Data residency
Wisteria is hosted on Vercel (US-East default) with a Supabase database (configurable region). AI services (Anthropic Claude, OpenAI Whisper, Resend email) run in the US.
This page is honest about what crosses borders, why, and the options for customers with stricter requirements.
Primary data storage
- Database: Supabase (Postgres). Region currently:
us-east-1(Virginia, USA). - File storage: Supabase Storage. Same region as the database.
- Application servers: Vercel. Edge functions run in multiple regions; the primary functions execute in
iad1(US East).
AI services
Wisteria sends data to three external AI providers:
- Anthropic Claude — for card generation, quiz generation, ambient scanner evaluation, oral grading. Runs in the US.
- OpenAI Whisper — for transcribing oral quiz answers. Runs in the US.
- Resend — for transactional email. Runs in the US.
When you write a flashcard, save a quiz, run a scan, or take an oral question, data is transmitted to these providers. The data is used to produce the immediate response (a generated card, a transcript, an email) and is not retained by the AI provider for training, per their published policies.
EU customers
The current setup means data from EU customers transits to the US for AI processing. If you have GDPR-related residency requirements, this affects you.
What we can offer today:
- A signed DPA — available on request.
- The legal basis — we rely on Anthropic’s, OpenAI’s, and Resend’s published transfer mechanisms (SCCs).
- A note on transcription — Whisper data is processed and immediately discarded; transcripts are stored only in your Wisteria workspace database.
What’s on the roadmap:
- EU-region database hosting — Supabase supports
eu-west-1(Ireland). Switching new EU workspaces to this is straightforward. - EU-region AI processing — Anthropic doesn’t currently expose a regional endpoint. We’ll switch when they do.
- Self-hosted option for very high-sensitivity customers — under exploration.
If you have an EU-residency requirement that blocks adopting Wisteria, talk to us at hello@getwisteria.com. We’re prioritising based on customer demand.
APAC customers
For customers in Singapore, Malaysia, Japan, Korea:
- Database is currently US East. Latency from APAC is ~200ms — acceptable but not great.
- EU/APAC region migration — same roadmap item as above.
- Feishu (China) users: data still transits to US infrastructure for AI processing. Lark/Feishu app credentials are stored in Wisteria’s US database. If you have strict in-China-only requirements, contact us.
Data Wisteria stores per workspace
Inside the US-region database:
- User profiles — name, email, role, department, password hash (bcrypt), session tokens
- Course content — flashcards, quizzes, course metadata
- Quiz attempts — every learner’s answers, scores, timestamps
- Audit log — every consequential change in the workspace
- Integration tokens — encrypted at rest (see Token storage per provider)
- AI Training Profile text — used as context for Claude
The data is stored as long as your workspace exists. When you delete a user, their personal data cascades; when you delete a workspace entirely, all data is purged within 30 days (some backup retention may apply — talk to support for specifics).
Data leaving the database
A few categories of data leave the Wisteria database in normal operation:
| Destination | What | When | Retained? |
|---|---|---|---|
| Anthropic Claude | Flashcard content, quiz text, source documents, AI Training Profile | On generation/evaluation | No |
| OpenAI Whisper | Oral quiz audio | On submission | No |
| Resend | Email headers + body | On send | Per Resend’s policy |
| Browser (your team) | Page content over HTTPS | On every request | Browser’s local cache |
| Your IT admin’s email | IT handoff magic links | On send | Until the link expires |
Backups
Wisteria’s database is backed up by Supabase daily. Backups are stored in the same region as the primary database.
Point-in-time recovery is available for the last 7 days on standard plans, longer on enterprise plans.
If you delete data and need it restored within the recovery window, contact support@getwisteria.com.
Where data is NOT stored
Wisteria does NOT store:
- Files from your team’s integrated provider — those stay in OneDrive / Google Drive / Lark Drive. Wisteria reads them to evaluate; it doesn’t copy them locally beyond temporary in-memory processing.
- Your AI provider’s API keys (if you eventually use BYOK) — stored encrypted at rest, never logged.
- Your Slack workspace tokens — Wisteria only knows your Slack webhook URL, not credentials.
Right to know
Per GDPR and several US state privacy laws, you can request a copy of all data Wisteria holds about you. Email privacy@getwisteria.com from the email address on your account. We respond within 30 days.
Right to delete
You can ask for your personal data to be deleted. Email privacy@getwisteria.com. We delete within 30 days, subject to legal hold (e.g. audit log entries authored by a deleted user remain for compliance purposes with the user’s name replaced by “Unknown” — see Users).