Data Protection & Confidentiality

Purpose

This document explains what data Visual Expert AI processes, how data flows through the system, where data is stored, and how long it is retained. It provides transparency into Visual Expert's data handling practices to support your privacy and compliance assessments.

For additional information, please refer to:

• Security & Admin Hardening: encryption posture, isolation model, access policies, and vulnerability management
• Architecture & Network: endpoints, outbound rules, and connectivity requirements

Visual Expert Core Principles

User-Controlled Scope

Visual Expert analyzes only the source elements you explicitly select for analysis. This includes source files, database object definitions (procedures, functions, views), SQL queries, and application code. Visual Expert does not automatically scan or analyze code that you have not selected.

No Production Data Processing

Visual Expert processes code structure and metadata (object definitions, schemas, code syntax) but does not access or process production data, business records, or runtime data from your databases or applications.

Read-Only Operations

Visual Expert operates in read-only mode and does not modify your source code, database schemas, or any other elements in your environment.

What VE AI Sends to the Model

Data Transmitted to AI Service

When you use Visual Expert AI features, the following data is transmitted:

• Your request: The specific question you trigger through the Visual Expert user interface
• A minimal code excerpt: Only the code fragment strictly necessary to answer your question (such as a specific procedure, function, query, or object definition)

Data Not Transmitted to AI Service

• Complete source code repositories or database dumps
• Code or database objects that are not directly relevant to your current analysis request
• Production data, business records, or runtime data

"Project Context" & Improving Future Results

What is Project Context?

Project Context is a knowledge layer that Visual Expert builds and maintains for each customer project. It consists of code excerpts, AI outputs, and derived representations (such as summaries, annotations, or analysis patterns) that have been generated through your use of VE AI features.

Purpose of Project Context

Project Context serves to improve the accuracy, relevance, and consistency of AI responses over time within your specific project environment. By retaining information about previous analyses, Visual Expert AI can provide more contextually appropriate answers that take into account your application's structure, naming conventions, and coding patterns.

Where Project Context Is Stored

• Your VE Cloud tenant: Data is stored within your dedicated, isolated tenant environment in VE Cloud (hosted on Microsoft Azure by Novalys)
• OpenAI: OpenAI may retain Project Context data to improve the quality and relevance of AI responses for your specific VE project, but cannot use it for any other purposes, such as AI training.

Access to Project Context

Project Context data is not accessible to other Visual Expert customers or third parties. Access is restricted to users within your Visual Expert project (as determined by your account provisioning).

Deletion of Project Context

You can request deletion of Project Context data at any time by contacting Novalys support. Deletion procedures and timelines are described in the Retention & Deletion section below.

For detailed information about encryption, isolation, and access controls, please refer to the Security & Admin Hardening document.

Data Flow (At a Glance)

The following describes how data moves through the Visual Expert AI system:

1. VE Client to VE Cloud: When you trigger an AI request from a Visual Expert client (desktop or web), your request and a minimized code excerpt are transmitted to VE Cloud over an encrypted TLS connection.
2. VE Cloud to OpenAI: VE Cloud formats your request and calls the OpenAI API to obtain an AI-generated response.
3. Response Return: The AI response is transmitted back from OpenAI to VE Cloud, then from VE Cloud to your VE Client over encrypted connections.
4. Display and Storage: The AI result is displayed in your Visual Expert client interface. You can save the result locally or delete it. Project Context data may be retained in VE Cloud and at OpenAI as described above.

Retention & Deletion

VE Cloud (Customer Tenant)

• Retention period: Project Context elements (code excerpts, AI outputs, and derived representations) are retained in your VE Cloud tenant for as long as they are needed to support VE AI functionality and improve analysis quality for your project.
• Deletion process: All Project Context data stored in VE Cloud is deleted in the following circumstances:
  • Upon your explicit request to Novalys support
  • Automatically upon termination of your Visual Expert service agreement
  To request deletion, contact Novalys support and specify which Project Context data you wish to delete.

OpenAI

• Retention period: OpenAI retains data only for the duration necessary and only to provide AI services to your Visual Expert instance. Any other use by OpenAI is strictly forbidden by contract (DPA signed with Novalys).
• Deletion timeline: OpenAI deletes all retained data within a maximum of 30 days after receiving your deletion instruction (relayed by Novalys) or upon termination of your service agreement.

Customer Good Practices

• Submit Minimal Excerpts: When using VE AI features, submit only the minimal code excerpt necessary to answer your specific analysis question. Avoid including unrelated code or broader context than necessary.
• Avoid Including Secrets: Do not include secrets (passwords, API keys, access tokens, certificates) in code excerpts submitted to VE AI. If you discover that secrets have been embedded in analyzed code, rotate those secrets immediately according to your security policies.
• Track Usage (Optional): If required by your internal compliance or audit policies, you can track Visual Expert AI usage through your own network monitoring tools (such as proxy logs, firewall logs, or SIEM systems).

For detailed security controls (encryption at rest, isolation, identity and access management, vulnerability management), please refer to the Security & Admin Hardening document.

For connectivity requirements and allow-listing details, please refer to the Architecture & Network (Technical Guide) document.

Data Protection & Confidentiality — FAQ

C1. What exactly does Visual Expert AI send to the model?

VE AI transmits only your analysis request and a minimal code excerpt strictly required to answer that request.

C2. What is "Project Context" and why is it kept?

Project Context is a per-tenant knowledge layer consisting of code excerpts, AI outputs, and derived representations. It is kept to improve the accuracy and relevance of future AI responses within your specific project environment.

C4. Where is Project Context stored?

Project Context is stored in your dedicated VE Cloud tenant and at OpenAI to support improved analysis quality over time.

C5. Who can access our Project Context?

Project Context is inaccessible to other Visual Expert customers or third parties. Access is isolated by tenant and project and limited to your authorized users.

C6. Can we request deletion of Project Context?

Yes. You can request deletion of Project Context data in VE Cloud and at OpenAI at any time by contacting Novalys support.

C7. How long does OpenAI keep our data?

OpenAI deletes data within a maximum of 30 days after receiving your deletion instruction (relayed by Visual Expert) or upon termination of service.

C8. Does Visual Expert analyze production data or business records?

No. Visual Expert analyzes code structure and object definitions. It does not access or analyze production data or business records.

C9. Can we use Visual Expert without any AI features?

Yes. Visual Expert's static code analysis features operate independently of AI functionality. AI features are completely optional and designed to provide advanced analysis beyond static analysis capabilities.

C10. What good practices should we follow when submitting excerpts?

You should submit the smallest complete code excerpt necessary for your analysis and avoid including secrets (passwords, keys, tokens) in submitted code.

Glossary

• AES: Advanced Encryption Standard — a symmetric encryption algorithm used to protect data at rest
• API: Application Programming Interface — a set of protocols for software communication
• DPA: Data Processing Agreement — a legal contract governing data processing between parties
• TLS: Transport Layer Security — a cryptographic protocol for secure communication over networks

 

See Also:

• AI Service: explain the Business
• AI Service: explain the Logic 
• AI Service: generate comments
• AI Service: optimize your code
• AI Service: suggest a solution to a code inspection issue