Security at acipta.ai

Evidence retention — 5 years, standard on every tier

Evidence is retained for 5 years on every tier, including Early Access. Each verdict is stored as a self-contained pack — verdict, source-artifact reference, pipeline state, and cryptographic seal. Need longer? Business+ tier includes 7-year retention by default; Enterprise includes 7- to 10-year by negotiation. Below those tiers, extended retention — including HIPAA's 6-year requirement and custom 7- or 10-year horizons — is available as an add-on. This is separate from operational backups, which are retained 30 days for disaster recovery.

Independently verifiable — no proprietary viewer

Replay artifacts are sealed with open primitives — Ed25519, RFC 3161, SHA-256. An auditor, opposing counsel, or a forensic examiner can verify integrity with standard cryptographic tools, without acipta's cooperation and without a proprietary viewer.

SOC 2 Type 2

SOC 2 Type 2 and HIPAA certifications are targeted for August 23, 2026, with the compliance program in flight today. Framework coverage on the acipta platform does not constitute framework compliance for your organization — your auditor is the regulated party and accepts the evidence we generate, not the framework certification.

GDPR Compliance

acipta.ai fully complies with the General Data Protection Regulation (GDPR). We maintain data processing agreements with all customers, provide data subject access rights, and support data portability requests. Customer data is never used to train AI models.

HIPAA Readiness

Our architecture is certified for HIPAA compliance. We support Business Associate Agreements (BAAs), maintain audit trails for healthcare data, implement role-based access controls, and provide encryption for protected health information (PHI).

ISO 27001

We are pursuing ISO 27001 certification in 2026 to demonstrate comprehensive information security management across all operational processes.

Secure Software Development Lifecycle (SDLC)

Every line of code goes through rigorous security review. We follow OWASP Top 10 standards and perform threat modeling on all new features. All developers complete security training annually.

Customer Data Isolation

Each customer's data is logically isolated with row-level security controls. Database-level encryption ensures data remains encrypted even if storage is compromised. No cross-customer data access is possible.

Data Retention & Deletion

Customer data is retained only as long as necessary for compliance audits and regulatory requirements. Customers can request deletion of their data at any time. Deletion requests are processed within 30 days and verified with cryptographic hashing to confirm complete removal.

No Training on Customer Data

Customer data is never used to train or improve our AI models. Our compliance agents are trained on publicly available compliance frameworks and industry best practices. Customer-specific configurations remain confidential.

Data Sharing

We do not share, sell, or disclose customer data to third parties except as required by law. All third-party processors are bound by data processing agreements with equivalent security requirements. Customers maintain full control over their data.

24-Hour Notification

In the event of a security incident affecting customer data, we commit to notifying all affected customers within 24 hours of discovery. Notifications include the scope of impact, steps taken to remediate, and recommended actions for customers.

Post-Incident Review

Every security incident triggers a comprehensive post-incident review. We document root causes, implement preventive measures, and update our security practices. Findings are shared with affected customers in a detailed incident report.

Communication Plan

Clear, transparent communication throughout incident lifecycle. Dedicated incident response team available 24/7. Customer can designate a primary security contact for incident notifications.

Incident Response Team

Our security team includes incident response specialists with experience in detection, containment, and forensics. We maintain relationships with external security firms for third-party investigation when needed.

Security Vulnerability Reporting

If you discover a security vulnerability in acipta.ai, please report it to [email protected] with details of the vulnerability, affected components, and reproduction steps. Do not publicly disclose the vulnerability until we've had time to investigate and patch.

Responsible Disclosure Program

We commit to:

• Acknowledging receipt of security reports within 24 hours
• Providing initial assessment within 5 business days
• Releasing security patches within 15 business days of confirmation
• Crediting researchers in our security advisories (with permission)

We maintain a responsible disclosure program and encourage security researchers to help us improve our security posture. Researchers who discover vulnerabilities through responsible disclosure will not face legal action.

Scope of Responsible Disclosure

Responsible disclosure applies to vulnerabilities in acipta.ai's infrastructure, applications, and services. DoS attacks, account enumeration, and social engineering attempts are out of scope and may result in legal action.