Security & Trust

The security posture that enterprise procurement reviews, on one page.

AIGI is built for general counsels, chief AI officers, and chief privacy officers who cannot afford to forward a vendor questionnaire and wait two weeks for an answer. Everything procurement needs is below. Anything missing — email security@aigovbrief.com.

Certifications & attestations

SOC 2 Type II

Observation period in progress

Audit by an independent CPA firm under AICPA attestation standards; covers the Security, Availability, and Confidentiality trust services criteria. Because the observation period is still running, the Type II report has not yet been issued; once it is, the full report is available under NDA to enterprise prospects in active evaluation. Request it below.

GDPR DPA + standard MSA available on request. CCPA / CPRA-compliant by design.

Authentication & access control

SSO

SAML 2.0 and OIDC. Self-configurable from the tenant admin UI: upload your IdP's metadata XML or paste an OIDC discovery URL. Tested against Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, and Auth0.

SCIM 2.0

Full user lifecycle — create, update, deactivate — via your IdP. Bearer-token authentication; token rotation from the tenant admin UI.

Multi-factor authentication

TOTP (RFC 6238) for account owners on every plan; required for admin roles on Pro and above. Recovery codes generated at enrollment and stored hashed at rest.
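As an added example (not AIGI's implementation), the two mechanisms named above in Python's standard library: RFC 6238 TOTP verification with a one-step clock-drift window and replay protection (a step at or before the last accepted one is never accepted twice), and single-use recovery codes that are issued once in plaintext and stored only as hashes. The RFC defaults (HMAC-SHA1, 30-second step, 6 digits) are used; the storage shape and the code length are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not AIGI's code. RFC 6238 TOTP with drift window and replay
# protection, plus hashed single-use recovery codes. Storage shape is assumed.

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, code: str, unix_time: int, last_step,
                window: int = 1, step: int = STEP_SECONDS):
    """Accept the current step or one on either side (clock drift), but never
    a step at or before the last one accepted (replay). Returns
    (ok, step to persist as last_step for this user)."""
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if last_step is not None and candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_step


def issue_recovery_codes(n: int = 8):
    """Return (plaintext codes to show the user once, hashes to store).
    80-bit random codes are hashed with SHA-256; with this much entropy a
    fast hash is sufficient. Short, human-chosen codes would need a slow KDF."""
    codes = [secrets.token_hex(10) for _ in range(n)]
    return codes, [hashlib.sha256(c.encode()).hexdigest() for c in codes]


def redeem_recovery_code(stored_hashes: list, code: str) -> bool:
    """Constant-time match against each stored hash; a matched code is
    removed so it can only be used once."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for i, h in enumerate(stored_hashes):
        if hmac.compare_digest(h, digest):
            del stored_hashes[i]
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret; expected values come from the RFC's own tables.
    secret = b"12345678901234567890"
    print(totp(secret, 59), verify_totp(secret, totp(secret, 59), 59, None))
```

The value returned as the second element of `verify_totp` is what the server must persist per user; without it, a captured code remains valid for the rest of its 30-second step and the neighbouring one.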

Audit & observability

Every state-changing action is recorded in a tenant-scoped, append-only audit log. Sign-ins, exports, SCIM provisioning, SSO configuration changes, watchlist edits, API key issuance — all surfaced via REST and downloadable as CSV for ingestion into your SIEM.

  • Retention: 24 months minimum, indefinite on enterprise plans
  • Tamper-resistant: SQLite triggers reject UPDATE and DELETE, so entries cannot be altered or removed through the application's SQL path (the triggers do not constrain direct access to the database file)
  • Export endpoint: GET /api/audit-log/export?format=csv
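As an added example (not AIGI's code), the pattern these bullets describe in Python's standard sqlite3 module: a tenant-scoped audit table whose BEFORE UPDATE and BEFORE DELETE triggers abort the statement, the CSV export a SIEM would ingest, and the one sanctioned DELETE, a retention purge of the kind mentioned under "Retention & deletion", which has to drop and re-create the delete trigger inside a single transaction and write its own audit entry. Table and column names, and the purge procedure, are assumptions.

```python
import csv
import io
import sqlite3
from datetime import datetime, timezone

# Added example, not AIGI's code: append-only audit log guarded by SQLite
# triggers, tenant-scoped CSV export, and a retention purge that coexists
# with the triggers. Schema and purge procedure are assumed.

SCHEMA = """
CREATE TABLE IF NOT EXISTS audit_log (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    ts        TEXT NOT NULL,            -- ISO-8601, UTC
    actor     TEXT NOT NULL,
    action    TEXT NOT NULL,
    detail    TEXT NOT NULL DEFAULT ''
);
CREATE INDEX IF NOT EXISTS audit_log_tenant_ts ON audit_log (tenant_id, ts);
"""

# RAISE(ABORT, ...) in a BEFORE trigger fails the statement with a constraint
# error, so no row can be rewritten or erased through SQL. It does nothing
# against someone holding write access to the database file itself.
NO_DELETE = ("CREATE TRIGGER IF NOT EXISTS audit_log_no_delete BEFORE DELETE ON audit_log "
             "BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END")
NO_UPDATE = ("CREATE TRIGGER IF NOT EXISTS audit_log_no_update BEFORE UPDATE ON audit_log "
             "BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END")


def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path, isolation_level=None)  # explicit transactions below
    conn.executescript(SCHEMA + NO_DELETE + ";" + NO_UPDATE + ";")
    return conn


def record(conn, tenant_id, actor, action, detail="", ts=None):
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    conn.execute(
        "INSERT INTO audit_log (tenant_id, ts, actor, action, detail) VALUES (?, ?, ?, ?, ?)",
        (tenant_id, ts, actor, action, detail),
    )


def tamper_blocked(conn):
    """Try to rewrite and to erase history (table must be non-empty for the
    triggers to fire). Returns (update_blocked, delete_blocked)."""
    results = []
    for stmt in ("UPDATE audit_log SET action = 'nothing'", "DELETE FROM audit_log"):
        try:
            conn.execute(stmt)
            results.append(False)
        except sqlite3.DatabaseError as exc:  # RAISE(ABORT) surfaces as IntegrityError
            results.append("append-only" in str(exc))
    return tuple(results)


def purge_older_than(conn, tenant_id, cutoff_ts, actor="retention-helper"):
    """The one sanctioned DELETE. Drops the delete trigger, purges, restores
    the trigger and records the purge, all in one transaction so a failure
    can never leave the table unguarded."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        conn.execute("DROP TRIGGER audit_log_no_delete")
        purged = conn.execute(
            "DELETE FROM audit_log WHERE tenant_id = ? AND ts < ?", (tenant_id, cutoff_ts)
        ).rowcount
        conn.execute(NO_DELETE)
        record(conn, tenant_id, actor, "audit_log.purge",
               f"purged {purged} entries with ts before {cutoff_ts}")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return purged


def export_csv(conn, tenant_id):
    """Tenant-scoped export in the shape a SIEM ingests; every query carries tenant_id."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "tenant_id", "ts", "actor", "action", "detail"])
    for row in conn.execute(
        "SELECT id, tenant_id, ts, actor, action, detail FROM audit_log "
        "WHERE tenant_id = ? ORDER BY id", (tenant_id,)
    ):
        writer.writerow(row)
    return buf.getvalue()
```

The purge is the point worth checking in any such design: an append-only trigger and a retention purge are in direct tension, and the only honest resolution is a single privileged, transactional, self-auditing path through it.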

Data protection

Encryption

  • In transit: TLS 1.2 minimum; HSTS preload; certs via Let's Encrypt
  • At rest: AES-256 via Railway managed volume encryption
  • Secrets: HashiCorp Vault with short-lived tokens; no plaintext credentials in source

Tenant isolation

Every customer record carries a tenant_id, and every SQL query is scoped to it at the application layer; a CI-enforced lint fails the build on any read or write that lacks the tenant scope. No tenant data is commingled in shared indexes or caches.
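As an added example (not AIGI's lint), a deliberately small model of the CI check described above: any statement that touches a tenant-owned table must carry a `tenant_id` predicate bound from a parameter, and an INSERT must name `tenant_id` in its column list. A literal tenant id is rejected as well, since a hard-coded tenant is its own bug. The table names and the queries in the test are constructed for the example.

```python
import re

# Added example, not AIGI's lint. Table names are assumed.
TENANT_TABLES = {"briefs", "watchlists", "api_keys", "audit_log"}

_VERB = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
_TABLES = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+(\w+)", re.IGNORECASE)
# Only a bound parameter counts as scoping: ?, :name or %s. The tenant must
# come from the request context, never from the code.
_SCOPED = re.compile(r"\btenant_id\s*=\s*(?:\?|:\w+|%s)", re.IGNORECASE)
# An INSERT is scoped when tenant_id appears in its column list.
_INSERT_COLS = re.compile(r"\(\s*[^)]*\btenant_id\b[^)]*\)", re.IGNORECASE)


def touches_tenant_table(sql: str) -> bool:
    return any(t.lower() in TENANT_TABLES for t in _TABLES.findall(sql))


def is_scoped(sql: str) -> bool:
    verb = _VERB.match(sql)
    if not verb:
        return True  # not a DML statement this lint covers (e.g. DDL)
    if verb.group(1).upper() == "INSERT":
        return _INSERT_COLS.search(sql) is not None
    return _SCOPED.search(sql) is not None


def unscoped_queries(queries):
    """Return the statements a CI job should fail the build on."""
    return [q for q in queries if touches_tenant_table(q) and not is_scoped(q)]
```

A check like this only sees SQL that exists as text in the repository; queries assembled by an ORM or built from fragments at runtime need the same rule enforced at the query-builder layer.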

Retention & deletion

Customer data is deleted within 30 days of contract termination. Audit-log entries are retained for the contractually agreed period and then purged via the documented retention helper, which itself writes an audit entry.

Sub-processors

The third parties that may process customer data on AIGI's behalf. We post 30-day advance notice of any change to this list.

  • Infrastructure: Railway (US-East primary)
  • Email delivery: Google Workspace (Gmail API)
  • LLM enrichment: Google Cloud (Gemini API)
  • Payments: Stripe
  • Observability: Langfuse, OpenTelemetry, Healthchecks.io
  • Compliance evidence: Drata or Vanta (continuous monitoring)

Vulnerability disclosure

Report a vulnerability to security@aigovbrief.com. We acknowledge within one business day and follow a 90-day coordinated disclosure timeline.

Request SOC 2 Type II report

We respond within one business day. The report is shared under a mutual NDA.