Products
Solutions
Resources
Partners
About Us
Company
LoginRequest a demo

Clarity Over Complexity: A Guide to Intellistack's AI and Your Data

Niya McCray-Walker
Privacy Counsel
March 12, 2026
Share

Your top 9 questions answered by our Privacy Counsel

It seems like so long ago, but this time last year the terms “AI” and “LLM” felt like forbidden fruit to some of our customers. In the past year, Intellistack has worked diligently, and in some cases feverishly, to usher in new tools and automations to streamline customer workflows, reduce manual processes, and free up more time for our customers to devote to the projects that are important to them. These innovations, understandably so, prompt questions. As we’ve worked to revolutionize workflows, customers have encouraged us to provide clarity in our messaging and contracting to confirm that we take data management and security seriously and are committed to safeguarding your data.

In this article, we’ll talk about the big-ticket questions we hear over and over—plainly, collaboratively, and without the legalese. Please note: this article is informational and not legal advice. If you need advice for your specific situation, please speak with your version of me i.e. counsel.

Q1: Are you training AI on our data?

The first question we unanimously hear is “Are you training AI on our data?” When we talk about AI/automation inside Intellistack’s portfolio of products, our approach is to design AI-enabled and AI-native features to do work for you without turning your information into someone else’s “fuel.” 

We do not train on your data. Instead, we use metadata (i.e., the name of a column within a form) and telemetry to get better at helping you. When you work with us, you can expect clear descriptions of what a feature does (dependent on your use case) and clear statements about how inputs/outputs are handled, whether you are visiting our help center, engaging with customer support, or speaking with myself. 

To be clear, your content remains your content and confidentiality obligations apply to AI-enabled processing the same way they apply to everything else. You shouldn’t have to, and don’t with Intellistack, trade away basic IP/confidentiality expectations just to get automation.

Q2: What does your AI actually touch?

The next question we hear often is “What data does the AI actually touch?” We understand you,“AI” can sound like it’s rummaging through everything. In reality, well-built workflows, like Intellistack’s Streamline workflows, only touch what we need, only when we need. We focus on:

  • Data minimization: the feature should only access the minimum content needed to produce the result

  • Purpose limitation: content is used to deliver the requested functionality, not wander off into side quests

  • Role-based access: features respect your permissions; AI doesn’t get an all-access pass to your data

If you’re evaluating a specific automation, including our own Intellistack products, it’s my recommendation that the practical way to assess it is to ask a combination of the following questions: (1) What’s the input?, (2) What’s the output?, (3) Where does it run (in-product vs. third-party)?, (4) How long is it retained?, and (5) Who can access it?

Q3: Can we turn AI off?

At Intellistack, we are equipped to answer those questions. In fact, we welcome them. During the AI rapidfire, we are also asked “Can we turn it off?” Our customers want the benefits of AI and control over their data, which is a reasonable ask. 

AI functionality varies by product. Intellistack Streamline is AI-native, meaning AI is built into the product’s core and cannot be disabled. 

In Formstack Forms, AI (known as “Forms AI”) is optional and can be turned on or off by an Org Admin in account settings. If you’re rolling out AI features gradually, we understand the need for phased adoption, which is why we have several tooling options that can support your needs.

Q4: Where does our data go, and who else touches it?

After customers identify whether our AI functionality complements their goals, they start to wonder “Where does our data go, and who else touches it?” This question is usually about third parties, including AI infrastructure and model providers. Typically, customers want to know:

  • Do you use subprocessors? Yes, and so does every other SaaS company.
  • Which ones and what do they do? For more information on that please visit our trust center.
  • Do they get our content, metadata, or both? We have contracts that limit what subprocessors can do with customer data.
  • Are there controls around onward disclosure? Our security expectations don’t drop just because a vendor is involved.

The standard we aim for is transparency. So, if your org has “no surprises” requirements (many do), we’re aligned.

Q5: How long do you keep inputs/outputs, and can we delete them?

In keeping with that transparency, we are often asked “How long do you keep inputs/outputs and can we delete them?” Retention is undoubtedly where trust either gets real or gets awkward (or sometimes a combination of the two. In AI-enabled workflows, there are typically multiple retention “buckets,” like:

  • Your primary records (what you store in Intellistack)

  • System logs/telemetry (needed for reliability and security)

  • AI feature artifacts (temporary processing, cached results, or outputs you choose to save)

We aim to provide retention that matches the purpose (there’s no “forever” by default), clear deletion behavior tied to your account/data lifecycle and, of course, our internal policies, and a straightforward explanation of what’s deletable versus what’s required for security/compliance logging. 

Q6: Can a human see our data? Does support see our data?

