Synced from the central trust source (devplane/trust/trust-center.md) on 2026-06-25. Do not edit here — update the central source and re-run scripts/sync-trust-docs.mjs.
Trust Center
Status: DRAFT · Last reviewed: 2026-06-24
Publishing note (internal): publish gated / noindex. Customer-facing copy only — no internal-only detail, no [CONFIRM] markers. Where a fact is still pending, it is phrased as "available on request."
Security and trust, built into the product
We build governed analytics and AI products for HR and the enterprise. Security and data governance are core to how our platform works — not bolted on. Access control, approvals, and audit are first-class features of the product, which means the same controls that protect your data are the controls we sell.
This page summarizes our security posture and points you to the documents your team needs to evaluate us.
Our security posture
- Access control. Role-based, least-privilege access. Identity, single sign-on, and MFA via Clerk, with enterprise SSO (SAML/OIDC) available. Service and API access is key-gated and scoped; AI-agent access is scoped per consumer.
- Data isolation. Multi-tenant data is isolated using Postgres row-level security and per-service schemas. Tenant context is resolved server-side, and one tenant cannot access another tenant's data.
- Encryption. TLS/HTTPS is enforced everywhere in transit. Data is encrypted at rest (AES-256) via our managed database and cloud providers.
- Secrets. Credentials are held in an encrypted vault and injected server-side. Secrets are never placed in prompts, search payloads, public logs, or marketing systems.
- Auditability. Actions resolve to audit and evidence records (actor, action, decision, result, timing), giving a clear trail across the platform.
- Trusted infrastructure. Applications run on Vercel; data is stored in managed Postgres (Supabase on AWS). These providers maintain their own SOC 2 / ISO attestations covering physical and infrastructure controls.
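An illustrative sketch of the row-level-security pattern described under Data isolation, added here as an example. It is constructed for this page and is not the product's schema; the table, role and setting names (employee_records, app_user, app.tenant_id) and the tenant ids are assumptions.

```sql
-- Constructed example: tenant isolation with Postgres row-level security
-- and server-side tenant context. Not the product's actual schema.

CREATE TABLE employee_records (
    id        bigserial PRIMARY KEY,
    tenant_id uuid  NOT NULL,
    payload   jsonb NOT NULL
);

-- Enable RLS and force it so that even the table owner is subject to policy.
ALTER TABLE employee_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE employee_records FORCE ROW LEVEL SECURITY;

-- Application role: no BYPASSRLS, owns nothing, only DML on the table.
-- (Assumption: the connecting login role is a member of app_user.)
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON employee_records TO app_user;

-- Policy: reads and writes are limited to the tenant the server set for this
-- request. NULLIF guards the case where the setting is unset or reverted to
-- '' after a previous transaction: the comparison then yields NULL, so a
-- request that forgot to set tenant context sees zero rows, not all rows.
CREATE POLICY tenant_isolation ON employee_records
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Server-side per-request pattern, run after the request is authenticated.
-- SET LOCAL scopes both the role and the tenant id to this transaction, so a
-- pooled connection cannot carry one tenant's context into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, payload FROM employee_records;   -- returns only this tenant's rows
-- Writing a row for a different tenant violates WITH CHECK and raises an
-- error, aborting the transaction:
INSERT INTO employee_records (tenant_id, payload)
    VALUES ('22222222-2222-2222-2222-222222222222', '{}');
COMMIT;
```

A quick check for reviewers is to run the SELECT without the SET LOCAL line: with the policy above it must return no rows, never every tenant's rows.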
AI governance — our differentiator
We treat AI risk as a first-class control surface:
- Governed AI actions. An execution-time policy and human-in-the-loop approval layer gates sensitive actions before they run.
- No training on your data. We do not use customer data to train our models. Content sent to LLM providers for inference is processed under their API terms and is not used to train their models.
- Regulatory readiness. Our AI risk posture is aligned to ISO/IEC 42001 and EU AI Act readiness (readiness, not a claim of automatic compliance).
Compliance status (stated honestly)
We align our program to SOC 2, ISO/IEC 27001, and ISO/IEC 42001. These certifications are in progress — we do not claim certifications before they are issued. Current status and reports are available under NDA as they complete. Penetration testing, formal incident response, and continuous evidence are being established as part of this program.
We inherit physical, hosting, and infrastructure controls from certified subprocessors (Vercel, Supabase on AWS, Clerk, Stripe), which maintain their own SOC 2 / ISO reports.
Privacy and data protection
- We process customer business and people data as a processor.
- A Data Processing Agreement (DPA) with Standard Contractual Clauses is available on request.
- We do not sell customer or personal data.
- Our subprocessor list is kept current, and customers are notified of material changes per the DPA.
Documents and resources
- Security whitepaper — the security overview we hand to buyers (available on request / under NDA).
- Subprocessor list — third parties that may process customer data on our behalf.
- Privacy policy — how we handle personal data.
- Data Processing Agreement (DPA) — DPA with SCCs, available on request.
- Security packet / SOC 2 — our detailed security packet and SOC 2 materials are available under NDA.
Request our security packet
To request our security whitepaper, DPA, subprocessor details, or SOC 2 materials (under NDA), or to report a security concern, contact our security and trust team. Responsible disclosure is welcomed.
Security / trust contact: available on request.