Security & Trust Center
Last Updated: April 15, 2026
At Smalt AI, security is foundational to everything we build. Our platform handles sensitive financial data and business-critical workflows, and we take that responsibility seriously. This page provides transparency into our security practices, compliance posture, and data protection measures.
1. Infrastructure Security
Cloud Infrastructure
- Provider: Amazon Web Services (AWS) - leveraging their world-class physical and infrastructure security
- Region: Data hosted in AWS regions with appropriate compliance certifications
- Redundancy: Multi-availability zone deployment for high availability
- Network: Virtual Private Cloud (VPC) with strict security group rules and network ACLs
- DDoS Protection: AWS Shield for distributed denial-of-service protection
Encryption
| Layer | Standard | Details |
|---|---|---|
| Data in Transit | TLS 1.2 / 1.3 | All communications encrypted via HTTPS. HSTS enforced. |
| Data at Rest | AES-256 | All stored data encrypted using AWS KMS-managed keys. |
| Database | AES-256 | Encrypted at the storage layer with automated key rotation. |
| Backups | AES-256 | All backups encrypted with separate encryption keys. |
2. Application Security
Authentication & Access Control
- Authentication: Secure authentication via Supabase Auth, with Google SSO support
- Session Management: Server-side sessions with automatic expiration and signed session IDs
- Access Control: Account-level data isolation ensuring users only access their own data
- API Security: Token-based authentication with rate limiting on sensitive endpoints
Secure Development Practices
- Input validation and output encoding to prevent injection attacks
- CSRF protection on state-changing operations
- SSRF protection against internal network and metadata endpoint access
- Security headers including X-Frame-Options, X-Content-Type-Options, HSTS
- Dependency scanning for known vulnerabilities
- Code review required for all production changes
3. Data Protection
Your Data Principles
| Principle | Our Commitment |
|---|---|
| Ownership | You own your data. We never claim ownership of your inputs or outputs. |
| No Model Training | We do NOT use your data to train, fine-tune, or improve any AI models. Your financial data stays your financial data. |
| Tenant Isolation | Each customer's data is logically isolated. No cross-tenant access is possible. |
| Data Minimisation | We collect only what is necessary to provide the Service. |
| Right to Delete | You can delete your data at any time. Upon account termination, data is deleted within 30 days. |
| Data Portability | Export your data in standard formats at any time. |
AI Data Flow
When you use Smalt AI, here is how your data flows:
- Input: Your query or document is sent over TLS-encrypted connection to our servers.
- Processing: We construct a prompt and send it to our LLM provider (Anthropic or Google) via their enterprise API with data processing agreements in place.
- No Retention by LLM Providers: Our agreements with LLM providers ensure they do not retain your data or use it for training.
- Output: The response is returned to you and stored in your conversation history (which you control).
- Logging: We log metadata (timestamps, token counts) for billing and monitoring. We do not log the content of your queries or outputs.
4. Compliance
| Framework | Status | Details |
|---|---|---|
| GDPR | Compliant | Full compliance with EU General Data Protection Regulation. DPA available on request. |
| UK Data Protection Act 2018 | Compliant | Compliant with UK GDPR and Data Protection Act 2018. |
| CCPA / CPRA | Compliant | California Consumer Privacy Act compliance for US customers. |
| SOC 2 Type II | Planned 2026 | Audit planned. Security controls aligned with SOC 2 Trust Service Criteria. |
| ISO 27001 | On Roadmap | Information security management system certification on our compliance roadmap. |
5. Incident Response
- Detection: Automated monitoring and alerting for security anomalies 24/7
- Response: Documented incident response procedures with defined severity levels
- Notification: We will notify affected customers of confirmed data breaches within 72 hours, in compliance with GDPR requirements
- Post-Incident: Root cause analysis and preventive measures for all security incidents
6. Business Continuity
- Backups: Automated daily backups with point-in-time recovery capability
- Disaster Recovery: Multi-AZ deployment with defined RTO and RPO targets
- Uptime: See our Service Level Agreement for uptime commitments
7. Vendor Security
We carefully evaluate all third-party vendors and sub-processors:
- Security assessments before onboarding any vendor that handles customer data
- Data Processing Agreements (DPAs) with all sub-processors
- Regular review of vendor security posture
- See our Sub-processors List for a complete inventory
8. Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability:
- Provide a clear description of the vulnerability and steps to reproduce
- Allow reasonable time for us to investigate and remediate before public disclosure
- Do not access, modify, or delete other users' data
9. Security FAQs for Enterprise Buyers
Q: Where is my data stored?
A: Your data is stored on AWS infrastructure. We can discuss specific region requirements for enterprise deployments.
Q: Do you use my data to train AI models?
A: No. We have explicit agreements with our LLM providers (Anthropic, Google) that prohibit the use of customer data for model training.
Q: Can I get a copy of your SOC 2 report?
A: Our SOC 2 Type II audit is planned for 2026. In the interim, we can provide our security questionnaire responses and a detailed overview of our controls.
Q: Do you offer self-hosted / on-premise deployment?
A: Enterprise customers can discuss deployment options. Contact support@smaltai.com for details.
Q: Can I sign a DPA?
A: Yes. Our standard DPA is available, and we can accommodate custom DPA requirements for enterprise customers.
10. Contact
Privacy Team: support@smaltai.com
Enterprise Sales: support@smaltai.com