Security & Infrastructure

Security you can prove
to your insurance client.

Enterprise buyers and insurance carriers ask hard questions before they trust a platform with property data, policyholder contacts, and AI outreach at scale. This page answers those questions directly — no marketing language, no weasel words.

What we secure

Infrastructure, data layer, access control, and operational posture.

Data at rest

AES-256 encryption on all database volumes (Supabase / AWS RDS PostgreSQL 17)
Encryption keys managed by AWS KMS with automatic annual rotation
Storage buckets for documents and recordings encrypted with SSE-S3
Database secrets and API keys stored in encrypted vault — never in source code

Data in transit

TLS 1.3 on all public endpoints — TLS 1.0/1.1 disabled
HSTS enforced with preload on ai-storms.com
Internal service-to-service communication over private VPC with TLS
Certificate management via Let's Encrypt with automated renewal

Access control

Role-based access: 5 roles (super_admin → org_admin → manager → staff → readonly)
Row-Level Security on every database table — enforced at the PostgreSQL layer, not application layer
Multi-factor authentication required for admin system access
No shared credentials — every user, every service has its own identity

Audit logging

Immutable audit trail on every contact attempt: timestamp, channel, outcome, suppression reason
Platform-level audit log for all admin actions: login, config change, data export
Logs retained for 12 months minimum, exportable as CSV or via API
Sentry error tracking with source maps for application-layer observability

Backup strategy

Supabase managed daily backups with point-in-time recovery (7-day window on standard, 30-day on enterprise)
Application infrastructure snapshots via Hostinger VPS tooling
Redis AOF persistence for queue data durability
Backup restoration tested quarterly

DR targets

Recovery Time Objective (RTO): 4 hours for full platform restoration
Recovery Point Objective (RPO): 1 hour — maximum data loss window
Geographic redundancy: Supabase on AWS us-east-1, VPS on Hostinger EU-West
DR plan documented — tabletop test target Q3 2026 per SOC 2 roadmap

What we do not store

Explicit commitments — written here, enforced in the system.

Credit card numbers

We never touch raw card data. All payments are processed by Stripe. Card numbers, CVVs, and bank details flow directly to Stripe's PCI-DSS Level 1 certified vault — our servers never see them.

Voice recordings (beyond agent scope)

ElevenLabs voice agents are provisioned with data-retention disabled. Individual call transcripts are not stored on ElevenLabs infrastructure. AI-STORMS retains only the call outcome metadata (disposition, duration, opt-out signal) required for audit compliance.

Revoked opt-outs

Opt-outs are permanent. A contact who requests removal is suppressed in our internal opt-out ledger and is never re-enrolled — even across campaigns, customers, or organizations on the platform.

Compliance progress

Where we are today — and where we are headed. We do not claim certifications we do not hold.

SOC 2 Type I

In progress

Target: Q4 2026 — Type I report issued by auditor
GRC platform under evaluation: Vanta / Drata
Scope: CC1–CC9 (Security), A1 (Availability), C1 (Confidentiality)
Not yet certified — do not use in RFP responses claiming SOC 2

Full roadmap: ai-storms.com/compliance

Penetration Testing

Planned

Cadence: annual external penetration test
Scope: API endpoints, authentication, multi-tenant isolation, AI agent interfaces
First test targeted: September 2026 per SOC 2 roadmap
Reports available to enterprise customers under NDA

Important: AI-STORMS does not currently hold a SOC 2 report. We are in the pre-assessment phase. Enterprise customers requiring a current SOC 2 report should contact us to discuss our security controls under NDA. We will not misrepresent our certification status in any sales material or contractual commitment.

Sub-processors

The following third-party providers process customer data on our behalf. This list maps to Annex B of our Data Processing Agreement. Changes will be notified to enterprise customers 30 days in advance.

Processor	Category	Purpose	Location	Data Types
Supabase (AWS)	Database / Storage	PostgreSQL database hosting, file storage, authentication	USA (us-east-1)	All customer data, PII, property records
Stripe	Payments	Payment processing, subscription management	USA / Global	Billing contacts, payment tokens (never raw card data)
ElevenLabs	AI Voice	AI voice synthesis for inbound/outbound call agents	USA	Phone numbers, call scripts (no recordings retained per config)
Twilio	Telephony / SMS	SMS delivery, phone number provisioning, voice PSTN	USA	Phone numbers, SMS content, call metadata
SendGrid (Twilio)	Email Delivery	Transactional and campaign email delivery	USA	Email addresses, names, campaign content
ATTOM Data Solutions	Property Data	Property ownership records and address data	USA	Property addresses, APN identifiers, ownership names
BatchData	Skip Trace / Enrichment	Contact enrichment, skip tracing, DNC/deceased filtering	USA	Phone numbers, addresses, names
NOAA / NWS	Weather Intelligence	Storm event monitoring, severe weather alerts	USA (Federal)	No PII — weather data only
PostHog	Analytics	Product analytics and feature flag management	USA	Anonymized usage events, session metadata

Responsible disclosure

If you discover a security vulnerability in AI-STORMS, we want to hear from you. We ask that you follow coordinated disclosure so we can protect our customers before details are made public.

Contact

security@ai-storms.com

PGP encryption available on request. Please include a description of the issue, steps to reproduce, potential impact, and any proof-of-concept. We will acknowledge receipt within 2 business days and provide a resolution timeline.

