§ Trust

Security

How Aktara handles your data. Honest about what we do today, time-bounded about what's in progress.

§ Compliance

SOC 2 Type I — in progress

We’re pursuing SOC 2 Type I certification, target Q3 2026. Until certification is complete, we don’t claim it. Email security@aktara.ai for our current audit posture or to request our security questionnaire.

§ Data handling

Encryption in transit

All traffic between your browser, our infrastructure, and our subprocessors (Neon, Vercel, Anthropic, OpenAI, Inngest, Resend, Upstash, Stripe) is protected by TLS 1.2+.

Encryption at rest

Your account, workspace, decision runs, and outcomes are stored in Neon (serverless Postgres) with AES-256 at rest. Uploaded files live in Vercel Blob with AES-256 at rest. Application-level secrets (API keys) are additionally encrypted with AES-256-GCM before insert.

AI provider terms

Classification + chat inference runs through Anthropic; the decision engine’s reasoning composer runs through OpenAI. Per both providers’ commercial terms, your prompts and completions are not used for model training.

Data retention

Uploads, decision runs, and outcomes are retained as long as your workspace exists. Delete the workspace to remove all associated data — honored within 30 days. Background-job records (Inngest) are auto-pruned within 90 days.

Subprocessors

Neon (database), Vercel (hosting + Blob storage), Anthropic (file classification & chat), OpenAI (reasoning composer), Inngest (background jobs), Resend (email), Upstash (rate limiting), Stripe (billing). Full list and DPA on request.

§ Vulnerability disclosure

Found a security issue? Email security@aktara.ai with a proof of concept. We respond within 48 hours and won’t pursue legal action against good-faith research.

Out of scope: social engineering, DDoS, physical attacks, third-party services we don’t control.