Security and compliance,
built in — not bolted on.
Know your customer is the floor we build on. We verify who you are, keep your data isolated to you, mask personal information before it ever reaches the model, and gate every door behind permission. Trust isn't a badge at the bottom of the page — it's the foundation this page documents.
Certifications & Compliance
UK GDPR Compliant
Autara Ltd is registered with the Information Commissioner's Office under the Data Protection Act 2018. ICO Registration: ZC108838. Registration expires March 2027.
PCI DSS — via Stripe
Payment card data is never processed or stored on Autara infrastructure. All billing is handled exclusively by Stripe, a certified PCI DSS Level 1 service provider.
Cyber Essentials Plus
Autara is actively pursuing Cyber Essentials Plus certification under the NCSC/IASME scheme — the UK government's standard for cyber security baseline controls.
ISO 27001 Aligned
Our security controls, access management, and incident response procedures are aligned to ISO 27001:2022 principles. Formal certification is on our roadmap.
Data Protection
EU Data Residency
Customer data at rest is stored and processed within the European Union. Database: Supabase EU (Ireland). Workflow compute: Hetzner EU (Germany). Where a sub-processor listed below processes data outside the EU/UK (for example, AI inference via OpenRouter or document parsing via LlamaParse, both in the US), that transfer is covered by explicit contractual controls; no data leaves the EU/UK without them.
No AI Training Data Use
Customer conversation messages, contact data, and business content are never used to train AI models. Our AI provider contracts (via OpenRouter) explicitly prohibit use of customer data for model training or improvement.
ICO Registered
Autara Ltd — ICO Registration ZC108838, Data Protection Act 2018. Expires March 2027.
Data Processing Agreement
A Data Processing Agreement (DPA) is available on request for customers who require formal Article 28 documentation. Email: legal@autara.co
GDPR Breach Notification
In the event of a personal data breach, Autara will notify the ICO within 72 hours of becoming aware, and affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.
Data Subject Access Requests
Submit a DSAR via the privacy request form at autara.co/privacy-request. We respond within the statutory window of one calendar month from receipt (UK GDPR Article 12(3)).
Infrastructure Security
Cloudflare Edge Protection
All traffic is routed through Cloudflare's global edge network — Web Application Firewall (WAF), DDoS mitigation, SSL/TLS enforcement, and IP-level rate limiting before traffic reaches Autara servers.
Row-Level Security
Every row of customer data carries a tenant identifier, and PostgreSQL Row-Level Security policies restrict every query to the caller's tenant at the database layer. Cross-tenant data access is prevented by the database itself, not only by access checks in application code.
Three-Tier Secrets Management
Production secrets (database keys, service credentials) are never accessible to team members. They are held only in isolated runtime stores (Supabase Vault, n8n's encrypted credential store); there is no human access path to them in production.
CI Secret Scanning
Every commit across all Autara repositories is scanned for exposed credentials using gitleaks. Any secret found in committed code is a P0 all-stop violation: work halts until the secret is rotated and the leak is remediated. Rotation comes first, because a secret that has reached a repository is treated as compromised even if the commit is later rewritten out of history.
Application Security
PII Redaction Before AI
All inbound conversation messages pass through a Presidio-powered PII redaction pipeline before reaching the AI layer. Names, phone numbers, email addresses, and financial data are redacted at ingress, so AI models never see raw personal data.
Dependency Vulnerability Scanning
All npm dependencies are scanned for known vulnerabilities in CI. Critical and high-severity findings block deployment.
Zero-Tolerance Secrets Policy
Hardcoded credentials are a P0 governance violation. No production credential may appear in source code, configuration files, or AI agent conversation context.
Tenant Isolation at Database Layer
Tenant data isolation is enforced at the PostgreSQL RLS layer, not the application layer. A bug in the application cannot expose one tenant's data to another, provided the application queries the database as a role that is subject to RLS; a superuser or a role with BYPASSRLS (such as a Supabase service-role connection) skips the policies, so those credentials stay out of request-handling code paths.
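The isolation described above, and in the Row-Level Security item under Infrastructure Security, as an added example. This is illustrative code, not Autara's schema or policies: it assumes a hypothetical `contacts` table with a `tenant_id` column and a Supabase-style JWT whose `app_metadata` carries a `tenant_id` claim, read via Supabase's `auth.jwt()` function.

```sql
-- Added example, not Autara's schema. Assumes a hypothetical "contacts"
-- table and a Supabase-style JWT with app_metadata.tenant_id.

create table if not exists contacts (
  id         bigint generated always as identity primary key,
  tenant_id  uuid not null,
  full_name  text not null,
  email      text
);

-- Without ENABLE, no policy is applied at all. Without FORCE, the table
-- owner still sees every row even after policies exist.
alter table contacts enable row level security;
alter table contacts force row level security;

-- Resolve the caller's tenant once, from the verified JWT.
-- A NULL result (no claim, anonymous caller) makes the policy below
-- evaluate to false for every row, so nothing is returned or written.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- USING governs which existing rows the caller may see, update or delete;
-- WITH CHECK governs what an inserted or updated row may contain. Both
-- clauses matter: an application bug that forgets to set tenant_id, or
-- sets another tenant's id, is rejected by WITH CHECK rather than
-- silently writing into the wrong tenant.
create policy contacts_tenant_isolation on contacts
  for all to authenticated
  using      (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

-- Verification, run as an authenticated user: this must return 0 rows,
-- because the policy filters out every row that is not the caller's.
select id, full_name
from contacts
where tenant_id <> current_tenant_id();
```

The policy is scoped to the `authenticated` role deliberately. A connection made with the Supabase service-role key, or as a superuser, bypasses RLS entirely, so the database-level guarantee only holds for code paths that query as the end user; keep bypass credentials confined to trusted back-office jobs.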
Powered by Stripe — PCI DSS Level 1
Autara does not process, store, or transmit payment card data. All billing operations are handled by Stripe, which maintains PCI DSS Level 1 certification — the highest level of payment security compliance. Autara never sees your raw card details.
Sub-processors
The following third-party services process data on behalf of Autara and its customers.
| Processor | Purpose | Data category | Region |
|---|---|---|---|
| Cloudflare | Edge network, WAF, DDoS, SSL | HTTP request and response content (TLS terminates at the edge so the WAF can inspect it), IP addresses | Global (EU edge priority) |
| Hetzner | Cloud compute — workflow orchestration | Workflow execution metadata | EU — Germany |
| LlamaParse | Document ingestion & parsing | Customer document content | US |
| OpenRouter* | AI inference routing | Conversation content (Presidio PII-redacted before dispatch) | US |
| PostHog | Product analytics | Usage events, session metadata | EU |
| Resend | Transactional email delivery | Email content, recipient addresses | US |
| SignWell | E-signature & contract execution | Contract-signatory PII (names, emails, signatures) | US |
| Stripe | Billing & payment processing | Billing contact data only | US / EU (PCI DSS L1) |
| Supabase | Database & authentication | Business data, user accounts, conversation history | EU — Ireland |
| Twilio | SMS & WhatsApp messaging | Message content, phone numbers | EU |
| Vercel | Application hosting | HTTP requests, IP addresses | Global (EU edge) |
Last updated: June 2026. We notify customers of material sub-processor changes.
* OpenRouter routes to AI model providers including Anthropic, OpenAI, and Google. These are sub-processors of OpenRouter, not Autara. See trust.openrouter.ai for OpenRouter's current sub-processor list.
Incident Response
P0 All-Stop Protocol
Any confirmed security incident triggers an immediate all-stop response. All non-critical work halts. A dedicated incident record is opened, root cause is investigated, and a post-incident review is published internally.
GDPR Breach Notification SLA
Personal data breaches are notified to the ICO within 72 hours of Autara becoming aware (GDPR Article 33). Affected individuals are notified without undue delay where required (Article 34).
Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. Contact us at security@autara.co before public disclosure. We acknowledge within 48 hours and provide regular updates.
Legal Documents
Data Processing Agreement (DPA) available on request. Email legal@autara.co with your company name and intended use.