Security & Trust Center
Last Updated: May 5, 2026
At Smalt AI, security is foundational to everything we build. Our platform handles sensitive financial data and business-critical workflows, and we take that responsibility seriously. This page provides transparency into our security practices, current compliance posture, and the work in progress for our 2026 SOC 2 Type I readiness.
For a dated view of what is implemented today, what we are hardening, and what is on the roadmap, see our Compliance Roadmap.
1. Infrastructure Security
Cloud Infrastructure
- Provider: Amazon Web Services (AWS) and Supabase — leveraging their physical and infrastructure security.
- Region: Singapore (Asia Pacific - ap-southeast-1). Customer data, including authentication and application storage, is processed and stored in Singapore by default.
- Redundancy: Multi-availability zone deployment in ap-southeast-1 for high availability.
- Network: Virtual Private Cloud (VPC) with strict security group rules and network ACLs.
- DDoS Protection: AWS Shield for distributed denial-of-service protection.
Encryption
| Layer | Standard | Details |
|---|---|---|
| Data in Transit | TLS 1.2 / 1.3 | All communications encrypted via HTTPS. HSTS enforced. |
| Data at Rest | AES-256 | All stored data encrypted using AWS KMS-managed keys. |
| Database | AES-256 | Encrypted at the storage layer with automated key rotation. |
| Backups | AES-256 | All backups encrypted with separate encryption keys. |
2. Application Security
Authentication & Access Control
- Authentication: Identity provided by Supabase Auth, with Google SSO support and email/password backup.
- Session Management: Sessions expire and rotate automatically. We are migrating session tokens from browser storage to HttpOnly secure cookies as part of our 2026 SOC 2 hardening; see the Compliance Roadmap.
- Access Control: Account-scoped data isolation enforced at the database layer; cross-account access is prevented by row-level authorisation checks.
- API Security: Token-based authentication with rate limiting on sensitive endpoints.
Secure Development Practices
- Input validation and output encoding to prevent injection attacks.
- CSRF protection on state-changing operations; remaining legacy exemptions are being removed in our 2026 hardening pass.
- SSRF protection against internal network and metadata endpoint access.
- Security headers including X-Frame-Options, X-Content-Type-Options, and HSTS.
- Dependency scanning for known vulnerabilities.
- Code review required for all production changes.
3. Data Protection
Your Data Principles
| Principle | Our Commitment |
|---|---|
| Ownership | You own your data. We never claim ownership of your inputs or outputs. |
| No Model Training | We do NOT use your data to train, fine-tune, or improve any AI models. Your financial data stays your financial data. |
| Tenant Isolation | Each customer's data is logically isolated. No cross-tenant access is possible. |
| Data Minimisation | We collect only what is necessary to provide the Service. |
| Right to Delete | You can delete your data at any time. Upon account termination, data is deleted within 30 days. |
| Data Portability | Export your data in standard formats at any time. |
AI Data Flow
When you use Smalt AI, here is how your data flows:
- Input: Your query or document is sent over a TLS-encrypted connection to our servers.
- Processing: We construct a prompt and send it to our LLM provider (Anthropic or Google) via their enterprise API with data processing agreements in place.
- No Retention by LLM Providers: Our agreements with LLM providers ensure they do not retain your data or use it for training.
- Output: The response is returned to you and stored in your conversation history (which you control).
- Logging: We log metadata (timestamps, token counts) for billing and monitoring. We do not log the content of your queries or outputs.
4. Compliance
| Framework | Status | Details |
|---|---|---|
| GDPR | Compliant | Full compliance with EU General Data Protection Regulation. DPA available on request. |
| UK Data Protection Act 2018 | Compliant | Compliant with UK GDPR and Data Protection Act 2018. |
| CCPA / CPRA | Compliant | California Consumer Privacy Act compliance for US customers. |
| SOC 2 Type I | In Progress | Type I audit underway in 2026 for the Security, Availability, and Confidentiality Trust Services Criteria. See the Compliance Roadmap for scope and target timeline. |
| SOC 2 Type II | On Roadmap | Pursued after Type I, once the controls have been operating for the required observation period. |
| ISO 27001 | Under Evaluation | Information security management system certification under evaluation for 2027 and beyond. |
5. Incident Response
- Detection: We monitor application health and key security signals; alerting coverage is being expanded as part of our 2026 SOC 2 readiness work.
- Response: Documented incident response procedures with defined severity levels.
- Notification: We will notify affected customers of confirmed data breaches within 72 hours, in compliance with GDPR requirements.
- Post-Incident: Root cause analysis and preventive measures for all security incidents.
6. Business Continuity
- Backups: Automated daily backups with point-in-time recovery capability
- Disaster Recovery: Multi-AZ deployment with defined RTO and RPO targets
- Uptime: See our Service Level Agreement for uptime commitments
7. Vendor Security
We carefully evaluate all third-party vendors and sub-processors:
- Security assessments before onboarding any vendor that handles customer data
- Data Processing Agreements (DPAs) with all sub-processors
- Regular review of vendor security posture
- See our Sub-processors List for a complete inventory
8. Responsible Disclosure
We welcome responsible security research. Machine-readable contact details are published at /.well-known/security.txt per RFC 9116.
- Provide a clear description of the vulnerability and steps to reproduce.
- Allow reasonable time for us to investigate and remediate before public disclosure.
- Do not access, modify, or delete other users' data, and do not run automated scans that degrade the Service.
- We will not pursue legal action against researchers who follow this policy in good faith.
9. Security FAQs for Enterprise Buyers
Q: Where is my data stored?
A: Customer data is stored on AWS and Supabase infrastructure in Singapore (Asia Pacific - ap-southeast-1). This applies to authentication, primary application data, and uploaded files. Some AI model providers operate from other regions — see our Sub-processors List for the full hosting map and the cross-border transfer safeguards in place. Pinned-region deployments for other jurisdictions can be discussed for enterprise customers.
Q: Do you use my data to train AI models?
A: No. We have explicit agreements with our LLM providers (Anthropic, Google) that prohibit the use of customer data for model training.
Q: Can I get a copy of your SOC 2 report?
A: Our SOC 2 Type I audit is underway in 2026, scoped to the Security, Availability, and Confidentiality Trust Services Criteria. While the Type I report is in progress, we can share our security questionnaire response and control overview under NDA. See the Compliance Roadmap for the latest status, or email support@smaltai.com to request documents.
Q: Do you offer self-hosted / on-premise deployment?
A: Enterprise customers can discuss deployment options. Contact support@smaltai.com for details.
Q: Can I sign a DPA?
A: Yes. Our standard DPA is available, and we can accommodate custom DPA requirements for enterprise customers.
10. Contact
Privacy Team: support@smaltai.com
Enterprise Sales: support@smaltai.com