Security

Enterprise-grade security, by design.

Built multi-tenant from day one – every workspace isolated, every role enforced on the server, every provider SOC 2 certified. Your data is protected by the same infrastructure that powers the world's leading software companies.

SOC 2 Infrastructure
All providers certified
GDPR Compliant
EU data protection
AES-256 / TLS 1.3
End-to-end encryption
PCI DSS Level 1
Via Stripe

How we protect your data

Built secure from the ground up.

Encryption

AES-256 encryption at rest, TLS 1.2+ in transit. All data encrypted end-to-end.

Authentication

Multi-factor authentication (TOTP), OAuth sign-in, and short-lived JWT sessions. Our own admin surfaces require MFA – and the check fails closed, never open.

Tenant isolation

Row-Level Security on every table. Each workspace's data is scoped to its organization, and each brand's data to its profile – in the product and in the data warehouse alike.

Team permissions, enforced in the API

Owner, admin, manager, and member roles are checked on the server for every operation – billing, data sources, configuration. A hidden button is never the security boundary.

Credentials & payments

Platform connections run through SOC 2 OAuth brokers – for proxied connections, tokens are injected server-side and your passwords never pass through us. Card data never touches our servers (Stripe, PCI DSS Level 1).

Data feeds & deletion

Webhook ingestion authenticates every request with a per-source secret key, and repeated events never double-count. Your imports stay yours: every batch is listable and deletable, and full account deletion is a request away.

Infrastructure

SOC 2 Certified Partners

We build on enterprise-grade infrastructure from providers that maintain the highest security certifications.

Vercel
Railway
Supabase
ClickHouse Cloud
Cloudflare
Stripe
Nango
Pipedream
OpenRouter
OpenAI
Anthropic
Google Cloud
Replicate
Resend
PostHog

GDPR

Full regulatory compliance.

  • Data Processing Agreement (DPA) available
  • Standard Contractual Clauses (SCCs) for transfers
  • Data subject rights fully supported
  • 72-hour breach notification commitment
  • DPO contactable at dpo@theaicmo.com

Documentation

Available on request.

Security questions?

Our team is ready to answer your security questionnaires and provide detailed documentation.