Skip to Content
Security & TrustData Handling

Data Handling

This page describes how data is uploaded, stored, processed, shared and used by AI features in Nairo.

It is intended for customer administrators, IT teams and security stakeholders reviewing Nairo’s document and AI data lifecycle.

For contractual commitments, retention terms and deployment-specific guarantees, refer to the applicable agreement and data processing terms with Nairo.

Data lifecycle at a glance

StageCurrent implementation
UploadUsers upload documents into supported product surfaces
Upload pathUploads use signed URLs where supported
File storageUploaded files are stored in Google Cloud Storage
MetadataDocument metadata is stored in the workspace backend
ProcessingDocuments may be processed asynchronously after upload
Derived dataProcessing may create extracted text, structured values, chunks or embeddings
AI useRelevant document content may be used by AI features when selected or attached
SharingLibrary documents and folders can be shared with workspace users
RetentionNo self-serve retention policy UI is available today

Document upload

Teams upload documents into the workspace so they can be used in supported surfaces such as Library, Projects, Experts, Actions and Insight Table.

Nairo’s current document flow is primarily upload-based. External repository connectors and scheduled synchronisation are not available as a general self-serve admin capability today.

Where supported, the upload process uses signed URLs. This allows the application to upload files through controlled storage paths rather than sending all file contents through a generic application request.

After upload, Nairo creates document metadata so the file can be tracked, processed and made available to supported product surfaces.

File storage

Uploaded files are stored in Google Cloud Storage.

Documents are associated with workspace context and document metadata in the backend. Access to documents is controlled through the application’s authentication, tenant context and document access rules.

Customers should not treat Nairo as their system of record for all enterprise documents unless this has been agreed as part of the implementation and contractual scope.

Document processing

After upload, documents may enter an asynchronous processing flow.

Depending on the document type and product surface, processing may include:

  • File status tracking
  • Text extraction
  • Parsing
  • Chunking
  • Embedding
  • Structured extraction
  • Preparation for AI-assisted review

The UI may show processing progress and surface failures where supported.

Users can retry failed documents manually where the product allows it.

Documents should only be relied on for AI-assisted review once processing has completed successfully.

Derived data

AI-assisted review may require Nairo to create derived data from uploaded documents.

Derived data can include extracted text, structured fields, review cell values, chunks, embeddings or other intermediate outputs used to support search, retrieval, comparison and analysis.

Derived data should be treated as part of the customer workspace data lifecycle.

Not every surface creates the same type of derived data.

For example:

  • Library documents may be processed for retrieval and preview
  • Projects may use uploaded materials as workspace context
  • Insight Table may create structured review outputs across document sets
  • Assistant may use selected documents or folders as context
  • Experts and Actions may use uploaded or selected materials depending on configuration

Workspace data

Workspace data may include:

  • Uploaded files
  • Document metadata
  • Extracted text
  • Structured extraction outputs
  • Chunks and embeddings
  • Assistant conversations
  • Project materials and outputs
  • Insight Table review data
  • Library folders and sharing records
  • Expert and Action inputs or outputs where supported

Retention of this data depends on platform behaviour, implementation scope and contractual terms.

Nairo does not currently provide a self-serve customer admin UI for configuring retention periods.

For more detail, see Data Retention.

Sharing and access control

Library documents and folders can be shared with specific users in the workspace where sharing is supported.

Folder sharing may provide inherited access to documents inside the shared folder.

This sharing model is separate from general route-level permissions. A user may have access to the Library surface but only see the documents or folders available to them.

Administrative permissions control access to user management and related admin pages.

Customer administrators remain responsible for deciding which users should have access to sensitive materials.

Document preview

Documents can be previewed inline from the Library and from other surfaces that reference workspace content where preview is supported.

Preview access follows the relevant workspace, authentication and document access controls.

A document being visible in one product surface does not mean it is automatically available to every user or every surface.

AI data processing

When AI features are used, selected document content, extracted text, user prompts and relevant context may be sent for model processing as part of the selected surface.

Model execution differs by surface and configuration.

In the current implementation:

  • Assistant uses backend-managed model execution
  • Projects use backend-managed model execution for the Project Assistant
  • Insight Table execution is backend-managed
  • Experts and Actions may use client-side Gemini calls where configured

Internet search may be available for Assistant conversations where enabled. It should not be assumed to be enabled globally across all surfaces.

Teams should evaluate which materials are appropriate for each AI use case, especially where documents contain confidential, regulated or commercially sensitive information.

For more detail, see AI Usage and Human Review and Model Providers.

Encryption and sensitive values

Nairo includes application-level encryption capabilities for selected sensitive value stores where configured.

Where enabled for those selected stores, encryption uses AES-256-GCM.

This should not be interpreted as universal field-level encryption across every database table, document, metadata field, chunk, embedding or product surface.

Broader encryption controls, including transport-layer security, database encryption at rest and object storage encryption, depend on deployment infrastructure, cloud configuration and contractual commitments.

Customers with specific encryption, key management or data classification requirements should confirm those requirements with Nairo before using sensitive materials.

What data handling does not include today

The following are not available as general self-serve capabilities in the current application UI:

  • Configurable retention periods
  • Customer-managed encryption keys
  • Self-serve BYOK or BYOM
  • Automatic data classification or labelling
  • Self-serve data residency configuration by customer
  • General external repository connector administration
  • Scheduled synchronisation from third-party document systems

For retention and deletion policies, see Data Retention and contact your Nairo team for contractual terms.

Getting started

Include Nairo’s upload and AI usage model in your organisation’s data processing assessment.

Before a pilot, define:

  • Which document types can be uploaded
  • Which classification levels are permitted
  • Which surfaces can be used with sensitive materials
  • Which users can access shared folders and documents
  • Whether internet search should be enabled
  • Which outputs must be retained outside Nairo
  • Which contractual retention or deletion terms apply