Trust & Security
This page is maintained by the AITA team to answer common security and privacy questions about the platform. It describes controls currently enabled in the product; it is not an independent audit or certification.
Every workspace is isolated through Postgres row-level security; users only see data their workspace role permits.
Roles (owner, admin, member) are enforced server-side. Administrative actions are recorded in an immutable activity log.
MFA is available for every account and required for admin roles. Optional single-session enforcement is available per workspace.
Data is encrypted in transit (TLS 1.2+) on every connection and at rest in the underlying managed database and object storage.
Secrets and API keys are stored in a managed secret store and never committed to source control.
Customer data is hosted in EU or US regions of our infrastructure providers. Workspace admins can configure activity-log retention.
On workspace deletion, customer-identifiable data is purged from primary stores; backup expiry follows the provider PITR window (7 days).
Email + password and Google sign-in. Passwords are hashed by our managed auth provider; leaked-password protection is enabled.
Sessions are bound to a single browser when single-session mode is enabled, and all sessions can be revoked by an admin.
The platform emits structured error events; an internal observability dashboard tracks error volume and runtime health.
Suspected incidents are triaged per our internal incident-response plan with a target customer-comms window of 30 minutes for declared SEV-1/2 events on the public status page.
SOC 2 Type I: in progress — target Q1 2027 using a compliance-automation platform and an independent auditor.
SOC 2 Type II: targeted mid-2027 after the observation window closes.
ISO 27001: evaluated based on EU enterprise demand.
These are stated goals, not certifications. We will publish the report or certificate when issued.
Sub-processors
The third parties that process customer data on our behalf. We notify workspace admins at least 30 days before adding a new sub-processor that affects their data.
| Vendor | Purpose | Region | Attestation |
|---|---|---|---|
| Supabase | Database, auth, object storage | EU / US | SOC 2 Type II |
| Cloudflare | Edge runtime, WAF, DNS | Global | SOC 2 Type II, ISO 27001 |
| Lovable | Dev platform & AI gateway | EU / US | SOC 2 Type II |
| OpenAI | LLM via AI gateway | US | SOC 2 Type II |
| Google (Gemini) | LLM via AI gateway | US | SOC 2 Type II |
| Stripe | Payments (no card data stored) | EU / US | PCI DSS L1, SOC 2 |
| Firecrawl | Public web search for case-law | US | — |
| Resend | Transactional email | EU / US | SOC 2 Type II |
Contact
Security disclosures and questions: security@aita.tax. Privacy and data-subject requests: privacy@aita.tax. For our standard Data Processing Agreement, see /legal/dpa.