Answer across private Confluence pages and restricted spaces from your own session — no Forge app, no admin install. Sidenote for Confluence.
Secure, private document AI — by design.
Sidenote reads sensitive documents — Confluence runbooks, SharePoint files, contracts, research — so security isn't a footnote. Your content is stored in the UK, isolated per account, never used to train AI models, and read from your own browser session rather than crawled by a server. Here is exactly how it works.
Six commitments, not a trust-us.
UK data residency
Your documents are stored in the United Kingdom — the eu-west-2 (London) region on Supabase — not shipped to a US data centre by default.
Never used to train AI
Sidenote never fine-tunes models on your content, and the model and embedding providers it uses (Anthropic and Voyage AI) run with no-training defaults on the tiers we use.
Isolated per account
Every account's content sits behind row-level security and is encrypted at rest, so no two accounts can ever read each other's documents or chunks.
Read-only connectors
Connected accounts use least-privilege, read-only scopes (read-only Microsoft Graph for SharePoint & OneDrive), granted per document. Disconnecting one deletes its tokens immediately.
You control retention
Choose per document: Store keeps it indexed while your account is open; Discard purges it within 24 hours. Delete anything from your library at any time.
Runs in your browser
Sidenote reads the page you already have open, on your own logged-in session — so private pages are read locally, not crawled by a server-side bot with broad credentials.
“Is it safe to upload documents to AI?”
It depends entirely on what the tool does with your documents — where they go, who can read them, and whether they train a model. Most “chat with your PDF” tools upload your file to a server you don't control. Sidenote was built the other way around: it reads the document in your browser, and the only thing it keeps is what you choose to store, in your own isolated, UK-hosted account.
We wrote the full checklist, “Is it safe to upload documents to AI? What to check”, so you can evaluate any tool, not just ours.
Built for teams that have to answer to someone.
UK GDPR & data residency
Sidenote is a UK sole trader and processes personal data under UK GDPR, with data stored in the eu-west-2 (London) region. The privacy policy sets out what's collected, how it's stored, and how to have it deleted. For a data-processing agreement or specific procurement documentation, email support.
Certifications, honestly
Sidenote is an independent, solo product and is not yet SOC 2 certified. It already applies the controls such an audit looks for — encryption at rest, per-account isolation, least-privilege read-only connectors and no model training — and a formal attestation is on the roadmap. To report a vulnerability, see the security & disclosure policy.
Private wikis and drives, without a server-side crawl.
Because Sidenote reads what your browser renders, it answers across the tools that hold your most sensitive content — without an admin granting a server-side integration broad access to everything.
Read-only Microsoft Graph scopes, granted per document — never a blanket crawl of your tenant. Sidenote for SharePoint.
Chat across your Notion workspace from the page you're on, cited to the source block. Sidenote for Notion.
Private by default. Cited by design.
Add Sidenote to Chrome and ask your sensitive documents a question — read from your own session, stored in the UK, never used to train a model.
UK-hosted · No model training · Per-document retention control