Security & Data Privacy

Our commitment to protecting your data and respecting your privacy.

Overview

At Alkimi AI, we are deeply committed to the security of our platform and the protection of your data. We understand that trust is paramount, especially for enterprise and educational institutions. This document outlines the comprehensive security measures and data privacy practices we have implemented to safeguard your information.

Data Security

We employ a multi-layered approach to data security, ensuring your information is protected at every stage.

  • Your Browser: HTTPS/TLS 1.2+ Encrypted
  • Cloudflare Edge Network: WAF, DDoS Protection; Secure Backend Connection
  • Google Cloud Platform (VPC): Secure Private Cloud Environment
    • Cloud Run: Backend Service (IAM & SSL)
    • Cloud SQL: PostgreSQL Database
  • Database Security Layers: Row-Level Security, AES-256 at Rest, Audit Logging, PII Anonymization

Data Encryption

  • In Transit: All data transmitted between your browser and our services is encrypted in transit using industry-standard TLS 1.2 or higher, enforced by our partners at Google Cloud and Cloudflare.
  • At Rest: All your data, including knowledge base content, agent configurations, and chat histories, is encrypted at rest using the built-in AES-256 encryption capabilities of our database provider, Google Cloud SQL.

Data Storage & Isolation

We utilize a multi-tenant architecture with strict logical data isolation. Your organization's data is segregated from other customers' data at the database level using PostgreSQL's Row-Level Security (RLS). This ensures that a given user, connected through a properly authenticated database connection, can only access the data that pertains to their organization.

Furthermore, we employ PII (Personally Identifiable Information) anonymization techniques within our database for sensitive data fields, providing an additional layer of privacy protection.

Network Security

Our infrastructure is hosted within a Google Cloud Virtual Private Cloud (VPC). We utilize carefully configured firewalls and network access control lists to block unauthorized access. Our databases are not exposed to the public internet and are accessible only by authenticated services within our secure environment.

Data Centers & Physical Security

Our services are hosted on Google Cloud Platform and Cloudflare, which maintain state-of-the-art data centers with robust physical security controls, including 24/7 monitoring, biometric access, and redundant power and cooling.

Monitoring & Logging

Our major cloud and database services are configured with comprehensive audit logging enabled. We log network traffic, administrative access, and database activity to provide a detailed audit trail for security monitoring and incident response.

Business Continuity & Disaster Recovery

We maintain a comprehensive backup and disaster recovery strategy to ensure business continuity. Our database is automatically backed up daily, with backups retained for 30 days. These backups are encrypted and stored in a separate region to ensure data durability even in the event of a catastrophic regional failure. We test our restoration procedures on an annual basis to ensure rapid recovery capabilities.

Application Security

Security is an integral part of our development process, from design to deployment.

1. Design & Planning

Threat Modeling & Security Requirements Analysis for all new features.

2. Development

Automated Code Scanning (SAST), Dependency Analysis (SCA) & Secure Coding Standards.

3. Testing & QA

Mandatory Peer Reviews, Security Unit Tests & Secrets Scanning in CI/CD pipeline.

4. Deployment

Continuous Monitoring, Automated Dependency Updates & Responsible Disclosure Program.

Secure Development (SSDLC)

We are committed to building secure software. Our development process includes automated code analysis and dependency scanning through GitHub Advanced Security to identify and remediate potential vulnerabilities early in the development lifecycle.

Vulnerability Management

We use continuous, automated vulnerability scanning to monitor our applications and infrastructure for emerging threats. We strive to address identified vulnerabilities promptly based on their severity and impact.

We are also working towards establishing an annual third-party penetration testing program to validate our security posture against sophisticated attacks.

API Security

Our API endpoints are protected by a robust security layer that includes strict authentication and rate limiting.

  • Authentication: Access is governed by user-scoped and role-scoped tokens, ensuring that API clients can only perform actions permitted by their specific permissions.
  • Rate Limiting: To prevent abuse and ensure availability, we enforce dynamic rate limits on all endpoints. Resource-intensive operations are further throttled based on organization credit availability.

Access Control

Access to data within the Alkimi platform is governed by a robust Role-Based Access Control (RBAC) system that employs a "defense-in-depth" strategy, using both the application middleware and the database to enforce permissions.

  • User Initiates Request
  • 1. Middleware RBAC Check: Validates session and ensures user has the correct role for the endpoint.
  • 2. Database RLS Enforcement: Policies filter data rows based on the secure session context.
  • Access Granted: Only if both checks pass.
  • Access Denied: If either check fails.

This layered approach ensures that even if a flaw were to exist in the application logic, the database's own security rules (Row-Level Security) would act as a final, authoritative backstop, preventing any unauthorized data access. The application middleware performs initial role-based checks and prepares a secure, context-aware database connection, but the database policies have the ultimate say on what data is visible. For a detailed breakdown of the default roles and their specific permissions, please see our Help & Guides.
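The database half of this layering can be sketched in PostgreSQL as follows. This is an added example, not Alkimi's own schema or code: the `conversations` table, the `app_backend` role and the `app.current_org_id` setting are hypothetical names, and the rows are constructed sample data.

```sql
-- Added example: table, role and setting names are hypothetical.
CREATE TABLE conversations (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    title  text NOT NULL
);

-- Constructed sample rows for two organizations.
INSERT INTO conversations (org_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Org A onboarding notes'),
    ('22222222-2222-2222-2222-222222222222', 'Org B budget review');

-- The backend uses an unprivileged role: superusers and roles with BYPASSRLS
-- skip policies entirely, and table owners skip them unless FORCE is set.
CREATE ROLE app_backend NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON conversations TO app_backend;
GRANT USAGE ON SEQUENCE conversations_id_seq TO app_backend;

ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted; WITH CHECK rejects
-- writes that would place a row in another organization.
-- current_setting(..., true) yields NULL when the setting was never set and ''
-- after a transaction-local value expires; NULLIF maps both to NULL, so the
-- predicate is not true and no row matches (fail closed).
CREATE POLICY org_isolation ON conversations
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

SET ROLE app_backend;

-- Per request, after the middleware role check has passed: bind the
-- organization from the validated session for this transaction only
-- (third argument true = local), so a pooled connection cannot carry
-- one tenant's context into the next request.
BEGIN;
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, title FROM conversations;
COMMIT;

-- Outside that transaction no organization is bound and the policy matches nothing.
SELECT count(*) FROM conversations;

RESET ROLE;
```

The policy is only as trustworthy as the code that sets `app.current_org_id`: the value must come from the validated session, never from request input, and the backend role must not be the table owner's bypass path or hold BYPASSRLS.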

Conversation Sharing

The platform provides features for users to share their conversations via secure, unguessable links. This form of access is also governed by strict controls:

  • User-Initiated: Sharing is always initiated by the user, who has full control over whether to make a conversation accessible to others.
  • Visibility Controls: Users can choose between two visibility levels for each shared link:
    • Organization: The link is only accessible to other authenticated members of the user's organization.
    • External: The link is accessible to anyone who has it.
  • PII Redaction: To further protect privacy and prevent accidental data exposure, the platform includes a PII (Personally Identifiable Information) detection and redaction feature, which is enabled by default on all shared chats.
  • Revocation of Access: Users retain full control and can revoke access to any shared conversation at any time by deleting the share link from their account settings.

Authentication

We support strong authentication measures, including Single Sign-On (SSO) with providers like Google and Microsoft, to ensure secure and convenient access to your account. For accounts using password-based authentication, we enforce password complexity requirements. We strongly recommend enabling Multi-Factor Authentication (MFA) with your SSO provider for the highest level of security. We are currently working on bringing native MFA support to non-SSO accounts.

Compliance Roadmap

We are committed to a continuous journey of security and compliance improvement.

Prep for Audit

Path to SOC 2 Audit

We are actively preparing for our independent SOC 2 audits. We have established our security baseline and are remediating remaining gaps.

  • Security Baseline Established
  • Control Mapping & Gap Remediation (In Progress)
  • Type 1 Audit Completion (Jan 2026)
  • Type 2 Audit Completion (Mar 2026)
Jan 2026

Path to GDPR Alignment

We operate in accordance with GDPR principles, acting as a Data Processor for our customers. We are actively refining our processes to ensure robust data protection.

  • Data Subject Rights (Access/Deletion)
  • Privacy-First Architecture
  • Control Mapping & Gap Remediation (In Progress)
Jan 2026

Path to FERPA Compliance

We are ensuring Alkimi AI can be used by higher education institutions in a fully FERPA-compliant manner, acting as a secure school official.

  • Data Custodianship Model
  • Control Mapping & Gap Remediation (In Progress)
  • FERPA Attestation (Jan 2026)

For Higher Education (FERPA)

Handling Student Data

When a higher education institution uses Alkimi AI, we understand that the institution acts as the custodian of student education records, while students (who are typically adults) retain their rights under FERPA. We act as a service provider and process data only on behalf of and at the direction of the institution.

  • Data Custodianship: The higher education institution acts as the custodian of student education records uploaded to the Alkimi platform, while students retain their FERPA rights to access, review, and control disclosure of their information. Our role is that of a data processor working under the institution's direction.
  • Limited Data Collection: We only collect the minimal personal information necessary to provide our service: user's email, first and last name, and an optional profile picture, all of which are managed by the user.
  • Data Use: We will not use student data for any purpose other than providing and improving our services as directed by the institution. We do not use student data for advertising or marketing. The only time PII is shared with a third party is when it is necessary for a model provider to process a request (e.g., to address a user by name in a response), and we maintain appropriate data processing agreements with those providers to protect this information.

Data Privacy

Privacy Policy

Our Privacy Policy provides detailed information about the data we collect, how we use it, and your rights regarding your data. We are committed to transparency and empowering you to control your information.

Minimal Data Collection

We operate on a "need-to-know" basis. We only collect and store the absolute minimum data required to provide our service effectively.

  • Identity: First & Last Name
  • Communication: Email Address
  • Profile (Optional): Profile Picture

All stored data is encrypted at rest and protected by strict access controls.

User-Submitted Data: While we minimize our own collection, we may store sensitive information if it is voluntarily provided by users within chats, knowledge base uploads, or other content areas. We recommend exercising caution and avoiding inputting highly sensitive PII unless necessary.

Data Retention & Deletion

You have control over your data. You can delete your knowledge collections, agents, and account at any time. Knowledge collections are permanently deleted immediately upon request. Other data (accounts, agents, and conversations) is marked for deletion and permanently purged from our systems within one year, or sooner at our discretion or upon request, in accordance with our data retention policy. Backups are retained for 30 days.

For conversations that do not need to be retained, we offer a Temporary Chat feature. Content from these chats is not persisted to long-term storage and is automatically purged from our systems within 72 hours, offering a higher level of privacy for sensitive discussions.

AI Model Security & Subprocessors

We partner with industry-leading AI model providers to power our platform. We understand the critical importance of protecting your intellectual property and data from being used to train third-party models.

  • No Training on Customer Data: We explicitly configure our integrations with model providers to opt out of data training. Your data is processed solely for the purpose of generating a response and is not used to improve their foundation models.
  • Subprocessors: We currently utilize the following providers for AI inference and billing. We maintain appropriate Data Processing Agreements (DPAs) with these partners.
    • OpenAI, Anthropic, xAI: Foundation model providers.
    • OpenRouter: Unified interface for accessing various open-source and proprietary models.
    • Stripe: PCI DSS Level 1 compliant payment processor for all billing operations.

Responsible Disclosure

If you believe you have discovered a security vulnerability in our platform, we encourage you to report it to us responsibly. Please email us at security@alkimi.ai or contact@alkimi.ai with the details. We are committed to working with the security community to address and resolve any potential issues.

Further Questions?

We understand that enterprise and educational customers may have detailed security and compliance questionnaires. If you have any further questions, please don't hesitate to reach out to our team.

Contact Us