Security and privacy, built in from the start
Every architectural decision in SimpledAId was made with data protection in mind, not added as an afterthought. Here is what that means in practice.
Encryption in transit and at rest
All communication between your browser, the SimpledAId widget, and our servers travels over HTTPS/TLS. Data stored in our database is encrypted at rest. There is no path that moves your data in the clear.
Tenant isolation via row-level security
Every record in our database carries a tenant identifier. Reads are always filtered by that identifier and enforced at the database layer by Postgres row-level security (RLS). One customer's data cannot be accessed by another, even if an application-layer bug were present. Sensitive tables have the default database roles revoked; access requires service credentials.
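The pattern described above, sketched as an added example on stock PostgreSQL; this is not SimpledAId's schema or code. The table `chat_transcripts`, the role `app_service`, and the setting `app.tenant_id` are assumed names, and the script assumes it is run by a superuser or a member of `app_service`.

```sql
-- Added illustration; all object names are hypothetical.
CREATE TABLE chat_transcripts (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- Enforce RLS, including for the table owner (owners bypass it by default).
ALTER TABLE chat_transcripts ENABLE ROW LEVEL SECURITY;
ALTER TABLE chat_transcripts FORCE ROW LEVEL SECURITY;

-- Remove default grants; only the service role gets access.
-- (On Supabase the default API roles are anon and authenticated.)
CREATE ROLE app_service NOLOGIN;
REVOKE ALL ON chat_transcripts FROM PUBLIC;
GRANT SELECT, INSERT ON chat_transcripts TO app_service;

-- Rows are visible and writable only when tenant_id equals the
-- transaction-scoped setting. NULLIF makes a missing or empty setting
-- compare as NULL, so the policy fails closed and matches no rows.
CREATE POLICY tenant_isolation ON chat_transcripts
    FOR ALL TO app_service
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Constructed sample data: one row per tenant, each written in its own context.
BEGIN;
SET LOCAL ROLE app_service;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO chat_transcripts (tenant_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A message');
COMMIT;

BEGIN;
SET LOCAL ROLE app_service;
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO chat_transcripts (tenant_id, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'tenant B message');
-- No WHERE clause, standing in for an application bug that forgets the
-- tenant filter: the policy still limits the result to tenant B's row.
SELECT tenant_id, body FROM chat_transcripts;
-- Writing a row for another tenant violates WITH CHECK and is rejected.
INSERT INTO chat_transcripts (tenant_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'cross-tenant write');
ROLLBACK;
```

Superusers and roles with `BYPASSRLS` are exempt from these policies, so the isolation holds only for connections that use the restricted role.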
Least-privilege access and secrets management
Each internal service is granted only the permissions it needs, nothing more. Credentials and API keys are stored in a managed secrets store and injected at runtime. Keys are never hard-coded in source code or configuration files.
Certified infrastructure
SimpledAId runs on Supabase (hosted on AWS) and Cloudflare. Both hold SOC 2 Type II and ISO 27001 certifications. We are built to SOC 2 and ISO 27001-aligned practices on that certified infrastructure. SimpledAId itself is not yet independently SOC 2 certified; we will not claim otherwise.
Your data is never used to train AI
Customer account data and shopper chat transcripts are never used to train AI models, by us or anyone acting on our behalf. This is a firm operational policy, not just a contractual clause.
LLM provider data handling
We use LLM providers (OpenAI and Anthropic) under business API terms that explicitly prohibit training on customer data and apply limited or zero data retention on API inputs. We select and review providers against these criteria before use.
Logging, monitoring, and backups
We maintain structured application and access logs, automated alerting for abuse and anomalies, and regular database backups with tested restore procedures. Logs are retained for a defined period and access to them is restricted.
Breach notification
If a personal-data breach occurs that affects your data, we will notify you without undue delay with the information you need to meet your own obligations to regulators and affected individuals. We do not wait for you to ask.
Data protection and compliance
SimpledAId is built and operated by Simpled Tech Limited, a company registered in England and Wales. We handle personal data to GDPR-grade standards.
We operate in two distinct roles depending on context. When a shopper chats with the SimpledAId widget on a customer's store, that store is the data controller and we are the processor. We process chat data only on the store's instructions to provide the service. When you use SimpledAId as a customer, we are the controller for your account and billing data. The contractual framework for the processor relationship is set out in our Data Processing Addendum.
Full detail on what we collect, why, how long we keep it, and your rights is in our Privacy Policy. Our subprocessors list names every third-party service that touches personal data on our behalf.
Your responsibilities
The SimpledAId widget is designed for standard retail and e-commerce conversations. Please do not ask shoppers to submit, and do not configure the widget to collect, any of the following through the chat interface:
- Special-category personal data (health information, biometric data, data about religious beliefs, political opinions, and similar categories under UK/EU GDPR Article 9).
- Full payment-card numbers (PANs) or card security codes. Payment should always be handled by a dedicated, PCI DSS-compliant provider.
If you have specific compliance requirements, speak to us before deployment. We are happy to work through them with you.
Report a vulnerability
If you discover a security vulnerability in SimpledAId, please disclose it responsibly by emailing [email protected]. We will acknowledge your report promptly and keep you informed as we work to resolve it.