← AIDA

Public · Trust center

Built for teams

that take data seriously.

How we handle your data, our security controls, and our ongoing compliance posture.

01 · Locality

Where your data lives

  • Single-tenant region: all customer data lives in one region (you choose: EU or US).
  • Tenant isolation: every database row carries a tenant_id; Postgres row-level security policies prevent cross-tenant reads.

02 · Encryption

How we encrypt your data

  • In transit: TLS 1.3 on every public endpoint (Caddy + Let's Encrypt).
  • At rest: customer warehouse credentials are wrapped with envelope encryption (Fernet) before persistence.

03 · Identity

Authentication

  • Magic-link or SSO for the web app — no password auth. Magic-link tokens are SHA-256 hashed at rest, single-use, 15-minute TTL, atomic burn.
  • Workspace API keys for the public REST + MCP server. Revocable, prefix-indexed, SHA-256 hashed.

04 · Observability

Audit + observability

Every authenticated API request is recorded with timestamp, tenant, user (or API key), method, path, status, and IP. Audit retention: 90 days hot + 1 year cold. Application logs retained 30 days.

05 · Resilience

Backups + disaster recovery

Nightly logical Postgres backups, retained 30 days. Quarterly restore drill against a scratch environment.

  • RPO · 24 hours
  • RTO · 1 hour

06 · Vendors

Sub-processors

VendorPurposeAttestation
AnthropicLLM (agent answers)SOC 2 Type II
OpenAIEmbeddingsSOC 2 Type II
HetznerHostingISO 27001
GitHubSource control + PR-on-editSOC 2 Type II

07 · Compliance

Compliance posture

  • SOC 2 Type I: in progress, design controls in place. External auditor engagement scheduled for v1.1 (post-GA).
  • GDPR: data-processing agreement available on request.
  • HIPAA: not supported in v1.

08 · Contact

Reach us

For security issues, write to security@<DOMAIN>.

Last updated · 2026-05-15