# FAQ > Frequently asked security and compliance questions about GoSmarter - data residency, AI, encryption, and access control. **URL:** https://www.gosmarter.ai/docs/content/faq/ **Date:** 0001-01-01 --- ## Frequently asked questions ### Data residency **Where is my data stored?** Core persistent customer data is hosted in Azure UK regions. See [Data Residency](data-residency). **Can I choose a different region?** GoSmarter follows a standard hosted model. Region options can be discussed as part of enterprise scoping. **Does any data leave the UK?** Some supporting processing may use EU regions where required by platform capability. We do not transfer customer data outside UK/EU operating boundaries for service delivery. **Is my data subject to US law / the CLOUD Act?** GoSmarter is delivered on Microsoft Azure under Microsoft's contractual and compliance framework. Data residency and transfer controls are documented in [Data Residency](data-residency). ### AI and document processing **Does GoSmarter use AI?** Yes. AI is used for defined document-processing tasks. Non-AI algorithmic processing is also used where appropriate. See [AI Security](ai-security). **Is my data used to train AI models?** No. Microsoft contractually commits that your data is not used to train, retrain, or improve their AI models. See [Microsoft's data privacy commitments](https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy). **What AI services does GoSmarter use?** GoSmarter uses Microsoft Azure AI services appropriate to the workload. Service-level and regional details can be shared under NDA during a security review. **Does the optimisation solver use AI?** No. The cutting optimisation service is a pure algorithmic solver using heuristic and genetic algorithm techniques. It makes no external AI or API calls. ### Authentication and access **How do users sign in?** Via GoSmarter's Microsoft Entra External ID. Supported sign-in options include organisational and consumer identity methods. **Does GoSmarter support MFA?** Yes. MFA is supported and can be enforced in line with our access control policy. **Can a user in Company A see Company B's data?** No. Every API request validates that the authenticated user's Entra ID group claims include the target company. Requests for companies the user doesn't belong to are rejected. ### Encryption **Is data encrypted at rest?** Yes. AES-256 encryption on all storage (Azure SQL with TDE, Blob Storage with SSE, Key Vault). **Is data encrypted in transit?** Yes. TLS 1.2 minimum enforced on all services. HTTP connections are rejected. **Can I bring my own encryption keys?** Not currently. All encryption uses platform-managed keys. Customer-managed keys (BYOK/CMK) are not available. ### Infrastructure **Do you use shared or dedicated infrastructure?** GoSmarter runs on managed Azure platform services with isolation controls between workloads. **Is there a public status page?** Service status and incident communications are handled through customer support and account channels. **What is your uptime SLA?** Availability commitments are provided contractually based on your service agreement. ### Compliance **Do you have SOC 2 Type II?** GoSmarter runs on Azure, which maintains SOC 2 Type II attestation for relevant platform services. Azure reports are available via the [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/). **Do you have ISO 27001?** Azure maintains ISO 27001 certification for relevant platform services. See [Certifications](certifications). **Do you conduct penetration testing?** Security testing is performed as part of our security programme. High-level outcomes and evidence can be shared under NDA where appropriate. **Can I get a copy of your DPA?** Yes. DPA information is available on request. **Can we get detailed architecture and control evidence?** Yes. Detailed technical documentation and assurance artefacts are available under mutual NDA. ### Still have questions? [Email us](mailto:talktous@gosmarter.ai), [contact us online](https://gosmarter.ai/contact), or [book a compliance call](https://calendly.com/gosmarter-demo) to request the NDA pack.