Skip to content
DAskDeck

For your IT team

What runs the site. What to allowlist. Where your data goes.

Last updated: 2026-06-22

Bottom line

One apex (askdeck.ai) — allowlist *.askdeck.ai under Business / Productivity / SaaS. All traffic is HTTPS with TLS 1.2+. Data is stored in the United States (US-East), encrypted at rest. No model training on your content, ever. Security questionnaires answered at [email protected] within 3 business days.

1. Domains to allowlist

Allowlisting the apex with a wildcard covers everything: the marketing site, the app, and the API. All subdomains are HTTPS-only and TLS-only (HSTS).

  • Wildcard: *.askdeck.ai — category requested: Business / Productivity / SaaS.
  • Marketing: askdeck.ai, www.askdeck.ai.
  • App: app.askdeck.ai — authenticated workspace (deck library, brief form, brand kit).
  • API: api.askdeck.ai — HTTPS REST, plus live deck-build progress streamed over a long-lived HTTPS response on port 443 (no WebSocket). Corporate proxies that terminate idle connections simply cause the progress view to reconnect — deck generation still completes on the server, independent of the client connection.

2. Subprocessors

Every third party that receives Customer Content or account data, described by function. The categories of subprocessors are set out in Annex III of our DPA; the current named list within each category is available to your security team on request at [email protected]. We give 30 days' written notice before adding or replacing a subprocessor (per DPA §6).

FunctionProvider (by category)Data received
Hosting (compute)Cloud compute provider — United StatesService traffic + ephemeral runtime state
DatabaseManaged relational database — United States, encrypted at restAccounts, briefs, decks, billing records
Object storageObject storage — United States, encrypted at rest.pptx files, audio recordings, brand-kit assets
Edge / CDN / DNSCDN / edge-security providerTraffic metadata + IP addresses
AuthenticationIdentity provider — passwordless / OAuthEmail + authentication identifiers (no passwords stored by us)
PaymentsPCI-DSS Level 1 payment processorBilling details + card data (the processor receives it; we do not)
LLMEnterprise LLM providerBrief text; contractually no model training on customer data
VoiceTelephony provider — inbound calls + voice agentPhone numbers, call audio
SMS / iMessage / RCSMessaging providerPhone numbers, message content, delivery receipts
Voice agent runtimeSpeech-to-text + voice-agent runtime providerCall audio + transcripts
Transactional emailTransactional email provider — outbound + inbound parsingEmail addresses + message contents
Webhook deliveryWebhook delivery providerWebhook payloads sent to customer endpoints
Product analyticsFirst-party product analytics, served from our own domainPage-view + click events; opt-in session replay; GPC honored

All processing is performed in the United States. EU customers: international transfers are governed by the EU SCCs incorporated into our DPA (Module Two).

3. Data residency, encryption, deletion

  • Primary region — United States (US-East). Data at rest and compute are US-only.
  • Encryption in transit — TLS 1.3 preferred, TLS 1.2 minimum. Modern cipher suites only. HSTS preload-ready.
  • Encryption at rest — AES-256 on the database and on object storage.
  • No model training on Customer Content — period. Contractually prohibited at every LLM and voice-agent vendor (see DPA Annex II).
  • Deletion — initiate from /app/settings → Delete account. Cascades to all owned briefs and decks; soft-deleted immediately, hard-purged within 30 days from primary storage and within 35 days from encrypted backups.
  • Backups — encrypted backups retained up to 35 days, then destroyed.

4. What we explicitly do NOT do

  • We do not train AI models on your briefs or decks. We do not allow our LLM subprocessor to either.
  • We do not sell, share, or rent personal data to advertisers.
  • We do not run third-party browser trackers on app.askdeck.aibeyond our own first-party analytics, served from our own domain so adblockers don't need to allowlist a third-party origin. GPC and DNT are honored.
  • We do not accept Protected Health Information (PHI). We are not a HIPAA Business Associate. Do not put PHI in a brief.
  • We never see card data. Our PCI-DSS Level 1 payment processor handles all payment instruments (PCI scope is on the processor's side, not ours).

5. Forward this to your IT team

If askdeck.ai is blocked on your corporate network, the fastest path is for someone on the inside to ask IT for an exception — most allowlist requests are resolved within 24 hours when they come from a verified employee.

Suggested email

Hi — I'm trying to access askdeck.ai, an AI-powered tool that drafts editable PowerPoint decks from a short brief. Could you allowlist *.askdeck.aiunder the Business / Productivity / SaaS category? The vendor's full security posture — subprocessors, encryption, data residency, deletion — is published at https://askdeck.ai/trust. If you need a security questionnaire, DPA, or vendor risk profile, the vendor responds at [email protected] within 3 business days.

6. Web-gateway categorization

We've requested categorization with the major secure web gateways. If your gateway still shows us as Uncategorized, your IT can re-query the categorization database directly or submit a recategorization request — most vendors honor it within 1–3 business days. We can provide submission receipts on request.

7. How to reach us

One inbox per topic. Quick security questions answered the same business day; full questionnaires and vendor reviews within three business days.