§ Trust
How Aktara handles your data. Honest about what we do today, time-bounded about what's in progress.
§ Compliance
SOC 2 Type I — in progress
We’re pursuing SOC 2 Type I certification, target Q3 2026. Until certification is complete, we don’t claim it. Email security@aktara.ai for our current audit posture or to request our security questionnaire.
§ Data handling
Encryption in transit
All traffic between your browser, our infrastructure, and our subprocessors (Neon, Vercel, Anthropic, OpenAI, Inngest, Resend, Upstash, Stripe) is protected by TLS 1.2+.
Encryption at rest
Your account, workspace, decision runs, and outcomes are stored in Neon (serverless Postgres) with AES-256 at rest. Uploaded files live in Vercel Blob with AES-256 at rest. Application-level secrets (API keys) are additionally encrypted with AES-256-GCM before insert.
AI provider terms
Classification + chat inference runs through Anthropic; the decision engine’s reasoning composer runs through OpenAI. Per both providers’ commercial terms, your prompts and completions are not used for model training.
Data retention
Uploads, decision runs, and outcomes are retained as long as your workspace exists. Delete the workspace to remove all associated data — honored within 30 days. Background-job records (Inngest) are auto-pruned within 90 days.
Subprocessors
Neon (database), Vercel (hosting + Blob storage), Anthropic (file classification & chat), OpenAI (reasoning composer), Inngest (background jobs), Resend (email), Upstash (rate limiting), Stripe (billing). Full list and DPA on request.
§ Vulnerability disclosure
Found a security issue? Email security@aktara.ai with a proof of concept. We respond within 48 hours and won’t pursue legal action against good-faith research.
Out of scope: social engineering, DDoS, physical attacks, third-party services we don’t control.