Security
How we keep borrower data safe.
The short version: encrypted in transit and at rest, tenant-isolated by default, audit-logged end-to-end, and not used to train models. The long version follows.
Practices
Encryption
TLS 1.3 in transit. AES-256 at rest. KMS-managed keys per environment. Customer-managed keys available on Enterprise.
Access control
OIDC / SAML SSO. Role-based access internally with least-privilege defaults. Production access is gated by short-lived credentials and recorded for review.
Tenant isolation
Per-org logical isolation in Postgres, MinIO, and Temporal workflows. Every query and storage path is scoped by `org_id`, enforced at the backend-for-frontend (BFF) layer.
Audit logging
Structured events for every classification, extraction, approval, and outbound action. 13-month retention by default, extensible.
Backups
Point-in-time recovery on Postgres. Encrypted object snapshots on MinIO. Restoration drills run quarterly.
Vulnerability management
Dependabot + Snyk on every repo. Static analysis in CI. External penetration test annually with remediation SLAs.
Sub-processors
The vendors with access to your data.
We disclose every sub-processor and update this list at least 30 days before any addition takes effect.
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | us-east-1, us-west-2 |
| Cloudflare | Edge / DNS / WAF | Global |
| Resend | Transactional email | us-east-1 |
| Vercel | Marketing site hosting | Global edge |
| LlamaCloud | Document parsing inference | us-east-1 |
Vulnerability disclosure
Found a bug? Tell us first.
We acknowledge reports within 24 hours and triage within 72. Email security@adeft.ai with a description, reproduction, and your PGP key if you have one.
Incident response
We tell you fast.
If a security incident affects your data, you’ll hear from us within the regulatory window for your jurisdiction (and never later than 72 hours from confirmation).