Security & trust

Your decisions are sensitive. We take security seriously.

Data isolation & architecture

Multi-tenant architecture with row-level security (RLS). Each workspace's data is logically isolated and encrypted. We use PostgreSQL with strict access controls.

Encryption

All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256. Encryption keys are managed by AWS KMS.

Access controls

Role-based access control (RBAC) within workspaces. Admin, member, and viewer roles. All API requests are authenticated and authorized.

Logging & audit trails

All significant actions are logged: decision creation, updates, deletions, and access. Logs are retained for 90 days (configurable for Enterprise).

Privacy posture

Private by default. No auto-ingestion of messages or meetings. All capture actions are user-invoked and explicit. Human-confirmed decisions only.

Subprocessors & infrastructure

Hosted on AWS (US region). Payment processing by Stripe. We do not sell or share your data with third parties for marketing purposes.

Data retention

  • You control your data. Delete decisions anytime.
  • Deleted data is permanently removed within 30 days.
  • Enterprise customers can configure custom retention policies.

Compliance & certifications

  • SOC 2 Type II in progress (expected Q2 2026)
  • GDPR-compliant data handling
  • Data Processing Agreement (DPA) available for Enterprise

Incident response

  • 24/7 monitoring and alerting
  • Incident response plan with escalation procedures
  • We notify affected customers within 72 hours of any breach

Questions about security?

We're happy to discuss our security practices, provide additional documentation, or answer specific questions for Enterprise customers.
