Security & Updates

Security & Incidents

How we secure your data and how we respond to breaches or incidents.

Purpose of this page

This page describes how AIM protects your data and how we respond to security incidents. It complements Data & Sources, Purposes & Legal Bases, Retention, Recipients & Transfers, and Consent & Cookies.

Security principles

  • Minimize — collect and retain only what’s necessary.

  • Encrypt — TLS in transit and encryption at rest across our managed infrastructure.

  • Least-privilege — access is limited by role, workspace, and need-to-know.

  • Segregate & monitor — isolate data paths; log and alert on anomalies.

  • Fail safely — backups with short, automated rotation; disaster recovery used only when needed.

Data protection by design

Encryption & key handling

  • In transit: TLS (modern ciphers; TLS 1.2+ with preference for TLS 1.3).

  • At rest: encryption via our cloud providers and Supabase data stores.

  • Secrets: hardened environment storage and provider KMS where applicable; rotation when risk warrants.

Authentication & account security

  • Sign-in options: Google, Apple, or email + password via Supabase Auth.

  • Passwords: hashed with industry-standard algorithms (e.g., bcrypt/argon2) via Supabase Auth; never stored in plaintext.

  • Sessions & tokens: secured cookies/local tokens with best-practice flags; sessions expire according to their configured lifecycle.

  • MFA: planned (coming to supported accounts).

Access control & isolation

  • Workspace-scoped permissions and role-based access.

  • Administrative access is tightly restricted, logged, and periodically reviewed.

  • Enterprise configurations can constrain available models or connectors; those rules are applied automatically for that workspace.

Secure development & dependency hygiene

  • Code changes touching auth, storage, or cross-tenant boundaries get mandatory review.

  • Supply-chain controls: dependency pinning, CVE alerts, and secret scanning pre-merge.

  • Targeted static/dynamic checks on critical flows.

  • Security-relevant paths in staging mirror production controls.

Infrastructure & vendor security

  • Hosting & storage: Supabase (authentication, databases, backups).

  • Payments: Stripe (card numbers never touch AIM).

  • Support & analytics: Intercom (optional, consent-based load) and Google Analytics/Google Ads (non-essential; consent-based).

  • Observability: may include Sentry, Datadog, New Relic depending on environment.

  • Edge protections: perimeter/WAF/CDN controls may be used depending on environment.

  • Model providers: routing to OpenAI, Anthropic, Google, DeepSeek, Flux, Perplexity, Meta, Mistral, Moonshot, Qwen and others under contractual safeguards; training opt-out is honored and propagated where supported.

  • International transfers: protected by SCCs and supplementary measures (see Recipients & Transfers).

Monitoring, logging & detection

  • Telemetry: minimal but sufficient for reliability and abuse detection.

  • Anomaly detection: automated safeguards for spam/abuse and suspicious bursts (temporary by default; human review on request).

  • Audit trails: privileged actions and security-relevant events are logged and periodically reviewed.

  • Retention: logging windows follow Retention (we do not promise a “total purge”).

Backups & disaster recovery

  • Backups: encrypted, short automated rotation; not restored to production except for disaster recovery.

  • Recovery: rapid restoration from those backups; specific RTO/RPO targets are available to Enterprise customers on request.

Penetration testing & vulnerability management

  • Pen-testing: external penetration tests may be conducted periodically under defined scope and controls.

  • Remediation: issues are triaged and addressed under a risk-based process aligned with severity and exposure.

  • Third-party advisories: credible vendor notices are reviewed promptly and mitigations applied.

Incident response

How to report a security issue

  • Email: support@aim-ai.tech

  • Include: description, reproduction steps, timestamps, and any request IDs (avoid sending sensitive data).

How we triage & respond

  • Triage & containment: we assess severity, contain impact, and activate on-call responders.

  • If a personal-data breach is confirmed (GDPR/UK GDPR/nFADP):

    • notify the relevant authority within 72 hours where required;

    • notify affected users without undue delay if there is high risk to their rights and freedoms.

  • US state laws (e.g., CPRA): we follow applicable state notification rules.

  • Post-incident: concise summary of what happened, what data (if any) was impacted, and what we changed.

Law-enforcement & third-party requests

We require valid legal process, scope minimization, and internal legal/security review. We challenge over-broad requests and disclose only what the law requires.

Responsible disclosure (researchers)

We welcome good-faith vulnerability reports at support@aim-ai.tech. Safe harbor applies when testing is responsible and avoids data exfiltration, service disruption, or privacy harm.
Thank-you reward: for a validated, non-exploited security vulnerability reported responsibly, we offer one month of AIM’s standard subscription (eligibility and jurisdictional limits apply). This is not a public bug bounty program.

Conclusion

AIM protects data with encryption in transit (TLS) and encryption at rest, least-privilege access, and environment-appropriate edge protections. Accounts run on Supabase; Stripe processes payments (card numbers never touch AIM). Non-essential tooling such as Google Analytics/Google Ads and optional Intercom loads only with consent; observability may include Sentry/Datadog/New Relic. We monitor with logging, anomaly detection, rate-limits and audit trails, back up with a short, automated rotation, and support rapid recovery. For incidents, we triage, contain, and—when required—notify authorities within 72 hours and affected users without undue delay. Responsible disclosure is welcome at support@aim-ai.tech; validated, responsibly reported vulnerabilities may receive one month of AIM’s standard subscription. Model routing to providers (e.g., OpenAI, Anthropic, Google, DeepSeek, Flux, Perplexity, Meta, Mistral, Moonshot, Qwen) is contractually safeguarded, and your training opt-out is honored and propagated where supported. Log retention follows our Retention page (no “total purge” promise; aged logs may move to restricted archives).

Versioning

Effective date: {YYYY-MM-DD} • Last updated: {YYYY-MM-DD}
