DDeck-Agent

For your IT team

What runs the site. What to allowlist. Where your data goes.

Last updated: 2026-05-24

Bottom line

One apex (askdeck.ai) — allowlist *.askdeck.ai under Business / Productivity. All traffic is HTTPS with TLS 1.2+. Data lives in AWS US-East (Postgres on Neon, object storage on Tigris). No model training on your content, ever. Security questionnaires answered at security@askdeck.ai within 3 business days.

1. Domains to allowlist

Allowlisting the apex with a wildcard covers everything: the marketing site, the app, the API, and the webhook surface. All subdomains are TLS-only (HSTS), share one Let's Encrypt cert chain via Cloudflare, and resolve to either Vercel/Fly (compute) or Cloudflare (edge).

  • Wildcard: *.askdeck.ai — category requested: Business / Productivity / SaaS.
  • Marketing: askdeck.ai, www.askdeck.ai — Next.js on Fly.io (iad), behind Cloudflare.
  • App: app.askdeck.ai — authenticated workspace (deck library, brief form, brand kit).
  • API: api.askdeck.ai — HTTPS REST + Server-Sent Events (SSE) for live deck-build progress. No WebSocket. SSE reuses port 443 with a long-running response; corporate proxies that terminate idle connections in under 60 seconds simply cause the progress UI to reconnect — deck generation itself still completes (it's a durable Temporal workflow on the server, decoupled from the client connection).
  • Webhook ingress: pm-inbound.askdeck.ai (Postmark inbound shim, runs on Cloudflare Workers). Inbound mail only — no end-user traffic.
  • Short links: dckg.co — short URLs used in voice/SMS replies (separate apex, also Cloudflare).
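The allowlist rules above can be checked mechanically before they are pushed to a gateway. The following is an added example, not askdeck.ai's own code: it classifies candidate hostnames against the page's three rules (`*.askdeck.ai`, the bare apex `askdeck.ai`, and the separate short-link apex `dckg.co`). Whether a wildcard entry also matches its bare apex varies between gateway products, so the apex is kept as its own rule, and wildcard matching requires a dot boundary so look-alike names such as `notaskdeck.ai` are never covered. The sample hostnames are constructed for illustration, including a few deliberately outside the rules.

```python
"""Added example (not askdeck.ai's own code): check which hostnames an
allowlist built from the rules on this page would cover.

Rule syntax assumed here: an exact hostname ("askdeck.ai") or a
leading-wildcard entry ("*.askdeck.ai"). The wildcard is strict: it
requires at least one extra label and a dot boundary, so neither the
bare apex nor "notaskdeck.ai" matches "*.askdeck.ai".
"""

# Allowlist as stated on the page: wildcard for every subdomain, the apex
# itself, and the separate short-link apex used in voice/SMS replies.
ALLOWLIST = ("*.askdeck.ai", "askdeck.ai", "dckg.co")

# Constructed sample: the hostnames named on the page plus a few that are
# deliberately outside the rules, to show the boundary behaviour.
SAMPLE_HOSTS = [
    "askdeck.ai", "www.askdeck.ai", "app.askdeck.ai", "api.askdeck.ai",
    "pm-inbound.askdeck.ai", "dckg.co",
    "notaskdeck.ai", "askdeck.ai.evil.example", "www.dckg.co",
]


def _norm(host: str) -> str:
    """Lower-case and drop a trailing dot so 'APP.askdeck.ai.' compares equal."""
    return host.strip().lower().rstrip(".")


def rule_matches(rule: str, host: str) -> bool:
    """True if one allowlist rule covers the host."""
    rule, host = _norm(rule), _norm(host)
    if rule.startswith("*."):
        suffix = rule[1:]  # "*.askdeck.ai" -> ".askdeck.ai"
        # Suffix match with a dot boundary; the host must be strictly longer
        # than the suffix, so the apex itself is not covered by the wildcard.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule


def covered_by(host: str, allowlist=ALLOWLIST):
    """Return the first rule that covers host, or None if it would be blocked."""
    for rule in allowlist:
        if rule_matches(rule, host):
            return rule
    return None


def classify(hosts, allowlist=ALLOWLIST) -> dict:
    """Map each host to the rule covering it (None = not covered)."""
    return {h: covered_by(h, allowlist) for h in hosts}


if __name__ == "__main__":
    for host, rule in classify(SAMPLE_HOSTS).items():
        print(f"{host:28} -> {rule or 'NOT COVERED'}")
```

Run it as a script to print a coverage table; `classify()` is the function to reuse when feeding a longer list exported from a proxy log.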
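The API entry above describes what happens when a proxy closes an idle SSE connection: the client reconnects and the server-side workflow carries on. The following is an added example, not askdeck.ai's own client code, showing the client-side half of that behaviour: a parser for the SSE wire format that discards the partial event a cut connection leaves behind, and derives the `Last-Event-ID` header for the reconnect from the last event that was fully delivered. The event names and JSON payloads in the sample stream are constructed; the real api.askdeck.ai event format is not published on this page.

```python
"""Added example (not askdeck.ai's own client code): parse a Server-Sent
Events stream so that a proxy closing the connection mid-event loses no
progress, and build the Last-Event-ID header for the reconnect.

Event names and payloads are constructed; the real API's format is an
assumption here.
"""
import json
from typing import Tuple


def parse_sse(raw: bytes) -> Tuple[list, str]:
    """Parse an SSE byte stream into complete events and the last event id.

    Follows the WHATWG wire format: 'field: value' lines, an event is
    dispatched on a blank line. A trailing partial event (no terminating
    blank line, which is what a proxy-cut connection leaves) is dropped
    and its id is NOT adopted, so the reconnect resumes after the last
    event that was fully delivered.
    """
    events, last_id = [], ""
    event_type, data_lines, pending_id = "message", [], None
    for line in raw.decode("utf-8", errors="replace").split("\n"):
        line = line.rstrip("\r")
        if line == "":  # dispatch boundary
            if data_lines:
                if pending_id is not None:
                    last_id = pending_id
                events.append({"id": last_id, "event": event_type,
                               "data": "\n".join(data_lines)})
            event_type, data_lines, pending_id = "message", [], None
            continue
        if line.startswith(":"):  # comment line, used as keep-alive
            continue
        field, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if field == "event":
            event_type = value
        elif field == "data":
            data_lines.append(value)
        elif field == "id" and "\0" not in value:  # spec: ids with NUL are ignored
            pending_id = value
    return events, last_id


def reconnect_headers(last_id: str) -> dict:
    """Headers for the next GET: resume after the last complete event."""
    headers = {"Accept": "text/event-stream", "Cache-Control": "no-cache"}
    if last_id:
        headers["Last-Event-ID"] = last_id
    return headers


# Constructed stream: two complete progress events, a keep-alive comment,
# then a third event cut off by a proxy before its terminating blank line.
TRUNCATED_STREAM = (
    b"id: 1\nevent: progress\ndata: {\"step\": \"outline\", \"pct\": 20}\n\n"
    b": keep-alive\n"
    b"id: 2\nevent: progress\ndata: {\"step\": \"slides\", \"pct\": 60}\n\n"
    b"id: 3\nevent: progress\ndata: {\"step\": \"ex"
)

if __name__ == "__main__":
    events, last_id = parse_sse(TRUNCATED_STREAM)
    for e in events:
        print(e["event"], json.loads(e["data"]))
    print("reconnect with", reconnect_headers(last_id))
```

On the sample stream the parser yields the two complete events and a reconnect header of `Last-Event-ID: 2`; event 3 is re-sent by a server that honours the header, which is why a proxy idle-timeout only costs a reconnect and not a lost progress update.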

2. Subprocessors

Every third party that receives Customer Content or account data. This list mirrors Annex III of our DPA — if the two ever disagree, the DPA is authoritative. We give 30 days' written notice before adding or replacing a subprocessor (per DPA §6).

Function | Vendor | Data received
Hosting (compute) | Fly.io, Inc. — primary region iad (US-East) | Service traffic + ephemeral runtime state
Database | Neon, Inc. — Postgres on AWS US-East-2, encrypted at rest | Accounts, briefs, decks, billing records
Object storage | Tigris Data, Inc. — S3-compatible on AWS, encrypted at rest | .pptx files, audio recordings, brand-kit assets
Edge / CDN / DNS | Cloudflare, Inc. | Traffic metadata + IP addresses
Authentication | Clerk, Inc. — passwordless / OAuth | Email + authentication identifiers (no passwords stored by us)
Payments | Stripe, Inc. — Checkout + Billing | Billing details + card data (Stripe receives it; we do not)
LLM | Anthropic, PBC — Claude models | Brief text; contractually no model training on customer data
Voice + SMS | Twilio Inc. — voice number +1 (743) 256-5873 + A2P 10DLC SMS | Phone numbers, call audio, SMS content
Voice agent runtime | ElevenLabs, Inc. — speech-to-text + agent runtime (BYO-LLM proxy back to Anthropic) | Call audio + transcripts
Transactional email | Wildbit, LLC (Postmark) — outbound + inbound parsing | Email addresses + message contents
Webhook delivery | Svix, Inc. | Webhook payloads sent to customer endpoints
Product analytics | PostHog (reverse-proxied via /ingest on our domain) | Page-view + click events; opt-in session replay; GPC honored

All vendors are US-incorporated. EU customers: international transfers are governed by the EU SCCs incorporated into our DPA (Module Two). EU residency option is available on enterprise plans on request.

3. Data residency, encryption, deletion

  • Primary region — AWS US-East (Neon Postgres, Tigris object storage) and Fly.io iad (compute).
  • Encryption in transit — TLS 1.3 preferred, TLS 1.2 minimum. Modern cipher suites only. HSTS preload-ready.
  • Encryption at rest — AES-256 on the database (Neon) and on object storage (Tigris).
  • No model training on Customer Content — period. Contractually prohibited at every LLM and voice-agent vendor (see DPA §3.3).
  • Deletion — initiate from /app/settings → Delete account. Cascades to all owned briefs and decks; soft-deleted immediately, hard-purged within 30 days from primary storage and within 90 days from encrypted backups.
  • Backups — encrypted Postgres backups retained 90 days (Neon PITR + Cloudflare R2 offsite), then destroyed.

4. What we explicitly do NOT do

  • We do not train AI models on your briefs or decks. We do not allow our LLM subprocessor to either.
  • We do not sell, share, or rent personal data to advertisers.
  • We do not run third-party browser trackers on app.askdeck.ai beyond our own first-party analytics (PostHog, reverse-proxied through /ingest on our domain so adblockers don't need to allowlist a third-party origin). GPC and DNT are honored.
  • We do not accept Protected Health Information (PHI). We are not a HIPAA Business Associate. Do not put PHI in a brief.
  • We never see card data. Stripe handles all payment instruments (PCI scope on Stripe's side, not ours).

5. Forward this to your IT team

If askdeck.ai is blocked on your corporate network, the fastest path is for someone on the inside to ask IT for an exception — most allowlist requests are resolved within 24 hours when they come from a verified employee.

Suggested email

Hi — I'm trying to access askdeck.ai, an AI-powered tool that drafts editable PowerPoint decks from a short brief. Could you allowlist *.askdeck.ai under the Business / Productivity / SaaS category? The vendor's full security posture — subprocessors, encryption, data residency, deletion — is published at https://askdeck.ai/trust. If you need a security questionnaire, DPA, or vendor risk profile, the vendor responds at security@askdeck.ai within 3 business days.

6. Web-gateway categorization

We've requested categorization with the major secure web gateways. If your gateway still shows us as Uncategorized, your IT can re-query the categorization database directly or submit a recategorization request — most vendors honor it within 1–3 business days. We can provide submission receipts on request.

7. How to reach us

One inbox per topic. Security questions answered the same day, vendor reviews within three business days.