Security & Compliance · Whitepaper

Maxfound AI · Security & Compliance

Maxfound AI brings enterprise-grade B2B SaaS security practices to every line of code.

Data protection / access control / audit / GDPR / LLM data handling · 11 chapters · a one-stop answer for enterprise due diligence.

v2.0 · Updated: · Next review: quarterly

HTTPS-only: Full-stack TLS 1.3 · HSTS preload
SOC 2 ready: Vercel/Neon certified · self-audit 2026 Q4
GDPR compatible: Transfer / deletion / export fully supported
Data encryption: AES-256 at rest · TLS 1.3 in transit

Chapter 02 · Data Protection

Data Protection

In transit / at rest / backups / cross-border / tenant isolation / destruction — six layers of defense, each with verifiable implementation details.

In transit

Full-stack TLS 1.3 · HSTS preload · HTTPS-only · automatic 301 upgrade from HTTP · mTLS between internal services · no plaintext on API ports.

At rest

Neon Postgres encryption at rest (AES-256, AWS KMS–managed keys) · sensitive customer fields (OAuth refresh tokens, API key hashes) are double-encrypted · secrets in Vercel env use envelope encryption.

Backups

Automated daily snapshots · 7-day retention on Standard · 30 days on Pro · 90 days plus cross-AZ redundancy on Enterprise · quarterly restore drills.

Cross-border

Customer data is processed entirely within the chosen region. Any cross-border transfer to AI answer engines is handled under GDPR Article 49 (explicit consent / contractual necessity), and no customer PII is transferred to third countries.

Tenant isolation

Dedicated Postgres schema per customer · row-level security (RLS) enforced · every application query is filtered by organization_id · physical isolation options in Chapter 10, Self-Hosting.

Destruction

Primary tables are hard-deleted within 30 days of contract termination · backups roll off (up to 90 days) · a written Certificate of Data Destruction is provided · customers can restore with one click during the soft-delete window.

Chapter 03 · Access Control

Access Control

Authentication / MFA / API keys / roles / sessions / SSO — layered defense on the principle of least privilege.

User authentication

Magic links (one-time email links), SMS OTP (Twilio), and OAuth providers (Google / GitHub / Microsoft / Apple). Passwordless by default to reduce credential-stuffing risk.

Roadmap

Multi-factor authentication (MFA)

TOTP (Google Authenticator / 1Password / Microsoft Authenticator) plus WebAuthn hardware keys · on the roadmap for 2026 Q3 · Enterprise plans can enforce it org-wide.

API key management

Format maxfound_<24-byte hex> (48 chars) · shown in plaintext only once at creation · stored as a SHA-256 hash · global rate limit of 30 requests/min/key · per-key revocation and scopes (read / write / admin).
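
The key lifecycle described above (random key, shown once, only a SHA-256 hash stored, per-key scopes and revocation), as an added example that is not Maxfound AI's own code. The function names, the in-memory Map standing in for the database, and exact-match scope checks are assumptions.

```javascript
// Added illustration, not Maxfound AI's code. Function names, the in-memory
// Map store and exact-match scope checks are assumptions.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

const PREFIX = "maxfound_";
// 24 random bytes rendered as lowercase hex = 48 characters after the prefix.
const KEY_RE = /^maxfound_[0-9a-f]{48}$/;

// Only this digest is persisted. A fast unsalted hash is acceptable here
// because the input is 192 bits of CSPRNG output, not a human-chosen password.
function hashKey(plaintext) {
  return createHash("sha256").update(plaintext, "utf8").digest("hex");
}

// Returns the plaintext (to display once) and the record to store.
function issueKey(scopes) {
  const plaintext = PREFIX + randomBytes(24).toString("hex");
  const record = { hash: hashKey(plaintext), scopes: [...scopes], revoked: false };
  return { plaintext, record };
}

// store: Map<hash, record>. Returns the record, or null on any failure.
function verifyKey(presented, store, requiredScope) {
  // Reject malformed input before hashing or touching the store.
  if (typeof presented !== "string" || !KEY_RE.test(presented)) return null;
  const digest = hashKey(presented);
  const record = store.get(digest);
  if (!record) return null;
  // Re-compare in constant time in case the store lookup is not exact-match
  // (for example a prefix index); both buffers are 32 bytes.
  const same = timingSafeEqual(Buffer.from(digest, "hex"), Buffer.from(record.hash, "hex"));
  if (!same || record.revoked) return null;
  return record.scopes.includes(requiredScope) ? record : null;
}

// Constructed demo: issue a read-only key, then exercise the checks.
function demo() {
  const { plaintext, record } = issueKey(["read"]);
  const store = new Map([[record.hash, record]]);
  const results = {
    read: verifyKey(plaintext, store, "read") !== null,
    admin: verifyKey(plaintext, store, "admin") !== null,
    malformed: verifyKey(plaintext.toUpperCase(), store, "read") !== null,
  };
  record.revoked = true; // per-key revocation
  results.afterRevoke = verifyKey(plaintext, store, "read") !== null;
  return results;
}

console.log(demo());
```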

Roles & permissions

Four roles: Admin (full access) / Editor (read-write) / Viewer (read-only) / Sub-brand member (Growth plan and above, scoped to specific brand resources) · granular resource-level ACLs.

Session security

HMAC-SHA256–signed cookies · 30-day TTL · httpOnly · Secure · sameSite=lax · double-submit CSRF tokens · step-up verification on anomalous IP / user-agent changes.
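
An added example, not Maxfound AI's own code, of issuing and checking an HMAC-SHA256-signed session cookie with the attributes and 30-day TTL listed above. The cookie name, the "<payload>.<tag>" layout and the JSON claims are assumptions; CSRF tokens and step-up verification are out of scope here.

```javascript
// Added illustration, not Maxfound AI's code. The cookie name, the
// "<payload>.<tag>" layout and the JSON claims are assumptions.
const { createHmac, timingSafeEqual } = require("node:crypto");

const TTL_SECONDS = 30 * 24 * 60 * 60; // 30-day TTL

function tagFor(secret, payload) {
  return createHmac("sha256", secret).update(payload).digest("base64url");
}

// Build the signed cookie value for a session id.
function signSession(sessionId, secret, nowMs = Date.now()) {
  const claims = { sid: sessionId, exp: Math.floor(nowMs / 1000) + TTL_SECONDS };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payload}.${tagFor(secret, payload)}`;
}

// Attributes listed on the page: httpOnly, Secure, sameSite=lax, 30-day TTL.
function setCookieHeader(value) {
  return `session=${value}; Max-Age=${TTL_SECONDS}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Returns the claims, or null if the value is malformed, forged or expired.
function verifySession(value, secret, nowMs = Date.now()) {
  if (typeof value !== "string") return null;
  const parts = value.split(".");
  if (parts.length !== 2) return null;
  const [payload, tag] = parts;
  // Verify the MAC before parsing anything the client controls.
  const expected = Buffer.from(tagFor(secret, payload));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  // Enforce expiry server-side; Max-Age is only a hint to the browser.
  if (!claims || typeof claims.exp !== "number" || claims.exp * 1000 <= nowMs) return null;
  return claims;
}
```

The expiry lives inside the signed payload, so a client that keeps or replays the cookie past 30 days is still rejected by `verifySession`.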

Roadmap

Enterprise SSO (SAML / OIDC)

SAML 2.0 + OIDC · supports Okta / Auth0 / Azure AD identity providers · automatic SCIM provisioning · Enterprise plan only.

Chapter 04 · Audit Log

Audit Log

Every create / update / revoke action is logged in full · customers can pull their own audit data on demand.

audit_log table fields

Field | Type | Description
actor_id | uuid | User or API key that initiated the action
actor_type | enum | user / api_key / system / admin
target_type | string | Resource type acted on (brand / prompt / report / …)
target_id | string | Unique identifier of the resource acted on
action | string | Action verb: create / update / delete / revoke / export
metadata | jsonb | Action context (before/after diff, reason, linked trace)
ip | inet | Client IP · dual-stack IPv4/IPv6
user_agent | text | Full client user-agent string
request_id | uuid | Links Vercel Edge logs to backend traces end to end
timestamp | timestamptz | Event time in UTC · millisecond precision

Retention

Tiered by plan

  • Standard: 1 year hot storage
  • Pro: 2 years hot storage + 3 years cold archive
  • Enterprise: 5 years full retention · customizable
Self-Serve

Call it anytime

GET /api/audit-log
   ?from=2026-01-01
   &to=2026-05-14
   &action=delete

Authorization: Bearer maxfound_xxx

Returns JSON / CSV · scoped to your account's organization only · filter by time window, action, and actor.

Chapter 05 · Vulnerability Response

Vulnerability Response

Responsible disclosure · three-tier response SLAs · bug bounty on the roadmap.

Disclosure Channel

security@maxfound.ai

We commit to not pursuing legal action against good-faith security researchers. Please give us a reasonable 90-day remediation window via this address before any public disclosure.

Send a vulnerability report

PGP / GPG encryption: PGP key TBD · we recommend encrypting sensitive vulnerability details · the public key will be published to keys.openpgp.org and this page in 2026 Q2.

Please include: Affected URL / API endpoint · PoC reproduction steps (screenshots or a minimal curl) · your suggested severity · how you'd like to be credited

Response SLA · three severity tiers

Critical

Response: Acknowledged within 24 hours · Fix: Hotfix within 72 hours + public incident report

Examples: RCE / unauthorized access to other tenants' data / authentication bypass / large-scale data exposure

Medium

Response: Acknowledged within 3 business days · Fix: Fixed and disclosed within 7 business days

Examples: Stored XSS / CSRF / limited-scope unauthorized writes / low-sensitivity key exposure

Low

Response: Acknowledged within 10 business days · Fix: Fixed within 30 business days

Examples: Information disclosure (e.g. version numbers) / reflected XSS on non-sensitive pages / configuration best-practice gaps

Bug Bounty Program: A public bounty program is on the 2026 Q4 roadmap. For now, every researcher who submits a valid vulnerability receives written acknowledgment, a Hall of Fame listing, and Maxfound AI swag (T-shirt / stickers / internal annual report). Significant findings also earn a one-time cash recognition (tiered by Critical / Medium / Low).
Chapter 06 · LLM Data Handling

LLM Data Handling

Our #1 most-asked question: “You call so many LLMs — will my data be used for training?” The answer is no, and it's enforced by contract.

Customer data is never used for training

A customer's brand fact-claims, private prompts, and internal knowledge-base content are never used to train any LLM. Our contracts with upstream LLM providers explicitly prohibit this use.

Default prompts contain no customer PII

Our standard scan prompts combine brand terms, category terms, and generic benchmark questions — they contain no employee names, customer emails, or internal addresses unless a customer deliberately pastes them into the dashboard.

DPAs cover every upstream LLM provider

Every upstream provider (OpenAI, Google, Anthropic, Perplexity) operates under signed terms whose contractual language confirms customer inputs are not used to train their models.

All LLMs run in paid API mode

ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), and Perplexity all run via paid API mode. Per each provider's policy, API data is not used for training by default (OpenAI's policy retains logs for 30 days, then deletes them).

Prompt packs are isolated per customer

LLM scans run with a customer-specific prompt pack · never mixed with another customer's prompts or context · each call is an isolated session · no cross-customer memory · no LLM-side fine-tuning.

Customer Content is never used for any training

Everything a customer uploads or generates on our platform (custom prompts, brand fact libraries, monitoring targets, case studies) is never used as training material by any LLM, nor by any model-training pipeline of our own.

Bottom line: Customer Content is never used to train any LLM, never used to train our own models, and never appears in any publicly released dataset. On contract termination we are obligated to destroy the data and provide written proof.
Chapter 07 · Subprocessors

Subprocessors

Complete subprocessor list · GDPR Article 28 compliant · any addition or change is emailed to Enterprise customers 30 days in advance.

Service | Purpose | Data transferred | Location | DPA | Certification
Neon Postgres | Primary database | User metadata / scan results / audit logs | us-east-1 (multi-AZ) | Signed | SOC 2 Type II
Resend | Transactional email delivery | Recipient email + message content | us-east-1 | Signed | SOC 2 Type II
Stripe | Payment processing | Card numbers (PCI-isolated · tokenized) / billing address | Global (by customer region) | Signed | PCI DSS Level 1
Cloudflare | CDN + DDoS protection + DNS | HTTP traffic metadata + cached content | Global edge network | Signed | SOC 2 Type II / ISO 27001
Vercel | Next.js deployment platform | Server runtime logs / build artifacts | iad1 (primary) + global Edge | Signed | SOC 2 Type II

Upstream LLM providers

ChatGPT (OpenAI) / Gemini (Google) / Claude (Anthropic) / Perplexity · all under signed API terms of service · operated strictly per each provider's enterprise / API data policy.

Change notification

Whenever a subprocessor is added or changed, we notify Enterprise customers 30 days before it takes effect via email and a dashboard banner · customers have a 14-day objection window · if an objection is upheld, they may terminate early with a pro-rata refund.

Chapter 08 · Compliance Roadmap

Compliance Roadmap (honest, no hype)

We honestly separate Done / In progress / Planned · we never label roadmap items as done · and we never count an underlying platform's certification as our own.

Done

GDPR ready

Cross-border transfer / deletion / export / DPA / DPO contact — all supported

Done

HTTPS-only · full-stack TLS 1.3

Submitted to the HSTS preload list · mTLS between internal services

Done

Underlying platforms are SOC 2 Type II

Vercel / Neon / Cloudflare / Resend / Stripe are all certified (inherited)

Done

White-Hat Compliance Commitment v1.0

7 core commitments · 11 black-hat tactics rejected (signed · publicly archived)

Planned

SOC 2 Type I independent audit

Report issued by an independent auditor (Big Four–tier / Vanta partner)

Target: Kicking off 2026 Q4
Planned

ISO 27001 information security management system

ISMS framework being documented · certification audit planned

Target: Kicking off 2027
Related: White-Hat Compliance Commitment v1.0 has been issued · 11 black-hat tactics rejected · Read the full commitment · compliance progress is reviewed quarterly and this page is updated accordingly.
Chapter 09 · Data Subject Rights

Data Subject Rights (GDPR / CCPA)

Six data-subject rights · all available via self-serve channels · with a 24-hour human fallback.

Right | Channel | SLA
Right to access / be informed | GET /api/me + /api/audit-log (self-serve) | Real-time
Right to data portability (export) | Email export@maxfound.ai · or one-click export in the dashboard | Full ZIP (CSV + JSON) within 24 hours
Right to rectification | Edit directly in the dashboard · or email support@maxfound.ai | Real-time (self-serve) / 3 business days (assisted)
Right to erasure (right to be forgotten) | POST /api/account/delete · or email legal@ | Immediate soft delete + hard delete within 30 days
Right to restrict / object to processing | Dashboard settings · disable specific data uses | Takes effect in real time
Withdraw consent | Disable non-essential cookies anytime in the cookie banner | Real-time · core features unaffected

Data export: export@maxfound.ai · Full ZIP (CSV + JSON) within 24 hours
Deletion requests: legal@maxfound.ai · Immediate soft delete + hard delete within 30 days + certificate
General support: support@maxfound.ai · Ticket SLA · 1-hour first response on business days

Chapter 10 · Self-Hosting

Self-Hosting (Enterprise option)

For government, finance, defense, and large enterprises — we support private deployment, single-tenant, BYO LLM, and offline air-gapped setups.

Private deployment (Helm chart)

Kubernetes 1.27+ · Helm 3 chart · supports EKS / AKS / GKE / self-managed clusters · six-month security-patch channel · upgrade and rollback scripts ship with each release.

Single-tenant Neon instance

Dedicated Postgres compute + storage · self-managed backup cadence · choice of region (US / EU / APAC) · the customer holds the database root credentials.

Bring Your Own LLM Key

Customers fund their own LLM API keys (OpenAI / Google Gemini / Anthropic Claude / Perplexity) · we charge only a platform fee · customers retain full control over LLM usage and billing.

Air-gapped offline deployment

Fully offline environment · local LLM inference (vLLM / SGLang) in place of cloud APIs · suited to government, finance, defense, and large-enterprise intranets · requires a high-tier Enterprise custom contract.

Commercial note: Self-hosting is a high-tier Enterprise custom option · starting contract value on request · it includes initial deployment support, quarterly security patches, and a dedicated technical account manager (TAM). Email enterprise@maxfound.ai to discuss.
Chapter 11 · Contact

Contact

One place to reach us · Security / Legal / DPA / Bug bounty / Enterprise

Security reports

security@maxfound.ai

Vulnerability reports · security research collaboration · responsible disclosure · PGP key TBD (publishing 2026 Q2)

SLA: Critical 24h · Medium 3 business days · Low 10 business days
Legal

legal@maxfound.ai

Request a DPA · sign contract addenda · file data-subject rights requests · compliance questions · deletion requests

SLA: DPA PDF within 24h · deletion requests processed immediately
Enterprise

enterprise@maxfound.ai

Private deployment · single-tenant · BYO LLM key · offline air-gapped · dedicated TAM · custom SLA

SLA: sales team replies within 1 business day + schedules a technical architecture call
Bug Bounty

Public bounty not yet open

For now: written acknowledgment + Hall of Fame listing + swag + cash recognition for significant findings

Public bounty program: on the 2026 Q4 roadmap
Applicable entity: Maxfound AI · Maxfound AI Technology
Document version: v2.0
Updated:

Still have items on your due-diligence checklist?

Legal, procurement, and security teams at enterprise accounts usually have their own vendor questionnaire · send it straight to legal@maxfound.ai · we answer every item within 5 business days, and can schedule an architecture call for complex cases.