Skip to content

Data flow and what gets logged

When you put a question into SUPERWISE Chat, it’s reasonable to ask exactly where that question goes, what touches it on the way to an answer, and what — if anything — is written down afterwards. This page answers that, end to end, in plain terms. It’s written for the person who has to vouch for the system to colleagues, auditors, or a security review: you, or the IT and compliance people who work with you.

The short answer is that every message follows a single, predictable path. It is authenticated, scoped to your organization, reviewed for safety on the way in and on the way out, answered, and recorded. Nothing skips a step, and nothing is invisible.

Follow one question from the moment you press send to the moment the answer appears. Each numbered stage is a real checkpoint in the system, in order.

  1. You’re identified. Before anything else happens, the request is checked against your sign-in. Chat confirms who you are, which organization (your “tenant”) you belong to, and what you’re allowed to do. A request that can’t prove all three is turned away. This is why you never see another organization’s data: your identity is stamped onto the request and travels with it the whole way.

  2. Your message is reviewed on the way in. The incoming question is screened for safety — for example, attempts to misuse the assistant. This is the first of the safety reviews, and it happens before any searching or reasoning begins.

  3. Chat gathers what it needs to answer. Depending on your question and the assistant you’re using, Chat may search your organization’s knowledge — the documents, notes, and memory your organization has chosen to make available — and, if your administrator has enabled it, the web. It does not reach into other organizations’ data; it can only see what belongs to yours.

  4. The evidence is filtered before it’s used. Anything Chat retrieves is reviewed again, piece by piece, before it’s allowed to inform the answer. This step is where sensitive or out-of-bounds content is screened out of the material the assistant reasons over.

  5. The full request is checked before the model runs. Once Chat has assembled your question together with the relevant context, that complete package is reviewed once more before the AI model is asked to produce anything. If this review can’t be completed, Chat holds the response rather than risk an unreviewed answer.

  6. The answer is generated, then reviewed before you see it. The model produces a reply, and that reply is reviewed one final time on the way out. If the output review can’t be completed, delivery is held. Only an answer that has passed this final check reaches your screen.

  7. What happened is recorded. Each safety review along the way writes a record of its decision, and administrative actions are logged separately. These records are what make the system auditable after the fact.

You may see a brief notice in the product letting you know a message was reviewed for safety — for example, “Your message was reviewed for safety compliance before processing.” That isn’t an error or a sign anything went wrong. It’s the system being transparent: safety review is a built-in part of how Chat works, and it’s disclosed to you rather than hidden.

Safety review is treated as an essential activity — it’s part of operating the service responsibly, the same way authenticating you is. For that reason it can’t be switched off for an individual message. Other processing that isn’t essential, such as remembering details across conversations or indexing documents you upload, is controlled separately and described in Your privacy.

Two different kinds of record are kept, for two different reasons. It helps to keep them separate in your mind.

Every safety review described above writes one record per check. Each record notes which checkpoint ran and the outcome — whether the content passed, was not applicable, was stopped, or couldn’t be evaluated — along with whether anything resembling personal data was detected. These records are tied to the specific conversation turn they relate to.

This is the trail your security and compliance reviewers use to answer questions like “was this conversation reviewed?” and “how often is content being stopped?” People with a governance or administrator role can read and export these records; ordinary users cannot.

Separately, changes to who can do what are recorded. When someone is given or removed from a role, or has access granted or revoked, that change is written to an administrative audit log with who did it, to whom, and when. Changes to your organization’s settings are recorded the same way.

These administrative records are deliberately hard to tamper with. The settings audit trail is append-only — entries can be added but not edited or deleted, by anyone, including administrators. Role-change records likewise cannot be deleted through the product; removing them requires database-level access that no normal administrator holds. This is intentional: an audit trail you can quietly edit isn’t an audit trail.

Different records are kept for different lengths of time, and your administrator can configure several of them. As a guide:

WhatKept forNotes
ConversationsIndefinitely, until deletedConfigurable per organization; you can delete your own
Operational request logsAbout 90 daysPurged automatically
Safety / governance review recordsRetained per your organization’s policyAvailable to governance and admin roles
Role-change and settings audit logsRetained per your organization’s policyAppend-only / non-deletable through the product
Sign-in sessionsShort-lived (hours)Expire automatically

For the authoritative, current retention values for your plan, ask your SUPERWISE representative or your administrator — retention can be tailored to your organization’s requirements.

Does my conversation get used to train a public AI model? No. Your conversations stay within your organization’s boundary and are not used to train public models.

Can another organization — or another team — see my messages? No. Every request is scoped to your organization from the first step, and Chat can only retrieve knowledge that belongs to your organization. See Tenant isolation and data residency for how that separation works.

Can an administrator read my conversations? Administrators manage access, settings, and the audit trail, and roles with governance permissions can review safety records. What any given administrator can see is governed by their role. The principle is least privilege: people get the access their job requires and no more.

Does the web search send my data outside? Web search is an optional capability your administrator chooses to enable, and it’s treated as a sensitive action that requires explicit approval to be available at all. When it is used, anything it brings back is reviewed by the same evidence filter as any other source before it informs an answer.

What happens if the safety review service has a problem? The early reviews are designed to let legitimate work continue rather than block it; the final reviews before an answer is delivered do the opposite and hold the response. Either way, the behavior is deliberate and predictable — the system never quietly delivers an answer that should have been held.