Security
Last updated: February 22, 2026
GetDemand.ai is built with security at every layer. Your sales data, customer information, and business intelligence are protected by enterprise-grade security controls and privacy-first operating practices.
Encryption
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Encrypted database backups stored in geographically separate regions
Infrastructure
- Hosted on Vercel (provider publishes security attestations, including SOC reports)
- Database on Supabase (provider security controls plus row-level security support)
- All infrastructure runs on AWS with ISO 27001 certification
- Automatic failover and redundancy across availability zones
Access Control
- Role-based access control (RBAC) for team members
- Tenant-level data isolation — your data is never accessible to other accounts
- Session management with automatic timeout and single-session enforcement
- OAuth 2.0 and email/password authentication via Supabase Auth
Monitoring & Audit
- Real-time monitoring of platform health and security events
- Audit logs for account access and data changes
- Automated alerting for anomalous access patterns
- Regular dependency scanning for known vulnerabilities
Compliance
- SOC 2-aligned security practices and controls
- GDPR-ready privacy workflows and data processing terms support
- HIPAA-ready safeguards for protected health information use cases (see HIPAA page)
- Standard Contractual Clauses (SCCs) available/used where applicable for cross-border transfers
Incident Response
- Documented incident response plan with defined escalation procedures
- Target notification timelines based on applicable law and contract obligations (including GDPR timelines where applicable)
- Post-incident review and remediation for every security event
- Regular tabletop exercises to test response procedures
AI Data Processing
- AI agent processing uses OpenAI and Anthropic APIs with data processing agreements in place.
- Your data is not used to train third-party AI models. Both providers offer zero data retention for API usage.
- AI-generated content (emails, quotes, research) is stored in your account and is not shared across tenants.
Third-Party Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and CDN | United States |
| Supabase | Database, authentication, storage | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| OpenAI | AI agent processing | United States |
| Anthropic | AI agent processing | United States |
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly:
- Email: security@getdemand.ai
- Include a description of the vulnerability, steps to reproduce, and potential impact.
- We will acknowledge receipt within 48 hours and provide a remediation timeline.
- Please do not publicly disclose the vulnerability until we have addressed it.