Visual Expert AI FAQ

Security & Hardening — FAQ

S1. What does VE access in our environment?

Visual Expert accesses only code and database object definitions that you explicitly select for analysis.

S2. Does VE modify our code or databases?

No. Visual Expert operates in read-only mode and does not modify your code or databases.

S3. What data leaves our environment when using VE AI?

Only a predefined macro request and a minimal code excerpt necessary for your analysis are transmitted.

S4. Is anyone but us allowed to view our excerpts or outputs?

No. Access is limited to your users unless you authorize Novalys support staff.

S5. Are inputs or outputs used to train AI models?

No. Inputs and outputs are not used to train or fine-tune AI models.

S6. How is data protected in transit and at rest?

Data is protected with TLS encryption during transmission and AES encryption at rest.

S7. How is isolation enforced between customers and projects?

Isolation is enforced through tenant segregation in VE Cloud and project-level data silos.

S8. How long do you keep vulnerability fixes open?

Critical vulnerabilities: 7 days; High-severity: 30 days; others per policy.

S9. What are our responsibilities in the shared security model?

Limit analysis scope, avoid secrets in code, control access, and manage data deletion.

Data Protection & Confidentiality — FAQ

C1. What exactly does Visual Expert AI send to the model?

VE AI transmits only your analysis request and a minimal code excerpt strictly required to answer that request.

C2. What is "Project Context" and why is it kept?

Project Context is a per-tenant knowledge layer consisting of code excerpts, AI outputs, and derived representations. It is kept to improve the accuracy and relevance of future AI responses within your specific project environment.

C4. Where is Project Context stored?

Project Context is stored in your dedicated VE Cloud tenant and at OpenAI to support improved analysis quality over time.

C5. Who can access our Project Context?

Project Context is inaccessible to other Visual Expert customers or third parties. Access is isolated by tenant and project and limited to your authorized users.

C6. Can we request deletion of Project Context?

Yes. You can request deletion of Project Context data in VE Cloud and at OpenAI at any time by contacting Novalys support.

C7. How long does OpenAI keep our data?

OpenAI deletes data within a maximum of 30 days after receiving your deletion instruction (relayed by Visual Expert) or upon termination of service.

C8. Does Visual Expert analyze production data or business records?

No. Visual Expert analyzes code structure and object definitions. It does not access or analyze production data or business records.

C9. Can we use Visual Expert without any AI features?

Yes. Visual Expert's static code analysis features operate independently of AI functionality. AI features are completely optional.

C10. What good practices should we follow when submitting excerpts?

Submit the smallest complete code excerpt necessary and avoid including secrets such as passwords, keys, or tokens.

Architecture & Network — FAQ

A1. Which domains must be allow-listed for outbound traffic?

You must allow outbound HTTPS traffic to ai.visual-expert.com.

A2. Which protocol and port are required?

HTTPS/TLS over TCP port 443 is required for outbound traffic.

A3. Which direction do network connections flow during normal operation?

All connections are outbound from your environment. The VE Client connects to VE Cloud over TLS, and VE Cloud connects to OpenAI's API over TLS.

A4. What DNS requirements apply to workstations or servers running VE?

Corporate DNS infrastructure (or DNS over HTTPS) must be able to resolve subdomains of ai.visual-expert.com.

A5. What proxy rules are required if we use an HTTP proxy?

Your proxy must allow the CONNECT method to ai.visual-expert.com and preserve TLS certificate chain validation. Do not perform SSL/TLS interception for this domain.

A6. How can we disable AI usage during a pilot or audit phase?

Request that Novalys set your VE AI credits to zero for the relevant repositories or teams. You can also block outbound traffic to ai.visual-expert.com at your network perimeter.

TOP 10 FAQ — Security, Confidentiality, and Technical Matters

U1. What does VE analyze and does it modify our systems?

VE analyzes only selected code and database object definitions and does not modify systems because it operates read-only.

U2. What exactly is sent to AI when we run a macro?

Only your question and the strictly necessary code excerpt are sent to AI.

U4. What is Project Context and where is it kept?

Project Context is a per-tenant knowledge layer kept in your VE Cloud tenant and may be retained by OpenAI (via API) to improve future answers.

U5. Can we request deletion and how long does OpenAI keep data?

You can request deletion at any time, and OpenAI deletion occurs within 30 days after instruction or at end of service.

U6. Are inputs or outputs used to train AI models?

No, inputs and outputs are not used to train or fine-tune AI models.

U7. How is the data protected end-to-end?

Data is protected by TLS in transit and AES encryption at rest with tenant and project isolation in VE Cloud.

U8. Which network prerequisites must we enforce?

You must allow outbound HTTPS 443 to ai.visual-expert.com with DNS resolution for both domains.

U9. Can we operate VE without AI or temporarily block AI features?

Yes, VE works without AI and you can block AI by setting VE AI credits to zero and denying outbound to ai.visual-expert.com.

U10. What are our responsibilities in the shared model?

You should limit analysis scope, avoid secrets in excerpts, control who runs AI macros, and request deletion of project context when needed.

See Also:

• AI Service: explain the Business
• AI Service: explain the Logic 
• AI Service: generate comments
• AI Service: optimize your code
• AI Service: suggest a solution to a code inspection issue