Security
Last updated: April 4, 2026
How Deckary Works
Deckary is a PowerPoint add‑in that runs inside Microsoft 365. Your slide content stays within your Microsoft environment — we don't access or store it.
The add‑in only communicates with Deckary services for:
- Authentication tokens
- AI prompts (if you use AI features)
- Subscription status
- Excel link data (if you use Excel linking)
- Saved slides (if you use the slide library)
What We Collect
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account identification | Duration of account |
| Subscription status | Feature access | Duration of account |
| Basic usage analytics | Product improvement | 2 years |
| Saved slides (optional) | Slide library for reuse across presentations | Duration of account |
| Excel link data (optional) | Sync charts between Excel and PowerPoint | 24 hours (auto‑deleted) |
| AI prompts | Generate or edit slide content | Not stored by Deckary. 30‑day retention by Anthropic |
AI Features
If you use AI features (Slide Builder, Text Rewrite), your prompts are sent to Anthropic (Claude) via encrypted connection. We don't store prompts or responses.
- No training on your data: Anthropic does not use API inputs or outputs to train models.
- 30‑day retention: Anthropic automatically deletes API inputs and outputs within 30 days.
- Certifications: Anthropic holds SOC 2 Type II, ISO 27001, and ISO 42001.
Image Generation
If you use AI image generation, your text prompt is sent to Google (Gemini) via encrypted connection. No slide content or presentation data is sent — only the text description you provide. Google does not use API data to train models.
Excel Linking (Optional)
If you use Excel‑to‑PowerPoint chart linking:
- Selected cell data is temporarily stored on our servers to sync between Excel and PowerPoint.
- Data is encrypted in transit (TLS) and at rest (AES‑256).
- Stored cell data expires and becomes inaccessible after 24 hours.
- Only accessible to your account.
If your data policies prohibit this, you can use Deckary without Excel linking — charts can be created with manual data entry instead.
Slide Library (Optional)
Users can save slides to a personal library for reuse across presentations. If you use this feature:
- Slide content (shapes, text, images) is stored on our servers linked to your account.
- Data is encrypted in transit (TLS) and at rest (AES‑256).
- Only accessible to your account.
If your data policies prohibit this, the slide library feature can be disabled. All other Deckary features work without it.
Offline License
Deckary offers an offline license for organisations that prohibit external AI processing or require minimal data transmission. With an offline license:
- No data sent to AI providers: AI features (Slide Builder, Text Rewrite, image generation) are fully disabled.
- Excel linking disabled by default: No cell data is transmitted to our servers. Excel linking can optionally be enabled if needed.
- Minimal connectivity: Only a brief authentication check is required once every 7 days to revalidate the license.
- Personal slide library disabled: Saving slides to your personal library requires server storage and is disabled with an offline license.
- Full feature set otherwise: Charts, templates, keyboard shortcuts, icons, and flags all work locally.
This makes the offline license suitable for air‑gapped environments, regulated industries, or any organisation where data leaving the Microsoft 365 environment is not permitted.
Infrastructure
Deckary relies on SOC 2 certified infrastructure providers for all data processing and storage.
| Provider | Purpose | Certification |
|---|---|---|
| Auth0 (Okta) | Authentication | SOC 2 Type II |
| Supabase | Database and file storage | SOC 2 Type II |
| Vercel | API hosting | SOC 2 Type II |
| Stripe | Payments | PCI DSS Level 1 |
| Anthropic | AI processing | SOC 2 Type II, ISO 27001 |
| Google (Gemini) | Image generation | SOC 2 Type II, ISO 27001 |
| Railway | WebSocket relay | SOC 2 Type II |
| Brevo | Transactional email | GDPR compliant |
Security Measures
- Encryption in transit: TLS 1.2+ for all connections.
- Encryption at rest: AES‑256 (managed by Supabase).
- Authentication: OAuth 2.0 via Auth0.
- Row‑Level Security: Database access policies ensure users can only access their own data.
- Security headers: HSTS, X‑Frame‑Options, X‑Content‑Type‑Options, strict Permissions‑Policy.
Incident Response
In the event of a confirmed data breach, we will notify affected customers within 72 hours.
Access Controls
Access to production systems and customer data is limited to founding engineers. We follow the principle of least privilege — team members only have access to the systems required for their role.
Data Protection
Deckary is designed to align with GDPR data protection requirements:
- Data minimisation: we collect only what's needed.
- Right to access and deletion: email us at [email protected].
- Data Processing Agreement available on request.
Contact
For security questions, DPA requests, or to discuss your organisation's requirements: [email protected]