Security & Trust Centre

Your audit data.
Protected by design.

AssurAI is built for audit and compliance professionals who handle the most sensitive financial and operational data in their organisations. Here's exactly how we protect it.

All systems operational
Last updated: May 2026
πŸ›οΈ
SOC 2 Type II
Via Supabase
Our database infrastructure is hosted on SOC 2 Type II certified infrastructure. AssurAI-level certification planned for 2027.
πŸ‡ͺπŸ‡Ί
GDPR
Compliant
DPA signed with all sub-processors. EU data residency available on request.
πŸ”
Encryption
AES-256 + TLS 1.3
All data encrypted at rest and in transit. Zero plaintext storage.
πŸ“‹
AssurAI SOC 2
Planned Q1 2027
We will obtain our own SOC 2 Type II certification as we scale.
Built on enterprise-grade infrastructure
AssurAI runs on AWS (via Supabase) and Netlify's global edge network — the same infrastructure used by thousands of enterprise SaaS platforms.

Layer 1: Cloudflare CDN + WAF
DDoS protection, web application firewall, bot mitigation, global edge caching across 300+ cities.

Layer 2: Netlify Edge Network
Serverless functions, SSL/TLS termination, atomic deployments, zero-downtime updates. Hosted on SOC 2 Type II certified infrastructure.

Layer 3: Supabase PostgreSQL (AWS us-east-1)
Managed PostgreSQL with row-level security, point-in-time recovery, and automated backups every 24h retained for 7 days. SOC 2 Type II, ISO 27001, HIPAA eligible.

Layer 4: Anthropic Claude API
AI processing via Anthropic's API. Data sent for inference is not used for model training. Anthropic is hosted on SOC 2 Type II certified infrastructure.
End-to-end encryption — always on
Your data is encrypted at every stage — in transit, at rest, and in backups. There is no configuration option to disable encryption.

TLS 1.3 in transit: All data between your browser and our servers is encrypted with TLS 1.3. Older protocols (TLS 1.0, 1.1) are rejected.

AES-256 at rest: All database data is encrypted at rest using AES-256. This includes workpapers, findings, projects, and all user data.

Encrypted backups: Automated daily backups are encrypted before storage. Point-in-time recovery available for the last 7 days.

HTTPS everywhere: All AssurAI pages and APIs are served over HTTPS. HTTP requests are automatically redirected. HSTS enforced.

Secrets management: API keys and secrets are stored as encrypted environment variables. They are never embedded in code or logs.

Secure file storage: Evidence files and attachments are stored in Supabase Storage with per-object access controls and signed URLs.
Your data is yours — completely isolated
AssurAI uses a multi-tenant architecture with strict row-level security. No customer can ever access another customer's data.

Starter & Professional: Shared database, isolated data (standard SaaS model)
All customers share one database infrastructure, but your data is strictly isolated by organisation ID using PostgreSQL Row Level Security (RLS). Every query is automatically scoped to your organisation — it is architecturally impossible to query another organisation's data.

Enterprise: Dedicated database instance (available on request)
Enterprise customers receive a dedicated PostgreSQL database instance. Your data is physically separated from all other customers at the infrastructure level. Available in US or EU region.

All tiers: Sandbox environment (included free)
Every account includes a sandbox environment for testing. Sandbox and production data are completely separate — test data never touches your live audit records.

Row Level Security (RLS): PostgreSQL RLS policies enforce that every database query — without exception — is scoped to your organisation. This happens at the database engine level, not in application code.

Organisation isolation: Every record in AssurAI carries an org_id. The database rejects any query that attempts to read or write data across organisation boundaries.

Token-bound access (JWT): Every API request is authenticated by a short-lived JWT. Tokens expire after 1 hour. Refresh tokens are rotated on each use and can be revoked instantly.
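The following is an added illustration, not AssurAI's own schema or policies: a PostgreSQL row-level security setup of the kind the three points above describe, where each row carries an org_id and the caller's organisation is taken from the JWT. The table, function and policy names are hypothetical; it assumes the token carries an org_id claim and that Supabase's auth.jwt() function and authenticated role are available.

```sql
-- Added example, not AssurAI's schema. Hypothetical workpapers table in
-- which every record carries an org_id, as the page describes.
create table workpapers (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  title      text not null,
  created_at timestamptz not null default now()
);
-- Enable RLS; FORCE makes the policies apply to the table owner as well.
-- Once enabled, a command with no matching policy is denied. Roles with
-- BYPASSRLS (Supabase's service_role, for example) are not constrained,
-- so that credential must stay server-side and never reach a browser.
alter table workpapers enable row level security;
alter table workpapers force row level security;
-- The caller's organisation, read from the verified JWT. Assumptions: the
-- token carries an org_id claim, and auth.jwt() (Supabase's accessor for
-- the request's claims) is available. A missing claim yields NULL, and
-- "org_id = NULL" is never true, so such a token sees and writes nothing.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() ->> 'org_id', '')::uuid
$$;
-- Reads are filtered rather than errored: rows belonging to other
-- organisations are simply invisible to this token.
create policy workpapers_select on workpapers
  for select to authenticated
  using (org_id = current_org_id());
-- Writes: WITH CHECK applies the same predicate to the new row, so a
-- client cannot insert into, or move a row into, another organisation by
-- supplying an explicit org_id; such a statement fails with an error.
create policy workpapers_insert on workpapers
  for insert to authenticated
  with check (org_id = current_org_id());
create policy workpapers_update on workpapers
  for update to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());
create policy workpapers_delete on workpapers
  for delete to authenticated
  using (org_id = current_org_id());
-- Check, as the authenticated role with a token for one organisation:
-- select count(*) from workpapers;  -- counts only that organisation's rows
```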
Who can access what — and when
AssurAI operates on a strict need-to-know basis, both for your team members and for AssurAI staff.

Your team's access

Role-based access control (RBAC): Admin, Manager, Auditor, and Reviewer roles with granular permissions per module.

Multi-factor authentication: MFA available for all users. Enterprise customers can enforce MFA organisation-wide.

SSO / SAML 2.0: Connect your identity provider (Okta, Azure AD, Google Workspace) for centralised access control.

Audit trail: Every action — view, create, edit, approve, export — is logged with timestamp, user, and IP address.

AssurAI staff access

Support access by consent only: AssurAI staff can only access your data with your explicit written consent — for example, to diagnose a support issue you've reported.

Logged and time-limited: Any support access is logged, time-limited, and immediately revoked when the issue is resolved.

No AI training on your data: Your data is never used to train AI models — by AssurAI or by Anthropic. AI inference is stateless.
Your data stays where you need it
Choose where your data is stored to meet local regulatory requirements, including GDPR data residency obligations for European customers.

United States — AWS us-east-1 (default, active)
Default region for all customers. Data centre in Northern Virginia. Suitable for US customers and those without specific data residency requirements.

European Union — AWS eu-central-1 (available on request)
Frankfurt, Germany. GDPR-compliant data residency for EU/EEA customers. Data never leaves the EU. Available for Professional and Enterprise plans.

United Kingdom — AWS eu-west-2 (planned Q3 2026)
London. Post-Brexit UK data residency for customers with UK GDPR requirements. Planned for rollout Q3 2026.

Asia Pacific — AWS ap-southeast-1 (planned Q4 2026)
Singapore. For customers in the APAC region with local data residency requirements. Planned for rollout Q4 2026.
Third parties that process your data
We maintain a complete list of sub-processors who may process your data. We will notify you of any changes 30 days in advance.

Supabase
  Purpose: Database, authentication, storage
  Data processed: All customer data
  Location: AWS us-east-1 (US) / eu-central-1 (EU)
  Certifications: SOC 2 Type II · ISO 27001 · HIPAA eligible · GDPR

Anthropic
  Purpose: AI / LLM inference
  Data processed: Prompts submitted for AI analysis
  Location: United States
  Certifications: SOC 2 Type II · No training on customer data

Netlify
  Purpose: Application hosting, CDN, functions
  Data processed: Request logs, function execution
  Location: Global edge (AWS + GCP)
  Certifications: SOC 2 Type II · GDPR

Cloudflare
  Purpose: CDN, DDoS protection, WAF
  Data processed: Request metadata (no content)
  Location: Global edge network
  Certifications: SOC 2 Type II · ISO 27001 · GDPR

Resend
  Purpose: Transactional email
  Data processed: Email address, notification content
  Location: United States
  Certifications: SOC 2 Type II · GDPR

Stripe
  Purpose: Payment processing
  Data processed: Billing information only
  Location: United States
  Certifications: PCI DSS Level 1 · SOC 2 · ISO 27001
What happens if something goes wrong
We have a documented incident response procedure. In the event of a confirmed data breach, we will notify affected customers within 72 hours — meeting GDPR Article 33 requirements.

1. Detection (continuous monitoring)
Automated monitoring alerts on anomalous access patterns, failed authentication spikes, or unusual data export volumes. Sentry monitors application errors in real time.

2. Containment (within 1 hour of detection)
On a confirmed incident, affected accounts are immediately suspended and access tokens revoked. The attack surface is isolated within minutes.

3. Assessment (within 24 hours)
We determine what data was accessed, by whom, and for how long. We assess whether it constitutes a personal data breach under GDPR Article 4(12).

4. Customer notification (within 72 hours — meeting GDPR Article 33)
Affected customers are notified with a plain-language summary of what happened, what data was affected, what we've done, and what they should do.

5. Remediation & review (within 30 days)
Root cause analysis, patch deployment, and a post-incident report published to affected customers. Process improvements implemented.
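As an added illustration, not AssurAI's real audit schema or alerting rules: a hypothetical audit_log table with the fields listed under Audit trail (timestamp, user, IP address, action) and two PostgreSQL queries that flag the failed-authentication spike and unusual export volume signals named in the Detection step. The thresholds and the sample rows are constructed.

```sql
-- Added example, not AssurAI's schema: an audit trail with the fields the
-- page lists (timestamp, user, IP, action) and detection queries for two
-- of the signals named under "Detection".
create table audit_log (
  org_id    uuid not null,
  user_id   text,                 -- null when the login never succeeded
  ip        inet not null,
  action    text not null,        -- 'login_failed', 'view', 'export', ...
  logged_at timestamptz not null default now()
);
-- Constructed sample: 12 failed logins from one IP inside a single
-- 5-minute bin, and a user with no export history pulling 25 workpapers.
insert into audit_log (org_id, user_id, ip, action, logged_at)
select 'a0000000-0000-4000-8000-000000000001'::uuid, null, '203.0.113.10'::inet,
       'login_failed', date_bin('5 minutes', now(), timestamptz '2000-01-01')
         - interval '10 minutes' + make_interval(secs => n * 15)
from generate_series(1, 12) n;
insert into audit_log (org_id, user_id, ip, action, logged_at)
select 'a0000000-0000-4000-8000-000000000001'::uuid, 'auditor-7', '198.51.100.5'::inet,
       'export', now() - interval '20 minutes' + make_interval(secs => n * 20)
from generate_series(1, 25) n;
-- Rule 1: failed-authentication spike. Bin failures into 5-minute windows
-- (date_bin needs PostgreSQL 14+); alert when one IP exceeds 10 in a bin.
select ip, date_bin('5 minutes', logged_at, timestamptz '2000-01-01') as window_start,
       count(*) as failures
from audit_log
where action = 'login_failed' and logged_at > now() - interval '1 day'
group by ip, window_start
having count(*) > 10;
-- Rule 2: unusual export volume. Compare each user's exports in the last
-- hour with their hourly rate over the prior 30 days; alert at 5x the
-- baseline, or at 20 absolute when there is no history to compare against.
with recent as (
  select org_id, user_id, count(*) as n
  from audit_log
  where action = 'export' and logged_at > now() - interval '1 hour'
  group by org_id, user_id
), baseline as (
  select org_id, user_id, count(*) / (30.0 * 24) as per_hour
  from audit_log
  where action = 'export'
    and logged_at between now() - interval '31 days' and now() - interval '1 hour'
  group by org_id, user_id
)
select r.org_id, r.user_id, r.n as exports_last_hour,
       coalesce(b.per_hour, 0) as baseline_per_hour
from recent r left join baseline b using (org_id, user_id)
where r.n > greatest(20, 5 * coalesce(b.per_hour, 0));
```

Both queries return no rows when nothing is anomalous, so each can be scheduled and wired to raise an alert on any row returned.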
Found a security issue? Tell us.
We take security reports seriously. If you discover a vulnerability in AssurAI, please report it responsibly and we will respond within 48 hours.

Report to us: Email security@getassurai.com with details of the vulnerability. We will acknowledge within 48 hours and keep you informed of our progress.

Safe harbour: We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, following responsible disclosure principles.

Our commitment: We aim to patch critical vulnerabilities within 24 hours, high severity within 7 days, and medium severity within 30 days of a confirmed report.

Recognition: Verified reporters are acknowledged in our security hall of fame (with permission). We do not currently offer a paid bug bounty programme.

Security questions? Talk to us directly.

We're happy to complete vendor security questionnaires, provide our sub-processor list, or discuss your specific compliance requirements.