Outwright is built for IB, PE, and VC compliance teams that don't have room for "trust us" software. MNPI-restricted by default. Your inbox, your deals, your data — never read, never shared, never used to train AI. Architectural, not a policy.
Three commitments, each verified at the code level — not just in our terms of service. If you're a compliance officer evaluating this, the architecture is what matters.
Gmail integration uses the compose-only OAuth scope — the API is physically incapable of reading your messages. Outlook drafts are created via Microsoft Graph; the platform never issues a read request against your mailbox. We see drafts going out, never replies coming in.
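A reviewer can check the scope claim above against the grant itself. The following is an added example, not Outwright's code: it classifies the space-delimited `scope` value of an OAuth token response against Gmail API scopes, and the sample grant strings are constructed.

```python
# Added example: audit the scopes on a Gmail OAuth grant (constructed inputs).
COMPOSE = "https://www.googleapis.com/auth/gmail.compose"

# Gmail API scopes that permit reading mailbox messages or message metadata.
READ_CAPABLE = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.metadata",
}

# Sign-in scopes that carry identity claims only, no mailbox access.
IDENTITY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def audit_grant(scope_field: str) -> dict:
    """Classify the space-delimited `scope` value of an OAuth 2.0 token response."""
    granted = set(scope_field.split())
    read = sorted(granted & READ_CAPABLE)
    # Anything that is neither compose, identity, nor a known read scope
    # is surfaced for manual review rather than silently accepted.
    unexpected = sorted(granted - READ_CAPABLE - IDENTITY - {COMPOSE})
    return {
        "compose_granted": COMPOSE in granted,
        "read_capable": read,
        "unexpected": unexpected,
        "compose_only": COMPOSE in granted and not read and not unexpected,
    }


if __name__ == "__main__":
    # Constructed sample grants, not captured from any real deployment.
    samples = [
        "openid email " + COMPOSE,
        COMPOSE + " https://www.googleapis.com/auth/gmail.readonly",
    ]
    for s in samples:
        print(audit_grant(s))
```

A grant passes only when `compose_only` is true; any entry under `read_capable` or `unexpected` is a finding to raise with the vendor.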
Customer Data is never sold, leased, or shared with third parties for marketing. It is processed only to provide the service to you. Each organization is fully isolated — every database query is scoped to your organizationId. One firm cannot see another firm's data, ever.
We don't fine-tune, train, or condition any model on customer data. Anthropic and OpenAI — our AI subprocessors — both contractually do not train on API customer data. Your AI gets smarter — only for you. The improvement engine that learns from your team's edits is org-scoped: nothing crosses the wall between firms.
Every new organization is created in MNPI Restricted mode — the safest tier, designed for firms handling material non-public information. Application data access by Outwright support is blocked at the application layer, regardless of any grant, override, or admin request.
Support quality without sacrificing privacy. Most issues are resolved without anyone at Outwright touching your data — and when deeper access is needed, you choose what to expose, for how long, and to whom.
The Diagnostic Report generates a JSON file with system configuration, version info, counts, connection status, and usage counters — and explicitly excludes campaign names, prospect data, email content, research, knowledge base content, API keys, and OAuth tokens. You review the full content in your browser before deciding whether to share it.
The In-App Troubleshooter runs eight automated health checks against your deployment with pass / warning / fail status. Resolves ~80% of common support issues without ever opening a ticket.
From Settings → Support Access, your admin can grant Outwright support a 72-hour, read-only view of your organization's configuration, user list, billing summary, AI usage counters, feature flags, error logs, and audit log. This view never includes deal data (campaigns, prospects, research, sequences, email content, knowledge base content), API keys, or OAuth tokens. You can revoke at any time. The grant auto-expires.
Hands-on debugging where Outwright support can view your actual application data is only possible if you have explicitly downgraded your organization to Standard tier. The downgrade requires the admin to type a 17-word confirmation phrase that explicitly acknowledges the change, and is logged in the audit trail. For IB / PE / VC / advisory firms, the safe default is the only setting that matters: this tier is unreachable.
The infrastructure baseline you'd expect from a platform you'll show to your compliance team — and a few things you wouldn't.
organizationId filter is mandatory)
Some things we want to be on the record about, in plain language, so a compliance officer reading this page knows exactly where the line is.
By default, AI inference runs through master API keys held by Outwright. You may optionally provide your own Anthropic and OpenAI keys (Bring Your Own Keys) for additional control over your subprocessor relationships.
The questions a vendor risk reviewer will ask are documented above. The Vendor Risk Review pack is the same content packaged as a single document you can save as a PDF and forward to your security or compliance team — no follow-up call required.
Direct answers to the questions that come up in vendor risk reviews from finance customers.
No. The improvement engine that learns from your team's edits is strictly org-scoped — every database query is filtered by your organizationId. Best examples and edit patterns are pulled only from users in your own organization. There is no cross-org learning, model fine-tuning, or shared training data, anywhere in the platform.
Not by default. Every new organization is created in MNPI Restricted mode, in which a hardcoded block at the application layer prevents application data access regardless of any grant. To enable hands-on debugging support, an admin would have to explicitly downgrade to Standard tier by typing a 17-word confirmation phrase. The downgrade is logged in your audit trail and is reversible at any time.
No. The Gmail integration uses the compose-only OAuth scope, which is read-incapable by API design. The Outlook integration uses Microsoft Graph and only issues create-draft requests; the application never issues read requests against your mailbox. We see drafts going out — we never see replies coming in. If you want to track replies, you mark them as replied yourself in the Outwright queue.
You retain access for the remainder of your billing period and have a 30-day window to export everything. After that, all Customer Data — campaigns, prospects, research, knowledge base content, email drafts, AI usage logs — is permanently deleted from our systems. We don't retain copies, summaries, or derivative data for our own use.
Yes — the Desktop edition runs as a single-user Electron application on your machine with a local SQLite database. AI inference still requires an outbound connection to Anthropic / OpenAI (or your own API keys via BYOK), but otherwise your data is stored locally and is physically inaccessible to Outwright under any circumstance.
From inside the platform: Settings → Support Access. You'll see every support_access.* event applied to your organization, with timestamp, actor, action, and IP. The audit log is immutable. Every superadmin action against your org is recorded — and visible to you in real time.
If your compliance team has more questions, we'd rather answer them than have you guess. Get in touch — or start the trial and see the architecture from the inside.