Security
Last updated: February 22, 2026
GetDemand.ai is built with security at every layer. Your sales data, customer information, and business intelligence are protected by enterprise-grade security controls and privacy-first operating practices.
Encryption
- โขTLS 1.3 encryption for all data in transit
- โขAES-256 encryption for data at rest
- โขEncrypted database backups stored in geographically separate regions
Infrastructure
- โขHosted on Vercel (provider publishes security attestations, including SOC reports)
- โขDatabase on Supabase (provider security controls plus row-level security support)
- โขAll infrastructure runs on AWS with ISO 27001 certification
- โขAutomatic failover and redundancy across availability zones
Access Control
- โขRole-based access control (RBAC) for team members
- โขTenant-level data isolation โ your data is never accessible to other accounts
- โขSession management with automatic timeout and single-session enforcement
- โขOAuth 2.0 and email/password authentication via Supabase Auth
Monitoring & Audit
- โขReal-time monitoring of platform health and security events
- โขAudit logs for account access and data changes
- โขAutomated alerting for anomalous access patterns
- โขRegular dependency scanning for known vulnerabilities
Compliance
- โขSOC 2-aligned security practices and controls
- โขGDPR-ready privacy workflows and data processing terms support
- โขHIPAA-ready safeguards for protected health information use cases (see HIPAA page)
- โขStandard Contractual Clauses (SCCs) available/used where applicable for cross-border transfers
Incident Response
- โขDocumented incident response plan with defined escalation procedures
- โขTarget notification timelines based on applicable law and contract obligations (including GDPR timelines where applicable)
- โขPost-incident review and remediation for every security event
- โขRegular tabletop exercises to test response procedures
AI Data Processing
- โขAI agent processing uses OpenAI and Anthropic APIs with data processing agreements in place.
- โขYour data is not used to train third-party AI models. Both providers offer zero data retention for API usage.
- โขAI-generated content (emails, quotes, research) is stored in your account and is not shared across tenants.
Third-Party Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and CDN | United States |
| Supabase | Database, authentication, storage | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| OpenAI | AI agent processing | United States |
| Anthropic | AI agent processing | United States |
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly:
- โขEmail: security@getdemand.ai
- โขInclude a description of the vulnerability, steps to reproduce, and potential impact.
- โขWe will acknowledge receipt within 48 hours and provide a remediation timeline.
- โขPlease do not publicly disclose the vulnerability until we have addressed it.