Security

How AIM protects your data and what you can expect from our security posture.

Scope & Data Model

AIM is a recommendations and project-tracking tool. We do not need PII/PHI/PCI to operate. Please avoid entering sensitive data; if it is entered, it is protected by the controls below.

  • Expected data: system names, constraints, vendors, modernization metadata.
  • Not expected: PII, PHI, payment data. Keep it out of free-text fields and uploads.

Boundary:

  • AIM Application - Core app logic and APIs
  • Supabase - Database, authentication, file storage (SOC 2 Type II)
  • Vercel - Application hosting (SOC 2 Type II)
  • Anthropic - LLM inference only, server-side; API data not used for model training

  • Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Data residency: US regions (Supabase, Vercel)
  • DPAs available with Supabase and Vercel upon request

Shared Responsibility

  • You: Control what data you enter; avoid sensitive data; manage org membership; report issues.
  • AIM: Enforces auth, org scoping, RLS, validation, headers/CSP, server-only AI calls, and auditability.
  • Vendors: Supabase (data/auth, encryption, RLS), Vercel (hosting, TLS), AI providers (model processing). We rely on their security attestations.

Key Controls

  • Supabase Auth + organization scoping + Row Level Security on data.
  • Secrets in environment variables; no service-role keys on the client.
  • TLS in transit; encryption at rest via Supabase; security headers/CSP via Next.js + middleware.
  • Input validation (Zod) and prohibition of eval/Function/innerHTML with untrusted input.
  • AI model calls server-side only; no client-side key exposure.
  • Pulse public embeds: sanitized data, token-based access, domain allowlist.
  • Audit logging for critical actions (in progress) and least-privilege access reviews.
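As an added illustration of the first control above (organization scoping enforced in the database with Row Level Security), the SQL below is example code, not AIM's own schema; the table and column names are assumptions, while `auth.uid()` is the Supabase helper that resolves the calling user from the request's JWT.

```sql
-- Added example (not AIM's schema): organization scoping with Postgres RLS on Supabase.
-- Table and column names are hypothetical.

create table organization_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users (id) on delete cascade,
  primary key (org_id, user_id)
);

create table projects (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,
  name    text not null
);

-- Deny by default: with RLS enabled, only rows permitted by a policy are visible
-- or writable through the anon/authenticated roles.
alter table organization_members enable row level security;
alter table projects enable row level security;

-- A user may read only their own membership rows.
-- auth.uid() is NULL for unauthenticated callers, so the comparison never matches.
create policy "members read own membership" on organization_members
  for select using (user_id = auth.uid());

-- A user may read or change a project only if they belong to its organization.
-- USING filters rows on read/update/delete; WITH CHECK blocks inserts/updates that
-- would move a row outside the caller's organizations.
create policy "org members access projects" on projects
  for all
  using (
    exists (
      select 1 from organization_members m
      where m.org_id = projects.org_id
        and m.user_id = auth.uid()
    )
  )
  with check (
    exists (
      select 1 from organization_members m
      where m.org_id = projects.org_id
        and m.user_id = auth.uid()
    )
  );
```

These policies only apply to requests made with the anon or authenticated roles; the Supabase service-role key bypasses RLS entirely, which is why the control list keeps it server-side.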

Compliance Posture

  • SOC 2 Type I → Type II: in progress; evidence collection and control mapping underway.
  • NIST CSF: maintaining a crosswalk to show coverage and gaps.
  • Vendor attestations: leverage Supabase, Vercel, and AI provider security reports in a shared-responsibility model.

Questions?

If you have questions about our security practices or need additional documentation for compliance purposes, please reach out.

Contact: [email protected]