Security & Trust
The security posture enterprise procurement reviews in one page.
AIGI is built for general counsels, chief AI officers, and chief privacy officers who cannot afford to forward a vendor questionnaire and wait two weeks for an answer. Everything procurement needs is below. Anything missing — email security@aigovbrief.com.
Certifications & attestations
SOC 2 Type II
Planned — not yet under observationA SOC 2 Type II program covering the Security, Availability, and Confidentiality trust criteria is planned. We have not yet begun an observation period, no auditor is engaged, and no report is available. We will publish the observation-period start date here when it begins. In the meantime, we are happy to walk enterprise evaluators through our current controls and documentation — request it below.
For how a data subject can access, export, or delete their data, see Your rights below.
Authentication & access control
SSO
Built on SAML 2.0 and OIDC, compatible with Okta, Microsoft Entra ID, Google Workspace, and any standards-compliant provider. Available for enterprise agreements and enabled per tenant during onboarding — we verify your email domain and connect your IdP with you. It is not self-service today; email security@aigovbrief.com to scope it for your organization.
SCIM 2.0
Built on SCIM 2.0 for full user lifecycle — create, update, deactivate — driven by your IdP's directory. Available for enterprise agreements alongside SSO and enabled per tenant during onboarding; deprovisioned users lose access within 30 seconds. It is not self-service today — we configure it with you when your agreement includes it.
Multi-factor authentication
TOTP (RFC 6238) for account owners on every plan; required for admin roles on Pro and above. Recovery codes generated at enrollment and stored hashed at rest.
Audit & observability
Every state-changing action is recorded in a tenant-scoped, append-only audit log. Sign-ins, exports, SCIM provisioning, SSO configuration changes, watchlist edits, API key issuance — all surfaced via REST and downloadable as CSV for ingestion into your SIEM.
- Retention: 24 months minimum, indefinite on enterprise plans
- Tamper-resistant: SQLite triggers reject UPDATE and DELETE
- Export endpoint:
GET /api/audit-log/export?format=csv
Data protection
Encryption
- In transit: TLS 1.2 minimum; HSTS preload; certs via Let's Encrypt
- At rest: AES-256 via Railway managed volume encryption
- Secrets: HashiCorp Vault with short-lived tokens; no plaintext credentials in source
Tenant isolation
Every customer record carries a tenant_id; every SQL query is scoped at the application layer with a CI-enforced lint preventing un-scoped reads or writes. No tenant data is ever co-mingled in shared indexes or caches.
Retention & deletion
Customer data is deleted within 30 days of contract termination. Deletion is executed by the operator against every table holding your data, following a documented offboarding runbook. The audit log itself is append-only and tamper-resistant — there is no automated purge job that can silently alter or remove historical entries; audit records age out only under the contractually agreed retention window.
Your rights
A data subject can ask us to access, export, or delete the personal data we hold about them. Email privacy@aigovbrief.com with the request. After we verify the requester's identity, we act on it within 30 days.
- Access — a copy of the personal data on file
- Export — that data in a machine-readable format
- Deletion — removal of the account and its data, except records we are legally required to retain
Sub-processors
The third parties that may process customer data on AIGI's behalf. We post 30-day advance notice of any change to this list.
- Infrastructure
- Railway (US-East primary)
- Email delivery
- Resend
- LLM enrichment
- Google Cloud — Gemini API
- Payments
- Stripe
- Observability
- Langfuse, OpenTelemetry, Healthchecks.io
Subprocessor changelog
- 2026-07-11 — Corrected email delivery to Resend. Removed the compliance-evidence entry (Drata / Vanta were never engaged).
Vulnerability disclosure
Report a vulnerability to security@aigovbrief.com. We acknowledge within one business day and follow a 90-day coordinated disclosure timeline.
Request our security documentation
Tell us what your review needs and we'll respond with our current security documentation. A SOC 2 Type II report is not yet available.