TRUST CENTER

Security you can actually verify

SOC 2 Type II certified. HIPAA compliant. GDPR ready. We don't just claim to be secure — we have the audits to back it up.

SOC 2 Type II Certified

Independent auditors verified that our security, availability, and confidentiality controls are operating effectively. Full report available to Enterprise customers.

HIPAA Compliant

We sign Business Associate Agreements (BAAs) and implement the technical safeguards required for healthcare organizations handling PHI.

GDPR Ready

Our Data Processing Agreement (DPA) is available on request. We support data deletion requests within 30 days and EU data residency for Enterprise accounts.

HOW WE PROTECT YOUR DATA

Security practices

Your data is never used for AI training

The content of your sessions, agent outputs, and extracted data stays yours. We never use it to train any model — ours or anyone else's.

Every session runs in isolation

Each browser session runs in its own container. Sessions cannot access each other's data, cookies, or network traffic — even within the same account.

Encryption at every layer

TLS 1.3 in transit, AES-256 at rest. API keys are stored with bcrypt hashing. Secrets never appear in logs.

No persistent browser state by default

Cookies, cache, and local storage are destroyed when a session ends. Persistent auth profiles require explicit opt-in and are stored encrypted.

Tamper-evident audit logs

Enterprise plans get full audit logs for all API calls, agent runs, and session activity. Logs are immutable and exportable for your SIEM.

Granular access control

Fine-grained RBAC lets you control exactly who can create agents, view outputs, manage sessions, or access billing — per team member.

Annual third-party pen tests

We hire external security firms to attempt to break our systems every year. Results are available to Enterprise customers under NDA.

Responsible disclosure program

Security researchers can report vulnerabilities to security@airtapai.com. We acknowledge within 24 hours and remediate critical issues within 72 hours.

FAQ

Common questions

Where is data stored?
Session data is processed in US-based AWS infrastructure (us-east-1). EU data residency is available for Enterprise customers on request.

Do you share data with third parties?
We do not sell or share your data. We use sub-processors necessary to operate the service — a current list is included in our DPA.

How long is session data retained?
Session recordings and logs are retained for 30 days by default. Enterprise plans can configure custom retention windows.

Can I get a BAA?
Yes. Enterprise and custom plan customers can request a Business Associate Agreement for HIPAA workflows. Email compliance@airtapai.com.

How do I request data deletion?
Email privacy@airtapai.com. We will delete all associated data within 30 days and send a written confirmation.

Questions about security or compliance?

Our security team responds within one business day.