Content AI privacy

At Tiptap we value your privacy. So when using Tiptap Content AI that topic may raise some questions which we like to address in detail below.

Cloud integration

The Tiptap Content AI Cloud Version acts as a proxy between your client (the Tiptap Editor) and OpenAI. This is done to protect your OpenAI secret from the client, as it is an anti-pattern to share secrets publicly and user-facing.

When using our cloud service, you’ll need to enter your OpenAI secret in your AI settings page. This key is then encrypted and stored in our database. We use this key to perform requests against the OpenAI API on your behalf.

Data Flow

The general flow of data looks like this:

  1. Your client (the Editor) performs an AI command like translate
  2. The AI extension sends a request to our backend service
  3. The backend performs a lookup of your given App ID and ensures that the provided token (the generated JWT) is valid and continuous the request or aborts with an error code
  4. After the authorization process the backend builds a prompt based on the desired command and uses your OpenAI API key to send the request to the OpenAI API
  5. Once the request is processed, the response is send back to the client

What we record

During the process described above, we record the following data on a regular basis to ensure that our services works correctly and reliable:

  • HTTP logs including timestamps, a correlation ID, the referrer, user agent and IP including the relevant request headers and portion of the request body in order to ensure that the service is operational and prevent any abuse
  • Performed operation mapped to your team including the timestamp, the correlation ID, the command (e.g. “translate”) and a timestamp in order to track the usage of your plan limits

To be able to help you in case there’s something off, we implemented a mechanism called “enhanced logging”.

Only when asked to do so (e.g. for debugging) and with your permission we may enable enhanced logging. To be clear: This is NOT the default. However, this leads to the following additional fields recorded:

  • Input text and options, the built prompt of our backend and the response of OpenAI

Those data points help us to trace errors on each side and help you sort out any issues you may experience. After debugging is complete, we immediately disable the enhanced logging.

Encryption

As mentioned above, we’re storing the following values encrypted in our database:

  • Your OpenAI API Key
  • Your JWT Secret

Those secrets are only decrypted when needed to authorize or fulfill a request.

All traffic between the client, the backend and OpenAI is encrypted using the latest SSL standards.

On your premises

The on-premise version works technically the same as the cloud version. It acts as a proxy between the client and OpenAI, too.

Some things are different for obvious reasons:

  • The OpenAI API key is stored in your desired location and is never sent to us
  • We do not get any usage information on the performed requests
  • The logs are sent to stdout and you’re able to use them as you’d need and like

Therefore, the on-prem version gives you full control over the gathered data and metrics.