Security
How we keep borrower data safe.
The short version: encrypted in transit and at rest, tenant-isolated by default, audit-logged end-to-end, and not used to train models. The long version follows.
Practices
Encryption
TLS 1.3 in transit. AES-256 at rest. KMS-managed keys per environment. Customer-managed keys available on Enterprise.
Access control
OIDC / SAML SSO. Role-based access internally with least-privilege defaults. Production access is gated by short-lived credentials and recorded for review.
Tenant isolation
Per-org logical isolation in Postgres, MinIO, and Temporal workflows. Every query and storage path is scoped by `org_id` enforced at the BFF.
Audit logging
Structured events for every classification, extraction, approval, and outbound action. 13-month retention by default, extensible.
Backups
Point-in-time recovery on Postgres. Encrypted object snapshots on MinIO. Restoration drills run quarterly.
Vulnerability management
Dependabot + Snyk on every repo. Static analysis in CI. External penetration test annually with remediation SLAs.
Vulnerability disclosure
Found a bug? Tell us first.
We acknowledge reports within 24 hours and triage within 72. Email security@adeft.ai with a description, reproduction, and your PGP key if you have one.
Incident response
We tell you fast.
If a security incident affects your data, you’ll hear from us within the regulatory window for your jurisdiction (and never later than 72 hours from confirmation).