Data Handling
This page describes how data is uploaded, stored, processed, shared and used by AI features in Nairo.
It is intended for customer administrators, IT teams and security stakeholders reviewing Nairo’s document and AI data lifecycle.
For contractual commitments, retention terms and deployment-specific guarantees, refer to the applicable agreement and data processing terms with Nairo.
Data lifecycle at a glance
| Stage | Current implementation |
|---|---|
| Upload | Users upload documents into supported product surfaces |
| Upload path | Uploads use signed URLs where supported |
| File storage | Uploaded files are stored in Google Cloud Storage |
| Metadata | Document metadata is stored in the workspace backend |
| Processing | Documents may be processed asynchronously after upload |
| Derived data | Processing may create extracted text, structured values, chunks or embeddings |
| AI use | Relevant document content may be used by AI features when selected or attached |
| Sharing | Library documents and folders can be shared with workspace users |
| Retention | No self-serve retention policy UI is available today |
Document upload
Teams upload documents into the workspace so they can be used in supported surfaces such as Library, Projects, Experts, Actions and Insight Table.
Nairo’s current document flow is primarily upload-based. External repository connectors and scheduled synchronisation are not available as a general self-serve admin capability today.
Where supported, the upload process uses signed URLs. This allows the application to upload files through controlled storage paths rather than sending all file contents through a generic application request.
After upload, Nairo creates document metadata so the file can be tracked, processed and made available to supported product surfaces.
File storage
Uploaded files are stored in Google Cloud Storage.
Documents are associated with workspace context and document metadata in the backend. Access to documents is controlled through the application’s authentication, tenant context and document access rules.
Customers should not treat Nairo as their system of record for all enterprise documents unless this has been agreed as part of the implementation and contractual scope.
Document processing
After upload, documents may enter an asynchronous processing flow.
Depending on the document type and product surface, processing may include:
- File status tracking
- Text extraction
- Parsing
- Chunking
- Embedding
- Structured extraction
- Preparation for AI-assisted review
The UI may show processing progress and surface failures where supported.
Users can retry failed documents manually where the product allows it.
Documents should only be relied on for AI-assisted review once processing has completed successfully.
Derived data
AI-assisted review may require Nairo to create derived data from uploaded documents.
Derived data can include extracted text, structured fields, review cell values, chunks, embeddings or other intermediate outputs used to support search, retrieval, comparison and analysis.
Derived data should be treated as part of the customer workspace data lifecycle.
Not every surface creates the same type of derived data.
For example:
- Library documents may be processed for retrieval and preview
- Projects may use uploaded materials as workspace context
- Insight Table may create structured review outputs across document sets
- Assistant may use selected documents or folders as context
- Experts and Actions may use uploaded or selected materials depending on configuration
Workspace data
Workspace data may include:
- Uploaded files
- Document metadata
- Extracted text
- Structured extraction outputs
- Chunks and embeddings
- Assistant conversations
- Project materials and outputs
- Insight Table review data
- Library folders and sharing records
- Expert and Action inputs or outputs where supported
Retention of this data depends on platform behaviour, implementation scope and contractual terms.
Nairo does not currently provide a self-serve customer admin UI for configuring retention periods.
For more detail, see Data Retention.
Sharing and access control
Library documents and folders can be shared with specific users in the workspace where sharing is supported.
Folder sharing may provide inherited access to documents inside the shared folder.
This sharing model is separate from general route-level permissions. A user may have access to the Library surface but only see the documents or folders available to them.
Administrative permissions control access to user management and related admin pages.
Customer administrators remain responsible for deciding which users should have access to sensitive materials.
Document preview
Documents can be previewed inline from the Library and from other surfaces that reference workspace content where preview is supported.
Preview access follows the relevant workspace, authentication and document access controls.
A document being visible in one product surface does not mean it is automatically available to every user or every surface.
AI data processing
When AI features are used, selected document content, extracted text, user prompts and relevant context may be sent for model processing as part of the selected surface.
Model execution differs by surface and configuration.
In the current implementation:
- Assistant uses backend-managed model execution
- Projects use backend-managed model execution for the Project Assistant
- Insight Table execution is backend-managed
- Experts and Actions may use client-side Gemini calls where configured
Internet search may be available for Assistant conversations where enabled. It should not be assumed to be enabled globally across all surfaces.
Teams should evaluate which materials are appropriate for each AI use case, especially where documents contain confidential, regulated or commercially sensitive information.
For more detail, see AI Usage and Human Review and Model Providers.
Encryption and sensitive values
Nairo includes application-level encryption capabilities for selected sensitive value stores where configured.
Where enabled for those selected stores, encryption uses AES-256-GCM.
This should not be interpreted as universal field-level encryption across every database table, document, metadata field, chunk, embedding or product surface.
Broader encryption controls, including transport-layer security, database encryption at rest and object storage encryption, depend on deployment infrastructure, cloud configuration and contractual commitments.
Customers with specific encryption, key management or data classification requirements should confirm those requirements with Nairo before using sensitive materials.
What data handling does not include today
The following are not available as general self-serve capabilities in the current application UI:
- Configurable retention periods
- Customer-managed encryption keys
- Self-serve BYOK or BYOM
- Automatic data classification or labelling
- Self-serve data residency configuration by customer
- General external repository connector administration
- Scheduled synchronisation from third-party document systems
For retention and deletion policies, see Data Retention and contact your Nairo team for contractual terms.
Related areas
- Security Overview
- Tenant Isolation
- Library
- Projects
- Model Providers
- AI Usage and Human Review
- Data Retention
- Subprocessors
Getting started
Include Nairo’s upload and AI usage model in your organisation’s data processing assessment.
Before a pilot, define:
- Which document types can be uploaded
- Which classification levels are permitted
- Which surfaces can be used with sensitive materials
- Which users can access shared folders and documents
- Whether internet search should be enabled
- Which outputs must be retained outside Nairo
- Which contractual retention or deletion terms apply