Data encryption
- In transit: TLS 1.3 for all connections, HSTS enforced (1-year max-age + includeSubDomains).
- At rest (secrets): API keys, OAuth tokens, and integration credentials are encrypted with AES-256-GCM using per-deployment keys before being written to the database.
- At rest (database): full-disk encryption on the PostgreSQL volume.
Access controls
- Company-scoped tenant isolation: every query filters by companyId; cross-tenant data access is a prohibited API pattern.
- Role-based access within a company: owner (billing + delete), admin (manage team), member (use platform).
- Session tokens rotated on login; logout invalidates the session server-side.
- Internal access to production is limited to the founders; all production access is logged.
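The company-scoped isolation above is a convention ("every query filters by companyId"). As an added example, not Aidra's code, here is a data-access helper that turns that convention into something a caller cannot skip: the tenant filter is always the first predicate, an empty or missing companyId fails loudly instead of silently matching every row, and callers cannot supply their own companyId filter. It assumes PostgreSQL with a "companyId" column on every tenant-owned table and a pg-style client that accepts { text, values }; the table names and the id "c_123" are hypothetical.

```javascript
// Added example, not Aidra's code: a data-access helper that makes
// company-scoped isolation structural rather than a convention.
// Assumes PostgreSQL with a "companyId" column on every tenant-owned table
// and a pg-style client that accepts { text, values }. Table names are
// hypothetical.

const TENANT_TABLES = new Set(['agents', 'integrations', 'templates', 'audit_log']);

// Column names are interpolated into SQL, so they must be plain identifiers;
// values never are (they always go through $n placeholders).
function isSafeIdentifier(name) {
  return /^[A-Za-z_][A-Za-z0-9_]{0,62}$/.test(name);
}

// Build a parameterised SELECT that is always filtered by companyId.
// The caller cannot drop, override or widen the tenant filter:
//   - companyId must be a non-empty string (an undefined id must fail,
//     never silently match every company's rows),
//   - the table must be a known tenant-scoped table,
//   - the caller's own filters may not mention companyId.
function scopedSelect(companyId, table, filters = {}) {
  if (typeof companyId !== 'string' || companyId.length === 0) {
    throw new Error('tenant isolation: companyId is required');
  }
  if (!TENANT_TABLES.has(table)) {
    throw new Error(`tenant isolation: "${table}" is not a tenant-scoped table`);
  }
  if (Object.prototype.hasOwnProperty.call(filters, 'companyId')) {
    throw new Error('tenant isolation: companyId may not be passed as a filter');
  }
  const values = [companyId];
  const clauses = ['"companyId" = $1'];
  for (const [column, value] of Object.entries(filters)) {
    if (!isSafeIdentifier(column)) {
      throw new Error(`invalid column name: ${column}`);
    }
    values.push(value);
    clauses.push(`"${column}" = $${values.length}`);
  }
  return {
    text: `SELECT * FROM "${table}" WHERE ${clauses.join(' AND ')}`,
    values,
  };
}

// Usage: a request authenticated as a member of a company lists that
// company's enabled agents. The companyId comes from the session, never
// from request parameters.
function listEnabledAgents(companyId) {
  return scopedSelect(companyId, 'agents', { enabled: true });
}
```

A helper like this only covers queries that go through it; pairing it with PostgreSQL row-level security keyed on the same companyId (a suggestion here, not something the page states Aidra does) makes the filter hold even for a query that bypasses the helper.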
Authentication
- Password hashing: bcrypt, cost factor 10.
- Rate-limited login (5/15 min per IP) and registration (3/30 min per IP).
- reCAPTCHA v3 on registration and password-reset flows.
- Optional OAuth sign-in via Google, Apple, Facebook.
- SSO/SAML on the Enterprise roadmap — contact us if you need it before GA.
Application security
- HTTP security headers on every response: HSTS, X-Content-Type-Options, X-Frame-Options (DENY everywhere except the embeddable widget), Permissions-Policy, Referrer-Policy.
- Prompt-injection defenses: user-uploaded files and widget messages are wrapped in <untrusted_document> tags, and the agent system prompt instructs the model to treat tagged content as data, not instructions.
- Per-user rate limits on LLM endpoints to cap runaway cost.
- Stripe webhook signatures verified on every event; duplicate events detected via a unique stripeEventId.
- Dependencies reviewed and updated at least monthly.
Audit logging
Every administrative action (plan change, user role change, billing change, settings update, template edit, audit log export, account deletion) writes to an immutable audit log with timestamp, actor, resource, and change details. Admins can export the last 90 days as CSV.
Backups & disaster recovery
- Daily full database backups retained for 30 days.
- Point-in-time recovery (PITR) at the PostgreSQL level.
- Backup integrity verified on restore drills.
- Application hosted on Hetzner Cloud (Falkenstein, Germany) with automated failover for the application layer.
Sub-processors
The current list of sub-processors is published in our Data Processing Agreement. We give 14 days’ notice of any new sub-processor via email and this page.
Incident response
Once a data breach is confirmed, we notify affected Controllers within 48 hours. The notification covers what happened, what data was involved, what we are doing about it, and what you should do. Drill cadence: semi-annual tabletop exercises.
Report a security issue responsibly to security@aidra.live. We acknowledge within 24 hours and aim to remediate critical issues within 7 days.
Data residency
Primary data is stored in the EU (Germany). Some sub-processors (LLM providers, Stripe) operate globally; cross-border transfers are covered by Standard Contractual Clauses (SCCs 2021/914) and the UK IDTA as applicable.
US-only or EU-only data residency is available for Enterprise customers; contact hey@aidra.live to discuss.
Your controls
- Export all your data as a single archive from the dashboard.
- Delete your account at any time; deletion takes effect immediately, and copies in backups age out within the 30-day backup retention period.
- Per-agent and per-integration access controls.
- Your data is not used for training: Aidra never uses customer data to train LLM models, and our LLM sub-processors are contractually prohibited from doing so.
Certifications & compliance
- GDPR / UK GDPR / PIPEDA: compliant. DPA available at aidra.live/dpa.
- SOC 2 Type II: on our 2026 roadmap. Target: Q4 2026.
- HIPAA: not currently supported — do not submit PHI to Aidra.
- ISO 27001: evaluating for 2027.
Questions
Security questions: security@aidra.live
Privacy / DPA requests: privacy@aidra.live
Legal / contracts: legal@aidra.live