We take the security of your data seriously. Here's how we protect your store, your customers, and your conversations.
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Your chat conversations, product data, and customer information are protected end-to-end.
All infrastructure is hosted in data centers within the European Union (Helsinki, Finland). Your data never leaves the EU, ensuring compliance with GDPR and EU data sovereignty laws.
Every API request must include a valid workspace API key. Keys are scoped per workspace and can be revoked instantly from your dashboard. We never log raw API keys.
Access to production systems is restricted to authorized personnel only, using multi-factor authentication. All access events are logged in an immutable audit trail for 90 days.
Our infrastructure is monitored 24/7 for anomalies, intrusion attempts, and performance degradation. Automated alerts notify our on-call team within 60 seconds of any incident.
We conduct quarterly penetration tests through independent security firms. Vulnerability findings are triaged within 48 hours and remediated based on severity.
Every service, user, and integration operates with the minimum permissions necessary. Your chat data is scoped to your workspace only — no cross-tenant data access is possible.
We are actively working toward SOC 2 Type II certification. Our security controls, policies, and procedures are aligned with AICPA Trust Services Criteria.
Your data is stored in PostgreSQL and MySQL databases hosted in Helsinki, Finland (EU). Chat messages, product information, and user accounts are all hosted within the European Union. Backups are encrypted and stored in a separate EU region.
When you delete your account or a specific resource (conversations, products, documents), the data is permanently removed from our active databases within 24 hours. Encrypted backups are retained for 30 days for disaster recovery and then permanently deleted.
No. Your chat conversations and knowledge base documents are scoped exclusively to your workspace. They are never used to train shared models or shared with other CircuCity AI customers. When we use third-party AI providers, we use API endpoints with data processing agreements that prohibit training on customer data.
We do not store any payment card information. All payments are processed through Stripe, a PCI DSS Level 1 certified payment processor. We only store a reference to your Stripe customer ID and subscription status.
We maintain a documented incident response plan. In the event of a security breach, affected customers are notified within 72 hours of confirmed impact. We provide a post-incident report detailing root cause analysis and remediation steps.
If you've discovered a security vulnerability, please report it responsibly. We take all reports seriously and respond promptly.
Please do not publicly disclose vulnerabilities before we've had a chance to address them. We aim to acknowledge reports within 24 hours and provide a timeline for resolution.
For general security inquiries, contact security@circucity.se