissions configured in Nobly Insight.
  • Embeddings and AI logs reside within the same EU environment as the source documents.
If your compliance program requires a written confirmation tailored to a specific framework (ISO 27001, NIS2, sector-specific guidance), contact support@nobly.dk.

Infrastructure and models

The hardware we run, the open-weight model families behind each feature, and how we evaluate and update them.