Trust & Security
OpenTrain AI is the human data layer for AI. We treat the security and privacy of your data as foundational. This page summarizes our security posture and compliance program, and provides a CAIQ-Lite self-assessment for your security review.
Compliance program
Controls implemented and continuously monitored in our GRC program, with weekly timestamped evidence collection building the audit history.
Controls mapped to the HIPAA Security Rule safeguards (45 CFR §§ 164.308–316) in our GRC program; we sign Business Associate Agreements for qualifying healthcare workloads.
DPA with Standard Contractual Clauses available; records of processing maintained; data-subject erasure with verifiable proof-of-deletion.
Encryption
All traffic to the application and its APIs is served over HTTPS (TLS 1.2 or higher). Connections between application services and the managed PostgreSQL database use TLS.
Primary data is stored in managed PostgreSQL (Supabase), which encrypts data at rest with AES-256 using provider-managed keys.
Uploaded assets and files are stored in S3-compatible object storage that encrypts objects at rest with AES-256.
Sensitive application secrets (e.g. buyer-supplied API credentials) are never stored in plaintext. They are encrypted at rest with AES-256-GCM envelope encryption, carrying a key version and a non-reversible fingerprint so keys can be rotated and secrets can be verified without decryption.
Infrastructure-level encryption keys are managed by the underlying cloud providers (KMS). Application-level secret encryption uses a versioned master key held in the platform secret store, supporting rotation without re-enrolling users.
The managed database performs automated backups that are themselves encrypted at rest by the provider.
CAIQ-Lite self-assessment
A curated subset of the Cloud Security Alliance Consensus Assessments Initiative Questionnaire. For a full questionnaire or our latest reports, contact us below.
Data Security & Encryption
All traffic is served over HTTPS (TLS 1.2+). Service-to-database connections use TLS.
Database and object storage encrypt data at rest with AES-256 (provider-managed keys).
Sensitive secrets use AES-256-GCM envelope encryption with key versioning and non-reversible fingerprints; never stored in plaintext.
Identity & Access Management
TOTP-based MFA is supported for sensitive actions, with org-level MFA enforcement available to enterprise plans.
Access follows least-privilege via role-based access control across employer, labeler, admin, and API-token surfaces.
Enterprise plans can enforce an IP allowlist (CIDR) at both the session and API-token edges.
Single sign-on for enterprise workspaces is on the near-term roadmap.
Audit, Logging & Monitoring
Authentication, authorization, and security-configuration changes are recorded to an audit trail with request correlation.
Runtime errors and performance are monitored continuously; regressions are triaged and resolved.
Data Governance & Privacy
Data-subject erasure is supported and produces an immutable, independently-verifiable proof-of-deletion.
A DPA is available for customers processing personal data.
Controls are mapped to the HIPAA Security Rule safeguards (45 CFR §§ 164.308–316) in our GRC program; a Business Associate Agreement (BAA) is available for qualifying healthcare workloads.
Business Continuity & Resilience
The managed database performs automated backups that are encrypted at rest.
Hosted on established providers (Vercel, Supabase, Render, Cloudflare) with their own compliance certifications.
Application & Vulnerability Management
Static analysis (CodeQL) and dependency security audits run on a recurring schedule in CI.
Independent penetration testing is planned as part of the compliance program.
Subprocessors
Third parties that process customer data on our behalf. This list matches the vendor inventory in our compliance program and the subprocessor annex of our DPA.
Request compliance documents
The following are available to customers and qualified prospects under a mutual NDA. Email security@opentrain.ai — we'll send the NDA first, then the requested documents.
Security questions or reports
For any of the documents above, other security questions, or to report a vulnerability, email security@opentrain.ai. See also our Privacy Policy and Terms of Service.