In scope

ai-storms.com and all subdomains
API endpoints serving AI-STORMS platform
ElevenLabs AI voice agent endpoints
Customer portal and authentication flows

Out of scope

Denial of service attacks
Social engineering of employees
Physical attacks on infrastructure
Issues in third-party software outside our control

Platform status

Real-time uptime and incident history

status.ai-storms.com(coming soon)

What we secure

Infrastructure, data layer, access control, and operational posture.

Data at rest

AES-256 encryption on all database volumes (Supabase / AWS RDS PostgreSQL 17)
Encryption keys managed by AWS KMS with automatic annual rotation
Storage buckets for documents and recordings encrypted with SSE-S3
Database secrets and API keys stored in encrypted vault — never in source code

Data in transit

TLS 1.3 on all public endpoints — TLS 1.0/1.1 disabled
HSTS enforced with preload on ai-storms.com
Internal service-to-service communication over private VPC with TLS
Certificate management via Let's Encrypt with automated renewal

Access control

Role-based access: 5 roles (super_admin → org_admin → manager → staff → readonly)
Row-Level Security on every database table — enforced at the PostgreSQL layer, not application layer
Multi-factor authentication required for admin system access
No shared credentials — every user, every service has its own identity

Audit logging

Immutable audit trail on every contact attempt: timestamp, channel, outcome, suppression reason
Platform-level audit log for all admin actions: login, config change, data export
Logs retained for 12 months minimum, exportable as CSV or via API
Sentry error tracking with source maps for application-layer observability

Backup strategy

Supabase managed daily backups with point-in-time recovery (7-day window on standard, 30-day on enterprise)
Application infrastructure snapshots via Hostinger VPS tooling
Redis AOF persistence for queue data durability
Backup restoration tested quarterly

DR targets

Recovery Time Objective (RTO): 4 hours for full platform restoration
Recovery Point Objective (RPO): 1 hour — maximum data loss window
Geographic redundancy: Supabase on AWS us-east-1, VPS on Hostinger EU-West
DR plan documented — tabletop test target Q3 2026 per SOC 2 roadmap

What we do not store

Explicit commitments — written here, enforced in the system.

Credit card numbers

We never touch raw card data. All payments are processed by Stripe. Card numbers, CVVs, and bank details flow directly to Stripe's PCI-DSS Level 1 certified vault — our servers never see them.

Voice recordings (beyond agent scope)

Revoked opt-outs

Opt-outs are permanent. A contact who requests removal is suppressed in our internal opt-out ledger and is never re-enrolled — even across campaigns, customers, or organizations on the platform.

Compliance progress

Where we are today — and where we are headed. We do not claim certifications we do not hold.

SOC 2 Type I

In progress

Target: Q4 2026 — Type I report issued by auditor
GRC platform under evaluation: Vanta / Drata
Scope: CC1–CC9 (Security), A1 (Availability), C1 (Confidentiality)
Not yet certified — do not use in RFP responses claiming SOC 2

Full roadmap: ai-storms.com/compliance

Penetration Testing

Planned

Cadence: annual external penetration test
Scope: API endpoints, authentication, multi-tenant isolation, AI agent interfaces
First test targeted: September 2026 per SOC 2 roadmap
Reports available to enterprise customers under NDA

Sub-processors

Processor	Category	Purpose	Location	Data Types
Supabase (AWS)	Database / Storage	PostgreSQL database hosting, file storage, authentication	USA (us-east-1)	All customer data, PII, property records
Stripe	Payments	Payment processing, subscription management	USA / Global	Billing contacts, payment tokens (never raw card data)
ElevenLabs	AI Voice	AI voice synthesis for inbound/outbound call agents	USA	Phone numbers, call scripts (no recordings retained per config)
Twilio	Telephony / SMS	SMS delivery, phone number provisioning, voice PSTN	USA	Phone numbers, SMS content, call metadata
SendGrid (Twilio)	Email Delivery	Transactional and campaign email delivery	USA	Email addresses, names, campaign content
ATTOM Data Solutions	Property Data	Property ownership records and address data	USA	Property addresses, APN identifiers, ownership names
BatchData	Skip Trace / Enrichment	Contact enrichment, skip tracing, DNC/deceased filtering	USA	Phone numbers, addresses, names
NOAA / NWS	Weather Intelligence	Storm event monitoring, severe weather alerts	USA (Federal)	No PII — weather data only
PostHog	Analytics	Product analytics and feature flag management	USA	Anonymized usage events, session metadata

Responsible disclosure

If you discover a security vulnerability in AI-STORMS, we want to hear from you. We ask that you follow coordinated disclosure so we can protect our customers before details are made public.

Contact

security@ai-storms.com

In scope

ai-storms.com and all subdomains
API endpoints serving AI-STORMS platform
ElevenLabs AI voice agent endpoints
Customer portal and authentication flows

Out of scope

Denial of service attacks
Social engineering of employees
Physical attacks on infrastructure
Issues in third-party software outside our control

Security you can proveto your insurance client.

What we secure

Data at rest

Data in transit

Access control

Audit logging

Backup strategy

DR targets

What we do not store

Credit card numbers

Voice recordings (beyond agent scope)

Revoked opt-outs

Compliance progress

SOC 2 Type I

Penetration Testing

Sub-processors

Responsible disclosure

In scope

Out of scope

Platform status

Security you can proveto your insurance client.

What we secure

Data at rest

Data in transit

Access control

Audit logging

Backup strategy

DR targets

What we do not store

Credit card numbers

Voice recordings (beyond agent scope)

Revoked opt-outs

Compliance progress

SOC 2 Type I

Penetration Testing

Sub-processors

Responsible disclosure

In scope

Out of scope

Platform status

Security you can prove
to your insurance client.

Security you can prove
to your insurance client.