Maintained by AITA

Trust & Security

This page is maintained by the AITA team to answer common security and privacy questions about the platform. It describes controls currently enabled in the product; it is not an independent audit or certification.

Access control

Every workspace is isolated through Postgres row-level security; users only see data their workspace role permits.

Roles (owner, admin, member) are enforced server-side. Administrative actions are recorded in an immutable activity log.

MFA is available for every account and required for admin roles. Optional single-session enforcement is available per workspace.

Encryption

Data is encrypted in transit (TLS 1.2+) on every connection and at rest in the underlying managed database and object storage.

Secrets and API keys are stored in a managed secret store and never committed to source control.

Data residency & retention

Customer data is hosted in EU or US regions of our infrastructure providers. Workspace admins can configure activity-log retention.

On workspace deletion, customer-identifiable data is purged from primary stores; backup expiry follows the provider PITR window (7 days).

Authentication

Email + password and Google sign-in. Passwords are hashed by our managed auth provider; leaked-password protection is enabled.

Sessions are bound to a single browser when single-session mode is enabled, and all sessions can be revoked by an admin.

Monitoring & incident response

The platform emits structured error events; an internal observability dashboard tracks error volume and runtime health.

Suspected incidents are triaged per our internal incident-response plan with a target customer-comms window of 30 minutes for declared SEV-1/2 events on the public status page.

Compliance roadmap

SOC 2 Type I: in progress — target Q1 2027 using a compliance-automation platform and an independent auditor.

SOC 2 Type II: targeted mid-2027 after the observation window closes.

ISO 27001: evaluated based on EU enterprise demand.

These are stated goals, not certifications. We will publish the report or certificate when issued.

Sub-processors

The third parties that process customer data on our behalf. We notify workspace admins at least 30 days before adding a new sub-processor that affects their data.

VendorPurposeRegionAttestation
SupabaseDatabase, auth, object storageEU / USSOC 2 Type II
CloudflareEdge runtime, WAF, DNSGlobalSOC 2 Type II, ISO 27001
LovableDev platform & AI gatewayEU / USSOC 2 Type II
OpenAILLM via AI gatewayUSSOC 2 Type II
Google (Gemini)LLM via AI gatewayUSSOC 2 Type II
StripePayments (no card data stored)EU / USPCI DSS L1, SOC 2
FirecrawlPublic web search for case-lawUS
ResendTransactional emailEU / USSOC 2 Type II

Contact

Security disclosures and questions: security@aita.tax. Privacy and data-subject requests: privacy@aita.tax. For our standard Data Processing Agreement, see /legal/dpa.