
Trust center

Security by architecture, not by policy.

AIovert is designed so there is minimal sensitive data to protect in the first place. Classification happens entirely on-device; we receive only event metadata.

  • Raw content transmitted: 0
  • Event metadata only: 5 fields
  • Data residency: EU
  • Encryption in transit: TLS 1.3

Certifications

Certifications & architecture.

Our SOC 2 Type II audit is underway. The on-device architecture reduces the attack surface before any certification is needed.


SOC 2 Type II

In progress

Audit is underway. The full report is available to prospects under NDA on request.

On-device classification

Active

Detection runs entirely inside the browser extension. Zero raw content is ever transmitted or stored.

EU data residency

Active

All event metadata is stored in EU-region infrastructure. Classification itself runs in the user's browser; the resulting metadata stays within EU jurisdiction.

Security practices

How we protect what we hold.

We hold only classification metadata. These are the technical and organizational controls that govern it.

Data minimization

  • Classification runs entirely on-device. Raw text never leaves the browser.
  • Only 5 fields transmitted: label, domain, action, timestamp, SHA-256 hash
  • AIovert cannot reconstruct any original content from what it receives

Infrastructure

  • Data stored in EU-region infrastructure (AWS eu-central-1, Frankfurt)
  • Encryption in transit via TLS 1.3; encryption at rest via AES-256
  • Row-level security isolates each organization's data at the database layer

Application security

  • Chrome Manifest V3 extension: no remotely hosted code (every script ships inside the extension package), strict CSP enforced
  • Extension reviewed under Google's Chrome Web Store security policies
  • No network proxies, no certificate installation, no traffic interception required
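The Manifest V3 claim above, as an added lint in JavaScript (not AIovert's manifest or code) that a CI job can run against a built extension: MV3 only accepts `'self'`, `'none'` and `'wasm-unsafe-eval'` as `script-src` sources in the `extension_pages` policy, so any remote origin, `'unsafe-eval'` or `'unsafe-inline'` is a finding. The two manifests are constructed samples.

```javascript
// Added example, not AIovert's manifest or code. Lints an extension manifest
// for the Manifest V3 "no remotely hosted code, strict CSP" property.

// Sources Chrome permits in script-src for MV3 extension pages.
const MV3_SCRIPT_SOURCES = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens.map((t) => t.toLowerCase());
    directives.set(name, sources);
  }
  return directives;
}

// Returns a list of findings; empty means the manifest satisfies the check.
function lintExtensionManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) findings.push("manifest_version must be 3");
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") {
    findings.push("content_security_policy is an MV2-style string; MV3 expects { extension_pages, sandbox }");
    return findings;
  }
  // Chrome's MV3 default when no extension_pages policy is declared.
  const policy = csp && typeof csp.extension_pages === "string"
    ? csp.extension_pages
    : "script-src 'self'; object-src 'self'";
  const directives = parseCsp(policy);
  const scriptSrc = directives.get("script-src");
  if (!scriptSrc) findings.push("extension_pages CSP has no script-src directive");
  for (const src of scriptSrc || []) {
    if (!MV3_SCRIPT_SOURCES.has(src)) findings.push(`script-src source not allowed in MV3: ${src}`);
  }
  for (const src of directives.get("object-src") || []) {
    if (src !== "'self'" && src !== "'none'") findings.push(`object-src should be 'self' or 'none', got ${src}`);
  }
  return findings;
}

// Constructed samples: a weak policy that pulls script from a CDN and allows
// eval, beside the strict policy an MV3 extension should declare.
const WEAK_MANIFEST = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
  },
};
const STRICT_MANIFEST = {
  manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

console.log(lintExtensionManifest(WEAK_MANIFEST));   // two findings
console.log(lintExtensionManifest(STRICT_MANIFEST)); // []
```

Chrome refuses to load an MV3 manifest with a remote `script-src` source, so the check mostly catches regressions before review rather than at install time; the value is having the property asserted in the build, next to the claim made on this page.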

Access controls

  • Least-privilege access to production systems; no standing admin sessions
  • MFA enforced across all team members and critical service accounts
  • Production access audit logs retained; quarterly access reviews performed

Incident response

  • Supervisory authority notified within 72 hours of becoming aware of a personal-data breach, as GDPR Article 33 requires; affected customers are informed in parallel
  • Named security lead with a documented escalation path
  • Post-incident reviews shared with affected customers including root-cause analysis

Organizational

  • Background checks for all employees and contractors with system access
  • Annual security awareness training for the full team
  • Vendor risk assessments required before engaging any new sub-processor

Sub-processors

Third-party services we use.

All sub-processors are engaged under written terms no less protective than our DPA. None receive raw content; each receives only the data needed for its function (event metadata, account, billing or delivery details), as described in our Privacy Policy.

Service · Purpose · Location

  • Supabase: database & authentication. EU · Frankfurt (AWS eu-central-1)
  • Vercel: web hosting & edge CDN. EU edge / US origin
  • Stripe: payment processing. US (PCI-DSS Level 1)
  • Resend: transactional email delivery. US
  • Google: OAuth sign-in · Chrome Web Store distribution. Global

For the current list or advance notice of changes, email dpo@aiovert.com.

Security contact

Report a vulnerability.

If you believe you have found a security issue in AIovert, please disclose it responsibly. We acknowledge all reports within 48 hours and aim to resolve critical issues within 7 days.

security@aiovert.com

Data protection

Privacy & DPO enquiries.

For data-subject rights requests, DPA sign-offs, sub-processor lists, or any GDPR enquiry, contact our data protection team. We respond within 5 business days.

dpo@aiovert.com