Security & Data Protection
Your company's knowledge should stay your company's knowledge.
KeyPersonAI is built for sensitive business knowledge — the kind of judgment, context, and relationships that don't belong on the open internet. The architecture below describes how we protect that material today and what's available when an engagement requires more.
Last updated April 2026. We update this page as the architecture evolves; we don't claim certifications we haven't earned.
Foundation
Built on infrastructure that already meets enterprise security standards.
KeyPersonAI runs on a stack of vendors that hold the certifications most enterprise buyers ask about. Their controls are inherited by anything we build on top.
Cloudflare
Hosting & edge infrastructure
SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS Level 1. HIPAA-eligible services available for engagements that require a Business Associate Agreement.
Anthropic Claude
AI processing
SOC 2 Type II. Captured material is processed under enterprise API terms that prohibit using your data to train models. Zero-retention configuration available on request.
Resend
Transactional email
SOC 2 Type II. Used only for engagement-related communications you've opted into.
Controls
What's protecting your data, in plain English.
Encryption in transit
All traffic uses TLS 1.3. There is no plaintext path to or from KeyPersonAI services.
Encryption at rest
Captured material, documents, and backups are encrypted at rest using AES-256 by the underlying storage providers.
Tenant isolation
Each customer's captured knowledge is logically isolated. One customer's data is never accessible to another customer.
Customer-controlled access
Your company decides who can see which captured material. Sensitive topics can be flagged, restricted to specific roles, or excluded entirely.
Review before publish
Captured material is reviewed and approved by your team before broader access is granted. Nothing reaches a wider audience without explicit sign-off.
No training on your data
Your captured knowledge is never used to train AI models. This is contractually committed by our AI vendors and reinforced by our own engagement terms.
Engagement-only use
Captured material is used only for the engagement you commissioned. We don't sell data, share it with advertisers, or use it for any other purpose.
Confidentiality
Anyone on our team with access to captured material is bound by confidentiality agreements. Access is granted on a need-to-know basis.
Authenticated access
Customer access is gated behind authenticated, audited sessions. Multi-factor authentication is supported and recommended.
Data export and deletion
Your captured knowledge belongs to you. You can export it at any time, and you can request deletion at the end of an engagement.
For Regulated Industries
Formal arrangements for engagements that require them.
Some engagements need more than baseline controls. The arrangements below are scoped during the engagement rather than offered by default — if you need one, raise it in the first conversation and we'll build it into the agreement.
Law firms & professional services
Engagement structures aligned with confidentiality obligations and applicable state-bar guidance on third-party AI. Privileged or sensitive matter material can be excluded, redacted, or held under specific access restrictions.
Medical & healthcare
Engagements involving Protected Health Information are scoped to require a Business Associate Agreement before any PHI is processed. We use HIPAA-eligible infrastructure for these engagements.
Enterprise & family offices
Dedicated tenancy, customer-specific data residency, on-premise review, and formal third-party security attestation can be scoped for engagements that require them.
What We Don't Do
The promises that matter most are the ones written in the negative.
- We don't sell your data. Captured knowledge is not a product line. It is not packaged, anonymized, sold, or licensed to anyone.
- We don't train AI models on your data. Your captured material is processed under enterprise terms that prohibit using it for model training. This is contractually committed.
- We don't share captured knowledge outside the engagement. The only people who see your captured material are the people you authorize and the small team supporting the engagement.
- We don't claim certifications we haven't earned. Where the security model relies on a vendor's certification, we say so. Where formal attestation is on the roadmap rather than completed, we say that too.
Have a specific security question for your situation?
Most engagements have a security question or two that's worth a direct conversation. We'd rather answer in plain English than send a generic SOC 2 link.