Trust Center

Security & Compliance

Name: Aditya Labs AI Agent Platform
Author: Aditya Labs

We publish what is live, what is planned, and where human review is required so customers can make informed decisions.

Data Processing Agreement Privacy Policy Security Policy System Status

Human Oversight Commitment

Aditya Labs is designed for authorised, human-supervised customer operations. It helps teams coordinate workflows, respond faster, and keep clear records, but it does not replace human judgment. Outputs, recommendations, and automations may be incomplete, delayed, or mistaken and must be reviewed by authorised personnel before reliance in legal, financial, operational, security, or customer-impacting contexts.

Human review is required before any action that may materially affect production systems, customer data, regulated workflows, billing, external communications, access permissions, or legal rights.

✓Production system changes
✓Customer data handling or disclosure
✓Regulated workflows
✓Billing and refunds
✓External communications
✓Access control and permission changes
✓Actions that may affect legal rights or obligations

Plain-English Promise

We do not use fake reviews, fabricated claims, or misleading performance statements.

The service is provided on an as-available basis. We aim for reliability and continuous improvement, but we do not represent that the service will be uninterrupted, error-free, fully accurate, or suitable for every purpose.

Compliance Posture

GDPR

Designed For

Platform designed to support GDPR requirements (data rights, DPA, breach notification). Not independently audited.

Since: 2024

EU AI Act

Designed For

AI transparency and disclosure built in. Limited-risk classification. Not independently audited.

Since: 2025

CCPA / CPRA

Designed For

Platform supports CCPA/CPRA rights (access, deletion, no data sale). Not independently audited.

Since: 2024

PCI DSS

Via Stripe

Payment processing handled entirely by Stripe (PCI DSS Level 1 certified). Aditya Labs does not store card data.

Since: N/A

SOC 2 Type II

Not Certified

Aditya Labs is not independently SOC 2 certified. This remains a roadmap item under evaluation.

Since: N/A

ISO 27001

Planned

Information security management system — roadmap item, not currently certified

Since: Roadmap

HIPAA

Not Certified

Platform is not HIPAA certified and we do not sign BAAs. Our dental product avoids storing PHI.

Since: N/A

ISO 42001

Planned

AI management system — roadmap item aligned with EU AI Act principles

Since: Roadmap

Security Practices

Data Encryption

✓AES-256 encryption at rest via Supabase (AWS)
✓TLS 1.3 for all data in transit via Vercel
✓Database-level encryption managed by Supabase
✓Automated backups via Supabase

Access Control

✓Role-based access control (RBAC) for dashboard users
✓Google OAuth authentication via Supabase Auth
✓API key management
✓Session management via Supabase Auth and application-level controls

Infrastructure

✓Hosted on Vercel Edge Network (AWS-backed)
✓Supabase PostgreSQL with Row Level Security
✓Network-layer protection via Vercel-managed infrastructure
✓Infrastructure availability depends on Vercel and Supabase service levels

AI Safety

✓Built-in PII Firewall — detects and redacts 13+ sensitive data patterns
✓Data Loss Prevention (DLP) engine for real-time scanning
✓AI disclosure in all chatbot conversations (EU AI Act transparency)
✓Knowledge-base-grounded responses to reduce hallucination
✓Jailbreak and prompt injection detection

Monitoring & Incident Response

✓Automated infrastructure monitoring via Vercel and Supabase
✓Audit logs for data access and modifications
✓Incident response procedures designed to support applicable notification timelines
✓Documented escalation and review procedures

Data Privacy

✓Data hosted in US (Supabase/AWS). EU residency planned.
✓Right to deletion / data portability supported
✓Data processing agreements (DPA) available on request
✓Aditya Labs does not use customer content to train models operated by Aditya Labs
✓90-day chat data retention with auto-purge

Operational Safeguards

We avoid vague promises like “self-healing” on their own. Instead, we document the concrete safeguards we aim to implement and maintain.

✓Automatic retries for transient failures

✓Health checks and heartbeat monitoring

✓Idempotent command handling where feasible

✓Audit logs for runs, approvals, and changes

✓Manual approval gates for sensitive actions

✓Rollback or safe requeue paths where feasible

✓Safe defaults and least-privilege access

✓Alerting on drift, failures, or degraded service

✓Staged rollout for high-risk changes

✓Human confirmation for sensitive actions

Certification Roadmap

We share roadmap direction here, but we avoid publishing certification dates as guarantees.

Phase 1: Control Review

In ProgressCurrent

Reviewing existing controls, documentation, and operational gaps.

Phase 2: Readiness Work

PlannedRoadmap

Implementing additional controls and evidence collection where needed.

Phase 3: External Assessment

PlannedRoadmap

Engaging outside assurance support when the programme is ready.

Phase 4: Audit Window

PlannedRoadmap

Beginning a formal audit only after readiness work is complete.

Phase 5: Publication

PlannedAfter completion

Publishing status only when a report has actually been issued.

Sub-processors

Provider	Purpose	Location
Vercel	Application hosting and edge network	US / Global CDN
Supabase	Database, authentication, real-time subscriptions	US (AWS)
OpenAI	AI model provider for chatbot responses	US
Stripe	Payment processing and billing	US / EU
Resend	Transactional email delivery	US
Twilio	SMS and WhatsApp message delivery	US / Global
Meta (Facebook)	Instagram DM and Messenger APIs	US / EU
Telegram	Telegram Bot API	Global

Security Questions?

Our security team is happy to answer questions, provide documentation, or discuss your specific compliance requirements.

Contact Security Team Download DPA