
Security Policy

Last updated: 2025-01-29

Airi.chat is committed to protecting the confidentiality, integrity, and availability of customer data through layered technical and organizational controls.

1. Data Protection

Data is encrypted in transit (TLS 1.2+) and at rest where supported by our providers. Access is restricted based on role and least-privilege principles.

2. Multi-Tenant Data Isolation

Airi.chat is a multi-tenant SaaS platform. We implement strict data isolation to ensure that customer data is protected from unauthorized access by other customers:

  • Workspace-level isolation: All queries and operations are scoped to workspace identifiers to prevent cross-customer data access.
  • Database-level controls: Row-level security policies and application-level filtering ensure customers can only access their own data.
  • Widget analytics isolation: Analytics data collected through our web widget is tagged with workspace/company identifiers and filtered at query time to ensure complete isolation between customers.
  • Authorization checks: All API requests verify user permissions against workspace membership before returning data.

3. Authentication and Access

We employ robust authentication, session management, and audit controls:

  • User authentication: Strong password policies and secure session management.
  • Administrative access: Protected by multi-factor authentication (MFA) and monitored through audit logs.
  • Role-based access control (RBAC): Internal personnel access to customer data is restricted based on job function and necessity.
  • Audit logging: All data access by Airi.chat personnel is logged and can be reviewed upon request.

4. Vulnerability Management

We regularly patch dependencies, monitor for vulnerabilities, and address issues based on severity and risk.

5. Incident Response

We maintain an incident response process to detect, contain, and remediate security events and to notify affected parties as required by law.

6. Compliance

We follow industry best practices and align with common standards relevant to our size and risk profile. Formal certifications may be pursued as we grow.

7. Data Access by Airi.chat Personnel

Authorized Airi.chat personnel may access customer data for legitimate business purposes, including:

  • Platform operations and infrastructure maintenance
  • Customer support and troubleshooting
  • Security monitoring and incident response
  • Product improvement and analytics (using aggregated, anonymized data where possible)

All access is subject to strict internal policies, role-based permissions, and audit logging. We do not sell customer data or share it with third parties except as required to provide our services or as required by law.

8. Contact

Report a security issue or contact us at support@airi.chat.