Trust centre
Security and privacy at AI Partner.
We build for procurement teams. This page is the public mirror of our internal security playbook — refreshed in lockstep with the product.
Data residency
Production data is stored in EU (Frankfurt) for EU tenants and US (Iowa) for US tenants. Region is set at company creation; we never replicate across boundaries without explicit consent.
Encryption in transit
TLS 1.3 everywhere. HSTS preload enforced on the apex domain. Webhook deliveries reject HTTP and any redirect.
Encryption at rest
Database volumes are encrypted with AES-256 (provider-managed keys). Application-level AES-256-GCM wraps secrets we have to store but never re-display (TOTP, SCIM, webhook secrets).
Audit trail
Every state-changing action emits an immutable audit row with the actor, payload (redacted), IP hash, and trace id. Logs are retained for 365 days; tenants can export their slice via the public API.
Access control
Workforce SSO via Google Workspace, MFA mandatory. Application RBAC enforced per-action with row-level conditions; least-privilege defaults for every role.
Vendor management
Every sub-processor is contractually bound to GDPR Art. 28 obligations. New additions require a DPA addendum and 30-day notice.
Sub-processors
This section lists the vendors that process customer data on our behalf. Machine-readable JSON is available at /api/v1/sub-processors.
Security disclosures
Found a vulnerability? Email security@aipartner.example with a clear description, reproduction steps, and your contact details. We respond within one business day and credit reporters in our hall of fame on request.