Security at Expert AI Labs
We protect customer data with encryption, strict access controls, AI governance designed for restoration and franchise networks, and a public SOC 2 roadmap.
We are not SOC 2 certified today. Auditor is engaged; Type I attestation is targeted within 6 months of SPAR approval. Core controls (encryption, RLS, audit logging, RBAC, AI governance) are already operating in production. Full roadmap below.
Trust center last reviewed June 2026 · Privacy policy effective April 24, 2026
Controls in place today
These practices are operating now. They form the foundation for our SOC 2 audit work and any enterprise vendor review.
- TLS 1.3 in transit for every API request and page load
- AES-256 at rest for every database, backup, and file storage layer
- Automatic key rotation handled by Supabase and Vercel platforms
- Customer-supplied encryption keys (CMEK) available on enterprise plans
- Postgres Row-Level Security (RLS) on every tenant-owned table. One organization's data is never visible to another
- Role-based permissions: viewer, member, admin, owner
- Per-tenant API keys with scoped permissions, rotation, and immediate revocation
- Service-role keys isolated from user-facing surface; never exposed to the browser
- We do not train AI models on tenant data. Confirmed in writing in every customer contract and DPA
- All AI provider calls (Anthropic, OpenAI) use zero-data-retention API tiers where supported
- Tenant prompts are isolated; no cross-tenant context leakage
- Confidence scoring on AI-generated outputs that affect customer-facing decisions
- Human-in-the-loop required for any AI output destined for an insurer, claim file, or external customer
- Default 90-day retention for media (claim photos, recordings, transcripts); configurable per tenant
- Soft-delete with 90-day window before permanent purge for accidental-deletion recovery
- Right-to-erasure endpoint available to tenants. Completes within 30 days of request
- Full data-export available on demand for any tenant. JSON bundle of all records they own
- All data hosted in United States regions (Vercel + Supabase)
- Every state-changing action logged with actor, timestamp, IP, and correlation ID
- Immutable audit trail. Entries cannot be edited or deleted by tenants
- CSV export available to tenant admins via dashboard
- Audit data retained for 7 years to support insurance and regulatory requirements
- Hosted on Vercel (SOC 2 Type II) with Supabase database (SOC 2 Type II), both US regions
- Automated daily backups with 7-day point-in-time recovery
- Production deployments are signed, reviewed, and rolled back if regression detected
- Network DDoS protection and WAF at the edge via Cloudflare
SOC 2 timeline, published
We publish our roadmap because honesty about timing is more useful to vendor reviewers than a vague claim. Here is exactly where we are.
SOC 2-aligned controls already in place
Encryption, RLS, audit logging, RBAC, and AI governance practices align with SOC 2 Common Criteria. We have not yet completed a formal audit.
Vanta or Drata onboarding + readiness
Wire automated evidence collection (audit log, RBAC, encryption signals, vendor inventory). Complete vendor security questionnaires for prospective customers.
SOC 2 Type I report
Engage a third-party auditor (e.g., Prescient Assurance, Schellman, or Barr Advisory) for the Type I attestation.
SOC 2 Type II report
Complete the 12-month observation window and Type II attestation. Make report available to enterprise customers under NDA.
Annual penetration testing + DPA program
Third-party penetration test annually. GDPR / CCPA-compliant DPA available for any customer on request.
Who we use to deliver the service
We notify customers at least 30 days in advance of adding a new subprocessor that processes customer data. Email info@expertailabs.com to receive change notifications.
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
Vercel, Inc. | Application hosting, serverless compute, edge network, build pipeline | United States | SOC 2 Type IIISO 27001GDPR |
Supabase, Inc. | Primary database, authentication, file storage, row-level security | United States (us-east-1) | SOC 2 Type IIHIPAA-eligible plan available |
Anthropic, PBC | Large language model inference for content generation, classification, summarization We use Anthropic's zero-retention configuration. Tenant data is not used to train models. | United States | SOC 2 Type IIZero data retention API tier |
OpenAI, L.L.C. | Large language model inference, audio transcription (Whisper), embeddings, vision We use OpenAI's API zero-retention configuration where supported. Tenant data is not used to train models. | United States | SOC 2 Type IIZero data retention API tier |
Resend, Inc. | Transactional email delivery, deliverability monitoring, webhook event stream | United States | SOC 2 Type II |
Twilio, Inc. | SMS, voice, programmable messaging for lead-intake callback flows | United States | SOC 2 Type IIISO 27001HIPAA-eligible |
CallRail, LLC | Inbound call tracking, recording, transcription source | United States | SOC 2 Type IIPCI DSS |
Google LLC (Workspace, Ads, Maps Platform) | Email infrastructure (Workspace), conversion event reporting (Ads), business listing data (Maps), reCAPTCHA | United States | SOC 2 Type IIISO 27001ISO 27017ISO 27018 |
SemRush Inc. | SEO research, keyword ranking, competitive analysis | United States | SOC 2 Type II |
HeyGen Labs, Inc. | AI video generation from text scripts (per-franchise avatar configured manually) | United States | SOC 2 Type II |
Cloudflare, Inc. | DNS, CDN, DDoS protection, bot management for public marketing surface | Global edge | SOC 2 Type IIISO 27001PCI DSS |
We commit to 24-hour breach notification from the moment a security incident affecting customer data is confirmed.
Our incident response runbook covers: detection, containment, customer notification, regulator notification (where required), root-cause analysis, and post-incident review with corrective actions.
Customers receive a written incident report within 14 days of containment, with redactions only where legally required.
Report a security incidentWe welcome reports from security researchers and offer safe-harbor for good-faith research.
- Initial response within 2 business days
- Triage and remediation timeline within 7 days
- Public credit upon request after remediation
Reviewing us as a vendor?
We respond to security questionnaires within 5 business days. DPA available on request. Penetration test results and SOC 2 evidence shared under NDA once reports are issued.