Respell makes it easy to use AI in your work life. Our drag-and-drop workflow builder can automate a tedious process in minutes, allowing you to build AI workflows without code. Powered by the latest AI models. It’s like magic. From individuals to businesses, everyone can use it.

We’re committed to keeping your data safe and secure. Our vigilant approach guarantees that your information remains confidential, while our adherence to regulations ensures the highest ethical standards.

Within this document, you’ll gain insights into our security controls and compliance practices.

Information Security Framework

We’ve taken a robust approach to ensure the security of your data, and our commitment is underscored by our adherence to the SOC 2 Type 2 framework. SOC 2 evaluates an organization’s controls over security, availability, processing integrity, confidentiality, and privacy of customer data.

Our systems and processes are regularly audited by independent professionals to ensure they meet the highest security standards.

Data Protection and Privacy

Customer Data Access

  • Customer data is stored and encrypted at rest on our production database in Google Cloud Platform (GCP).
  • Confidential Customer Data is not used or stored in non-production systems/environments.
  • Automatic vulnerability scanning is set up on GCP and Github.
  • Only lead engineers have access to production.
  • Event logging is monitored to track who is accessing the production database.

Data Retention and Destruction

Data is retained as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners may determine retention periods for their data.

Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.

Retention periods are documented in Respell’s Data Management Policy.


Customer data is encrypted in the PostgreSQL database in accordance with Respell’s Cryptography Policy.

Key Management

Access to keys and secrets shall be tightly controlled in accordance with the Access Control Policy.

The following table includes usage for cryptographic keys:

DomainKey TypeAlgorithmKey Length
Web CertificateRSA or ECC with SHA2+ signatureRSA or ECC with SHA2+ signature2048 bit or greater/RSA, 256bit or greater/ECC
Web Cipher (TLS)Asymmetric EncryptionCiphers of B or greater grade on SSL Labs RatingVaries
Confidential Data at RestSymmetric EncryptionAES256 bit
PasswordsOne-way HashBcrypt, PBKDF2, or scrypt, Argon2256 bit+10K Stretch. Include unique cryptographic salt+pepper
Endpoint Storage (SSD/HDD)Symmetric EncryptionAES128 or 256 bit

Network Security

Application Security

  • Code Reviews and Audits: We conduct audits by experienced security professionals to identify and address vulnerabilities and weak points in the Respell platform codebase.
  • Vulnerability Assessments: Automatic vulnerability scanning is set up on GCP and Github.
  • Authentication and Authorization: Authentication mechanisms are in place to ensure that only authorized users can access specific functionalities and data, including making changes to production data.
  • Deployment Access: Specific engineers have access to deploy changes in the production database. No single user can push changes; a second verification is required.
  • Least Privilege Principle: Granting users and components only the minimum permissions required for their specific roles and functionalities.
  • Error Handling: Error-handling mechanisms are in place to avoid disclosing sensitive information to potential attackers in error messages.
  • Auditing and Logging: Thorough auditing and logging mechanisms are in place in GCP to monitor and track user activities for potential security breaches.

Employee Training and Awareness

All employees must complete a Security Awareness Training course and be onboarded onto Respell’s best practices for securely handling data and accessing company applications.


Compliant Models

The following models on our platform are compliant:

  • Azure GPT-3.5 Turbo 16k
  • Azure GPT-4 32k
  • Azure GPT-4 8k

No user data that is inputted and outputted into this models is sent to OpenAI or other model providers to be saved or to be trained on.

Find more detailed information on Azure’s privacy and security here.

Explore Page

We manually approve every single spell before it is made public, examining it for accuracy, relevance, security, and overall quality. Once a spell has been approved, it will appear on our Explore page for anyone to see or use.

For more in depth information regarding compliance, please contact the Respell team: