Trust & Security.

Tenant Data Isolation

Every organisation's data is isolated at the database level using PostgreSQL Row-Level Security (RLS). This is not application-level filtering that a code bug could bypass. The database engine itself enforces tenant boundaries on every query, every time. Your projects, deliverables, and conversations are never visible to other customers.

Encryption

Data at rest is encrypted with AES-256. Data in transit is protected by TLS 1.3. If you bring your own LLM API keys, they are encrypted with per-tenant Fernet keys (AES-128-CBC + HMAC-SHA256) before storage and never stored in plaintext. Backups inherit the same encryption standards from our infrastructure providers.

Access Control

Role-based access control with four permission levels: Owner, Admin, Member, and Viewer. Authentication uses JWT tokens with secure session management and automatic refresh. API keys are SHA-256 hashed before storage, scoped by permission level and optionally by project, and revocable at any time. Every request is scoped to the authenticated user's organisation. Rate limiting is enforced across all endpoints.

AI Governance: Your Data Does Not Train AI

Calafai routes every engagement through enterprise or API contractual terms with model providers that prohibit training on tenant data. Your briefs, attachments, and outputs are not used to train Claude, GPT, Gemini, Grok, or any other model. EU hosting and PostgreSQL row-level tenant isolation enforce the same boundary at the infrastructure layer.

About the paperwork, plainly: most of our provider DPAs today are incorporated by reference — we accepted each provider's standard API Terms, which include the published DPA — rather than separately negotiated, counter-signed enterprise PDFs. That is normal for a seed-stage SaaS and is the standard contractual posture across the industry at our scale; we flag it here because procurement reviewers ask. xAI's counter-signed DPA is being closed. Google traffic moves from AI Studio Terms to a Vertex AI / Google Cloud DPA by 2026-05-21. Mistral AI is provisioned and ready to activate on the first Enterprise engagement contractually scoped to EU residency. Tenant data is not used for training on any provider regardless of paperwork form.

Need a specific provider excluded for internal policy reasons? That becomes a custom engagement — contact us to set up a call.

We select and route between models to optimise for quality; the specifics of which model handles which task are part of our proprietary methodology and not disclosed.

Infrastructure & Data Residency

Hosted on SOC 2 Type II certified infrastructure: Supabase (database and authentication), Vercel (web application), and Railway (compute). Production hosting is United States today; EU data residency is available on the Enterprise plan. All providers operate with encrypted-at-rest storage. Security headers are enforced platform-wide: Content Security Policy, HTTP Strict Transport Security, X-Frame-Options, Cross-Origin Resource Policy, and Permissions-Policy. Webhook deliveries to your systems are signed with HMAC-SHA256 for authenticity verification. ISO 27001 certification is in progress; we will publish the certificate on this page once issued.

Data Privacy & GDPR

Calafai B.V. is incorporated in the Netherlands and built with European data protection regulation from day one. Full data portability via one-click export. Right to deletion with cascade removal across all projects, deliverables, and run history, with audit trail anonymisation. Cookie consent management is built in. Data processing agreements are available on request for enterprise customers.

Audit Trail

Over 100 distinct action types are tracked: data access, configuration changes, authentication events, admin actions, API key usage, and project lifecycle events. Every record includes timestamp, user attribution, and metadata. Audit logs are tamper-evident and available to organisation owners.

Responsible AI Output

Every deliverable is quality-scored before it reaches you. Source claims are verified and graded by reliability. Conclusions are challenged for gaps, weak evidence, and unsupported assumptions. Financial assumptions are extracted and made testable. We hold AI-generated strategy work to the same standard a principal consultant would apply to their own team's output.

EU AI Act Compliance

Calafai is a limited-risk AI system under Regulation (EU) 2024/1689 (the AI Act). In plain English: every output we produce is marked as AI-generated. Every PDF carries machine-readable metadata. Every PPTX carries OOXML-property markers. Every conversational output in the Thinking Partner and the client portal carries an inline AI badge. Your readers always know what they are looking at. We use only model providers we actually route traffic to — published in full on our subprocessors page, with provider, location, and DPA status — and we update that page whenever the list changes. Calafai's outputs are advisory: a human reviews and decides, so we do not engage GDPR Article 22 on solely-automated decision-making, and we contractually require customers who republish to inform the public to perform their own human review under Article 50(4). For AI-Act-specific questions, including AI literacy under Article 4 or our limited-risk classification under Article 6, write to ai-act@calafai.com.

Incident Response

Security issues can be reported to security@calafai.com. We acknowledge reports within 24 hours and provide resolution timelines within 72 hours. Platform status and scheduled maintenance are communicated proactively. We do not currently operate a public bug bounty programme, but responsible disclosure is welcomed and credited.