Security & Compliance
Last updated: June 26, 2026
1. Infrastructure & Hosting
CBlindspot.ai is hosted on enterprise-grade cloud infrastructure:
- Application hosting: Vercel — global edge network with automatic SSL/TLS termination.
- Database: MongoDB Atlas — fully managed, encrypted, with automatic backups and point-in-time recovery.
- Cloud infrastructure: AWS — leveraging SOC 2, ISO 27001, and FedRAMP-certified data centers.
- CDN & DDoS protection: Cloudflare enterprise-grade protection and caching.
2. Data Protection
- Encryption at rest: All data is encrypted using AES-256 encryption.
- Encryption in transit: All communications are secured with TLS 1.3.
- Data isolation: Each organization's data is logically isolated with strict access controls.
- No AI training on your data: We never use your workflow data, stack configurations, or decisions to train AI models. Your data is yours.
- Backup & recovery: Automated daily backups with geo-redundant storage and tested recovery procedures.
3. Authentication & Access Control
- Authentication: Email/password, social login (Microsoft, Google), passkeys, and two-factor authentication today; enterprise SAML 2.0 / OIDC single sign-on in development.
- Two-Factor Authentication (2FA): TOTP-based 2FA available for all accounts.
- Role-Based Access Control (RBAC): Granular permissions with admin, editor, and viewer roles.
- Session management: Configurable session timeouts, concurrent session limits, and device tracking.
- API security: API keys with scoped permissions and automatic rotation capabilities.
4. AI & LLM Usage
CBlindspot uses AI to power features like IRIS (our AI advisory layer) and workflow recommendations:
- Model provider: Claude by Anthropic — chosen for its safety-first architecture and enterprise data handling policies.
- Session-scoped processing: All AI interactions are session-scoped. Data is processed in real-time and not persisted by the model provider.
- No model training: Your prompts, responses, and data are never used to train or fine-tune any AI models.
- Transparency: AI-generated recommendations are clearly labeled. Every recommendation includes the data sources and reasoning used.
- Human-in-the-loop: Critical decisions always require human approval. AI provides recommendations, not automated actions.
5. Compliance
- GDPR: Full compliance with the EU General Data Protection Regulation. Data Processing Agreements (DPA) available upon request.
- SOC 2: Security controls implemented (security, availability, and confidentiality principles); a formal Type II audit/report is not yet pursued.
- Data residency: EU data residency available for European customers. Data processing within EEA boundaries.
6. Audit Trail
Every action on the CBlindspot platform is logged with immutable timestamps:
- Decision logging: Every comparison, scoring change, and vendor decision is recorded with user attribution.
- Workflow history: Complete execution history for all automated workflows including inputs, outputs, and error states.
- Access logs: Login events, data exports, and permission changes are tracked and available for review.
- Immutable records: Audit logs cannot be modified or deleted, ensuring compliance with regulatory requirements.
- Export capability: Audit logs can be exported in CSV and JSON formats for external compliance tools.
7. Incident Response
We maintain a documented incident response plan that includes:
- 24-hour notification to affected customers for confirmed data breaches.
- 72-hour notification to relevant supervisory authorities as required by GDPR.
- Post-incident review and remediation reports shared with affected parties.
8. Contact
For security inquiries or to report a vulnerability:
- Security team: security@cblindspot.ai
- Legal & DPA requests: legal@cblindspot.ai
- Data Protection Officer: dpo@cblindspot.ai
