DATA PRACTICES
How we handle your data.
Plain-language summary of what we do with customer data, who we share it with, and what you can ask us for. We're an early-stage company — no formal certifications yet — so this page commits only to things we actually do today.
A NOTE ON CERTIFICATIONS
We don't yet hold SOC 2, HIPAA, or ISO 27001.
Formal certifications are expensive and time-consuming, and we'd rather be transparent about that than slap aspirational badges on this page. What we do offer is documented practices, named sub-processors, a real DPA, and direct lines to a small team that takes data handling seriously.
If you need a vendor with SOC 2 Type II or a signed BAA on day one, we're honest that we're not the right fit yet — talk to us about your timeline and we'll tell you what we can commit to.
PRACTICES
What we actually do.
Encryption
TLS 1.3 in transit. AES-256 at rest. Database-level field encryption for credentials and PII.
Access control
Role-based per workspace. Audit log captures every mutation. MFA available on all paid plans.
Zero-retention AI
Customer content sent to vendor LLMs under zero-retention API terms. We never use your content to train general models.
GDPR-aligned
Sub-processors named. DPA available on request. Standard Contractual Clauses for EEA / UK transfers.
Data residency
Default US. EU on request (Business+). Custom region available on Enterprise.
Backups
Daily, encrypted, rolling 30 days. Restoration tested periodically.
SUB-PROCESSORS
Who we share data with, and why.
We commit to 30 days' notice via email before adding any new sub-processor that handles customer content. Subscribe to changes at security@dendritesai.com.
| Provider | Purpose | Location |
|---|---|---|
| OpenAI | LLM inference (GPT-4o, GPT-4.1, embeddings) | US · zero-retention API terms |
| Anthropic | LLM inference (Claude Haiku, Sonnet) | US · zero-retention API terms |
| | LLM inference (Gemini, Whisper) | US/EU · zero-retention API terms |
| Groq | Low-latency LLM and Whisper inference | US |
| AWS | Hosting · object storage · regional residency | US default · EU on request · custom region on Enterprise |
| Cloudflare | CDN, DNS, edge, marketing-site hosting | Global |
| Stripe | Payments processing | US · global |
| Twilio | Phone and SMS (when used by voice features) | US |
| Microsoft | Azure AD · Microsoft Graph (SSO) | Customer-region |
| HubSpot | CRM, marketing automation | US/EU |
DATA HANDLING
Retention, deletion, export.
- Customer content: Deleted on request or within 30 days after account closure. Customer can export at any time via the portal.
- Account data: Retained for the life of your account, plus 7 years for tax and audit purposes.
- Server logs: 90 days, then automatically purged. Used only for service operation and security investigations.
- Backups: Rolling 30 days, encrypted at rest. Restoration tested periodically.
- AI training data: We do not use your content to train general-purpose AI models. Vendor LLMs operate under zero-retention API terms.
DOCUMENTS YOU CAN REQUEST
What we can send your procurement team.
Data Processing Agreement (DPA)
GDPR-aligned template covering you as the data controller and us as the processor. Signable.
Sub-processor list (this page)
Already public above. We commit to 30 days' notice before adding new ones.
Privacy Policy
Lives at /legal/privacy. Covers what we collect, why, and your data-subject rights.
Acceptable Use Policy
Lives at /legal/acceptable-use. Covers permitted and prohibited uses.
To request a DPA or other document, email security@dendritesai.com.
INCIDENT RESPONSE
What we commit to if things go wrong.
If an incident affects customer data, we notify affected customers as quickly as we can — generally within 72 hours of confirmation, in line with GDPR Article 33 expectations.
Notifications come from security@dendritesai.com and include what happened, what data was involved, what we're doing about it, and what (if anything) you need to do.
REPORTING ISSUES
Found a security issue? Tell us.
Report any suspected vulnerability to security@dendritesai.com.
We read every report. We work with reporters in good faith and credit them when they want it. We don't yet have a formal bug-bounty program, but we acknowledge serious findings and prioritize fixes.
Need our DPA or have a security question?
We respond within one business day. Procurement-friendly: we'll pre-fill standard security questionnaire fields where the answer is "yes" or "n/a" so your review goes faster.