Security First
Security & Compliance
Robust controls for sensitive documents and operational data.
Infrastructure
All Robot ITL products are hosted on Vercel (application layer) and Supabase (database, authentication, and file storage). All traffic is encrypted in transit via HTTPS/TLS 1.2+. Data at rest is encrypted using AES-256 with KMS-managed keys. Automatic backups and point-in-time recovery protect all project files, documents, and metadata.
Access Control and Tenant Isolation
- Supabase Row Level Security (RLS) enforces strict tenant isolation — every query is scoped to the authenticated user's organization.
- Document processing runs in isolated serverless functions; uploads are never shared across tenants.
- Organization roles (owner, admin, member, viewer) control access to billing, usage data, and administrative functions.
- Administrative access to production systems is restricted to authorized personnel, protected by multi-factor authentication, and audited.
Encryption and Key Management
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- BYOK (Bring Your Own Key) API keys are encrypted using AES-256-GCM with a dedicated encryption key and are only decrypted in memory during API calls.
- Cloud-integration OAuth tokens (Google Drive, SharePoint) are stored encrypted and scoped to the individual user account.
- Stripe handles all payment card data — full card numbers never touch our servers.
Document Processing
- Uploaded files are stored in private, organization-scoped buckets with signed URLs for access.
- Document parsing (Word, PDF, Excel, plain text) occurs within our serverless infrastructure.
- AI processing sends only the relevant document context to the configured language-model provider — full files are not transmitted wholesale.
- Temporary processing artifacts are purged after use; only structured metadata and parsed content remain in your project workspace.
AI and Chat Safeguards
- AI responses are grounded in your document context; the system is designed to cite sources and minimize hallucination.
- You control which AI provider processes your data via organization settings or BYOK configuration.
- We do not use your documents, prompts, or AI responses to train any models.
- AI provider selection and BYOK keys can be changed or revoked at any time from your organization settings.
Authentication and Session Security
- Authentication is managed by Supabase Auth with support for email/password and OAuth providers (Google, GitHub).
- Session tokens are stored in secure, httpOnly cookies scoped to the .iamtherobot.io domain.
- Sessions expire automatically and are invalidated on sign-out.
- Multi-factor authentication (MFA/TOTP) is supported and can be required at the organization level.
Audit Logging
Security-relevant actions are recorded in audit logs, including user authentication events, organization membership changes, billing operations, and administrative actions. Logs include the action type, user identifier, IP address, and timestamp. Audit logs are retained for up to 2 years and are accessible to organization admins.
Business Continuity
- Daily automated backups with multi-region redundancy.
- Incident response plan with defined internal SLAs.
- Status updates communicated via the in-app dashboard banner during any service disruption.
Compliance
- Working toward SOC 2 Type II certification.
- HIPAA Business Associate Agreements (BAAs) are available for enterprise customers and require a separate agreement.
- GDPR: users may exercise data access, correction, deletion, and portability rights by contacting support@iamtherobot.io.
- Google API Services User Data Policy: our use of Google user data complies with Google's Limited Use requirements. See our Privacy Policy, Section 5, for details.
- We do not use personal data for advertising, retargeting, or sale to third parties.
Responsible Disclosure
If you discover a security vulnerability in any Robot ITL product, please report it to security@iamtherobot.io. We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.