For your IT team
What runs the site. What to allowlist. Where your data goes.
Last updated: 2026-06-22
Bottom line
One apex (askdeck.ai) — allowlist *.askdeck.ai under Business / Productivity / SaaS. All traffic is HTTPS with TLS 1.2+. Data is stored in the United States (US-East), encrypted at rest. No model training on your content, ever. Security questionnaires answered at [email protected] within 3 business days.
1. Domains to allowlist
Allowlisting the apex with a wildcard covers everything: the marketing site, the app, and the API. All subdomains are HTTPS-only and TLS-only (HSTS).
- Wildcard:
*.askdeck.ai— category requested: Business / Productivity / SaaS. - Marketing:
askdeck.ai,www.askdeck.ai. - App:
app.askdeck.ai— authenticated workspace (deck library, brief form, brand kit). - API:
api.askdeck.ai— HTTPS REST, plus live deck-build progress streamed over a long-lived HTTPS response on port 443 (no WebSocket). Corporate proxies that terminate idle connections simply cause the progress view to reconnect — deck generation still completes on the server, independent of the client connection.
2. Subprocessors
Every third party that receives Customer Content or account data, described by function. The categories of subprocessors are set out in Annex III of our DPA; the current named list within each category is available to your security team on request at [email protected]. We give 30 days' written notice before adding or replacing a subprocessor (per DPA §6).
| Function | Provider (by category) | Data received |
|---|---|---|
| Hosting (compute) | Cloud compute provider — United States | Service traffic + ephemeral runtime state |
| Database | Managed relational database — United States, encrypted at rest | Accounts, briefs, decks, billing records |
| Object storage | Object storage — United States, encrypted at rest | .pptx files, audio recordings, brand-kit assets |
| Edge / CDN / DNS | CDN / edge-security provider | Traffic metadata + IP addresses |
| Authentication | Identity provider — passwordless / OAuth | Email + authentication identifiers (no passwords stored by us) |
| Payments | PCI-DSS Level 1 payment processor | Billing details + card data (the processor receives it; we do not) |
| LLM | Enterprise LLM provider | Brief text; contractually no model training on customer data |
| Voice | Telephony provider — inbound calls + voice agent | Phone numbers, call audio |
| SMS / iMessage / RCS | Messaging provider | Phone numbers, message content, delivery receipts |
| Voice agent runtime | Speech-to-text + voice-agent runtime provider | Call audio + transcripts |
| Transactional email | Transactional email provider — outbound + inbound parsing | Email addresses + message contents |
| Webhook delivery | Webhook delivery provider | Webhook payloads sent to customer endpoints |
| Product analytics | First-party product analytics, served from our own domain | Page-view + click events; opt-in session replay; GPC honored |
All processing is performed in the United States. EU customers: international transfers are governed by the EU SCCs incorporated into our DPA (Module Two).
3. Data residency, encryption, deletion
- Primary region — United States (US-East). Data at rest and compute are US-only.
- Encryption in transit — TLS 1.3 preferred, TLS 1.2 minimum. Modern cipher suites only. HSTS preload-ready.
- Encryption at rest — AES-256 on the database and on object storage.
- No model training on Customer Content — period. Contractually prohibited at every LLM and voice-agent vendor (see DPA Annex II).
- Deletion — initiate from
/app/settings → Delete account. Cascades to all owned briefs and decks; soft-deleted immediately, hard-purged within 30 days from primary storage and within 35 days from encrypted backups. - Backups — encrypted backups retained up to 35 days, then destroyed.
4. What we explicitly do NOT do
- We do not train AI models on your briefs or decks. We do not allow our LLM subprocessor to either.
- We do not sell, share, or rent personal data to advertisers.
- We do not run third-party browser trackers on
app.askdeck.aibeyond our own first-party analytics, served from our own domain so adblockers don't need to allowlist a third-party origin. GPC and DNT are honored. - We do not accept Protected Health Information (PHI). We are not a HIPAA Business Associate. Do not put PHI in a brief.
- We never see card data. Our PCI-DSS Level 1 payment processor handles all payment instruments (PCI scope is on the processor's side, not ours).
5. Forward this to your IT team
If askdeck.ai is blocked on your corporate network, the fastest path is for someone on the inside to ask IT for an exception — most allowlist requests are resolved within 24 hours when they come from a verified employee.
Suggested email
Hi — I'm trying to access askdeck.ai, an AI-powered tool that drafts editable PowerPoint decks from a short brief. Could you allowlist *.askdeck.aiunder the Business / Productivity / SaaS category? The vendor's full security posture — subprocessors, encryption, data residency, deletion — is published at https://askdeck.ai/trust. If you need a security questionnaire, DPA, or vendor risk profile, the vendor responds at [email protected] within 3 business days.
6. Web-gateway categorization
We've requested categorization with the major secure web gateways. If your gateway still shows us as Uncategorized, your IT can re-query the categorization database directly or submit a recategorization request — most vendors honor it within 1–3 business days. We can provide submission receipts on request.
- Cisco Talos / Umbrella — talosintelligence.com/reputation_center/support
- Palo Alto Networks PAN-DB — urlfiltering.paloaltonetworks.com
- Symantec / Broadcom WebFilter — sitereview.bluecoat.com
- Zscaler — csi.zscaler.com
- Fortinet FortiGuard — fortiguard.com/webfilter
- Forcepoint — csi.forcepoint.com/Submit
7. How to reach us
One inbox per topic. Quick security questions answered the same business day; full questionnaires and vendor reviews within three business days.
- Security & vendor review · [email protected]
- Privacy · [email protected]
- AI deck intake (email) · [email protected]
- AI deck intake (SMS / iMessage) · +1 (332) 239-0932
- Voice · +1 (743) 256-5873
- General · [email protected]
- Security disclosures (RFC 9116) · /.well-known/security.txt