Trust center
AIDA is built for teams that take data security seriously. This page summarizes how we handle your data, our security controls, and our ongoing compliance posture.
Where your data lives
- Single-tenant region: all customer data lives in one region (you choose: EU or US).
- Tenant isolation: every database row carries a
tenant_id; Postgres row-level security (RLS) policies prevent cross-tenant reads.
How we encrypt your data
- In transit: TLS 1.3 on every public endpoint (Caddy + Let's Encrypt).
- At rest: customer warehouse credentials are wrapped with envelope encryption (Fernet) before persistence.
Authentication
- SSO-only for the web app (Google, Microsoft) — no password auth.
- Workspace API keys for the public REST + MCP server. Revocable, prefix-indexed, SHA-256 hashed.
Audit + observability
Every authenticated API request is recorded with timestamp, tenant, user (or API key), method, path, status, and IP. Audit retention: 90 days hot + 1 year cold. Application logs retained 30 days.
Backups + disaster recovery
Nightly logical Postgres backups, retained 30 days. Quarterly restore drill against a scratch environment. RPO: 24 hours. RTO: 1 hour.
Sub-processors
| Vendor | Purpose | Attestation |
|---|---|---|
| Anthropic | LLM (agent answers) | SOC 2 Type II |
| OpenAI | Embeddings | SOC 2 Type II |
| Hetzner | Hosting | ISO 27001 |
| GitHub | Source control + PR-on-edit | SOC 2 Type II |
Compliance
- SOC 2 Type I: in progress, design controls in place. External auditor engagement scheduled for v1.1 (post-GA).
- GDPR: data-processing agreement available on request.
- HIPAA: not supported in v1.
Contact
For security issues, write to security@<DOMAIN>.
Last updated: 2026-05-14.