When we start the retention discussion, the next question that follows is generally “Can a human see our data/what about support?” This one is more about the truth of real-world operations. As a customer, you want products to be secure and supportable when something breaks at 4:57pm on a Friday (because it’s always a Friday). 

Our north star at Intellistack is:

  • Least privilege, which means access only when needed

  • Auditable access, meaning access that is traceable

  • Process controls, which are approvals, role separation, and tight operational guardrails

Q7: What security controls are in place?

Your use of AI features doesn’t infringe on the rights and security that you expect from us. To that end, it’s not uncommon for customers to probe in asking, “What security controls are in place?” 

At Intellistack, we take privacy seriously, and that’s my actual job as the Privacy Counsel. Sometimes customers frame this as “Are you SOC 2?” Sometimes it’s “Do you encrypt everything?” Sometimes it’s just a long inhale followed by: “Talk to me about ________ (fill in the blank with incident response, data transfers, business continuity, data residency, etc.).”

The easiest way to think about Intellistack’s security posture is by layers:

  • Encryption (in transit and at rest)

  • Access controls (SSO/MFA, RBAC, least privilege)

  • Secure development (testing, review, change management)

  • Monitoring (detection, alerting, audit trails)

  • Response readiness (documented incident procedures and timelines)

When you want the flow-state dive into Intellistack security, our InfoSec leader and CIO is the right person to talk through technical security posture in detail—especially for security questionnaires and risk reviews. Contact your account Intellistack representative for details on how you can learn more about our technical security posture. 

Once you’ve opened the security floodgates, generally your people (such as lawyers) want to talk to our people–myself, as privacy counsel, and our corporate legal counsel. 

Q8: We need contracting clarity, and a DPA, PAA, or partnership agreement. Can you help?

Intellistack’s sales team will ferret us this question straight from the customer “We need contracting clarity: DPA, HIPAA/BAA, and partnership complexity?” To be honest, this is probably my favorite question because DPAs, BAAs and all flavors of security addenda are my bread and butter. 

This theme comes up a lot: customers aren’t just buying a tool…they’re searching for that seamless solution that plugs into their privacy and compliance ecosystems.

From my side, here are the big contracting pain points we’ve been working to address more cleanly:

Data Processing Agreements (DPAs)

A DPA should clearly cover:

  • roles (controller/processor where applicable)
  • subprocessors
  • incident notification expectations
  • cross-border transfer mechanisms (when relevant)
  • security measures

HIPAA / Business Associate Agreements (BAAs)

For healthcare customers, the big questions tend to be:

  • what PHI in the workflow
  • permitted uses/disclosures
  • Safeguards
  • breach reporting
  • subcontractor/flow-down obligations

I have been actively refining language here to make it operationally accurate and customer-friendly. It’s important to us because it’s important to our customers.

Multi-tier partnerships 

A recurring reality: one party signs, another configures, another uses, and a fourth audits. Traditional DPAs are often written for a simple customer to vendor relationship. But modern implementations can (and do) involve:

  • Resellers
  • implementation partners
  • embedded workflows
  • shared environments or delegated admin

We’re working toward clearer structures that reflect those realities. Complexity doesn’t mean that responsibilities get lost in the shuffle.

Q9: What will you keep doing? What can I expect next?

Once these major questions are handled and you’ve happily integrated Intellistack products into your processes, the questions don’t stop. The unwritten question that you should always be asking is “What will you keep doing/what can I expect next?” 

In addition to this article and our Trust Center, we are committed to providing you with clarity in documentation and contracting, with security-first design that doesn’t slow you down, with practical controls that match how enterprises actually govern emerging technology, and with direct answers when you ask direct questions (radical concept, we know).

If you’re currently considering our AI-enabled products and AI-native Intellistack Streamline platform, and you have a list of questions (or a spreadsheet), send them to your primary Intellistack contact. We’d rather collaborate early than do the “late-stage contract panic sprint” later. 

Intellistack was founded on curiosity and innovation, so it comes as no surprise to us that our customers share those traits. We aim to exceed your needs while working hand-in-hand to create a seamless suite of products that allow you to dream, do, and be better. 

Still, we acknowledge that innovation only works when trust is built. That’s why our commitment isn’t just to push new AI-native products, but rather to push them with the same rigor you expect everywhere else in your program: clear documentation, transparent data handling, practical controls, and contract language that matches reality. 

If you’ve ever pushed us for more clarity, more guardrails, or more specificity: thank you. That feedback has made the product stronger, and it’s made our partnership better. As you explore what’s next, whether you’re piloting a single workflow or reimagining an entire process, we want you to feel confident in two things: what the products can do for your organization and how your data is protected while it's being used. Keep the questions coming and we’ll keep answering them.

Related

All Blog Posts →
No items found.