Trust & Security

OpenTrain AI is the human data layer for AI. We treat the security and privacy of your data as foundational. This page summarizes our security posture and compliance program, and provides a CAIQ-Lite self-assessment for your security review.

Compliance program

SOC 2 Type II
In progress

Controls implemented and continuously monitored in our GRC program, with weekly timestamped evidence collection building the audit history.

HIPAA
HIPAA-ready · BAA available

Controls mapped to the HIPAA Security Rule safeguards (45 CFR §§ 164.308–316) in our GRC program; we sign Business Associate Agreements for qualifying healthcare workloads.

GDPR / CCPA
Supported

DPA with Standard Contractual Clauses available; records of processing maintained; data-subject erasure with verifiable proof-of-deletion.

Encryption

Data in transit
TLS 1.2+ everywhere

All traffic to the application and its APIs is served over HTTPS (TLS 1.2 or higher). Connections between application services and the managed PostgreSQL database use TLS.

Data at rest — database
AES-256 managed encryption

Primary data is stored in managed PostgreSQL (Supabase), which encrypts data at rest with AES-256 using provider-managed keys.

Data at rest — object storage
AES-256 managed encryption

Uploaded assets and files are stored in S3-compatible object storage that encrypts objects at rest with AES-256.

Application secrets
Envelope encryption (AES-256-GCM), key-versioned

Sensitive application secrets (e.g. buyer-supplied API credentials) are never stored in plaintext. They are encrypted at rest with AES-256-GCM envelope encryption, carrying a key version and a non-reversible fingerprint so keys can be rotated and secrets can be verified without decryption.

Key management
Provider-managed KMS + versioned app keys

Infrastructure-level encryption keys are managed by the underlying cloud providers (KMS). Application-level secret encryption uses a versioned master key held in the platform secret store, supporting rotation without re-enrolling users.

Backups
Encrypted automated backups

The managed database performs automated backups that are themselves encrypted at rest by the provider.

CAIQ-Lite self-assessment

A curated subset of the Cloud Security Alliance Consensus Assessments Initiative Questionnaire. For a full questionnaire or our latest reports, contact us below.

Data Security & Encryption

Yes
Is data encrypted in transit?

All traffic is served over HTTPS (TLS 1.2+). Service-to-database connections use TLS.

Yes
Is data encrypted at rest?

Database and object storage encrypt data at rest with AES-256 (provider-managed keys).

Yes
Are application secrets protected at rest?

Sensitive secrets use AES-256-GCM envelope encryption with key versioning and non-reversible fingerprints; never stored in plaintext.

Identity & Access Management

Yes
Is multi-factor authentication supported?

TOTP-based MFA is supported for sensitive actions, with org-level MFA enforcement available to enterprise plans.

Yes
Is role-based access control enforced?

Access follows least-privilege via role-based access control across employer, labeler, admin, and API-token surfaces.

Yes
Can access be restricted to approved networks?

Enterprise plans can enforce an IP allowlist (CIDR) at both the session and API-token edges.

In progress
Is SSO (SAML/OIDC) available?

Single sign-on for enterprise workspaces is on the near-term roadmap.

Audit, Logging & Monitoring

Yes
Are security-relevant events logged?

Authentication, authorization, and security-configuration changes are recorded to an audit trail with request correlation.

Yes
Is application error and performance monitoring in place?

Runtime errors and performance are monitored continuously; regressions are triaged and resolved.

Data Governance & Privacy

Yes
Do you support the right to erasure (GDPR / CCPA)?

Data-subject erasure is supported and produces an immutable, independently-verifiable proof-of-deletion.

Yes
Is a Data Processing Addendum (DPA) available?

A DPA is available for customers processing personal data.

Partial
Do you support HIPAA workloads?

Controls are mapped to the HIPAA Security Rule safeguards (45 CFR §§ 164.308–316) in our GRC program; a Business Associate Agreement (BAA) is available for qualifying healthcare workloads.

Business Continuity & Resilience

Yes
Are backups performed and encrypted?

The managed database performs automated backups that are encrypted at rest.

Yes
Is infrastructure hosted on reputable cloud providers?

Hosted on established providers (Vercel, Supabase, Render, Cloudflare) with their own compliance certifications.

Application & Vulnerability Management

Yes
Is automated code and dependency scanning performed?

Static analysis (CodeQL) and dependency security audits run on a recurring schedule in CI.

In progress
Has an independent penetration test been performed?

Independent penetration testing is planned as part of the compliance program.

Subprocessors

Third parties that process customer data on our behalf. This list matches the vendor inventory in our compliance program and the subprocessor annex of our DPA.

VercelApplication hosting & edge networkUnited States
SupabaseManaged PostgreSQL database & object storageUnited States
RenderBackend services & scheduled jobsUnited States
CloudflareCDN, DNS, security & object storage (R2)Global (edge)
StripePayment processingUnited States
AnthropicLLM inference for assistive platform featuresUnited States
OpenAILLM inference for assistive platform featuresUnited States
IntercomCustomer support messagingUnited States
GitHubSource code hosting & CIUnited States
Google WorkspaceBusiness email & collaborationUnited States
SentryError & performance monitoringUnited States

Request compliance documents

The following are available to customers and qualified prospects under a mutual NDA. Email security@opentrain.ai — we'll send the NDA first, then the requested documents.

Data Processing Addendum (DPA)GDPR Art. 28 terms with SCCs and subprocessor annex
Business Associate Agreement (BAA)For workloads containing protected health information
Security OverviewArchitecture, encryption, data-handling and program status
Full CAIQ self-assessmentComplete Cloud Security Alliance questionnaire
Security policies & control mappingsExports from our GRC program (SOC 2 / HIPAA / GDPR)

Security questions or reports

For any of the documents above, other security questions, or to report a vulnerability, email security@opentrain.ai. See also our Privacy Policy and Terms of Service.