// Security & Trust

Security & Trust at AIErudit

How we protect customer data: the controls we run, the vendors we use, and what is on our roadmap. Written for security reviewers, in plain language.

TLS 1.2+ · HSTS · EU hosting · GDPR-aligned · MFA & passkeys · Public status page

// Controls

What we run today.

These statements are intentionally conservative. They describe current platform controls and tracked production-readiness work without implying certifications we do not hold.

Data protection

  • Encrypted in transit with TLS and HSTS on production edge paths
  • Application data is encrypted at rest by the managed database and storage layers
  • MFA and passkeys are available for account protection
  • Card data never touches AIErudit servers; payments are handled by Stripe

Infrastructure

  • AWS eu-central-1 is the primary application and data region
  • Least-privilege IAM and AWS Secrets Manager hold production secrets
  • Database backups and restore drills are tracked as production-readiness work
  • CloudFront and nginx edge controls protect public delivery paths

Monitoring & response

  • Health checks cover app, API, sitemap, and security.txt delivery
  • Better Stack receives error and request metadata for monitoring
  • Incident response and status-page publication are tracked in Sprint 156
  • Vulnerability reports follow the public security.txt contact path

Privacy and GDPR

  • Export, delete, and anonymization workflows are built into account operations
  • Retention and subprocessor commitments are documented for B2B review
  • Analytics uses Mixpanel EU where enabled by consent and configuration
  • DPA review is available for Business and Enterprise procurement

// Subprocessors

Who touches the data.

Every third party that processes customer data, what they do for us, and where it lives.

Amazon Web Services

  • Location: EU primary: eu-central-1
  • Purpose: Hosting, database, storage, CDN origin infrastructure
  • Data: Application, account, course, and operational data

Stripe

  • Location: EU/US with transfer safeguards
  • Purpose: Checkout, billing, invoices, refunds
  • Data: Billing metadata and payment identifiers; card data stays with Stripe

Brevo

  • Location: EU
  • Purpose: Transactional and lifecycle email
  • Data: Email address, name, message metadata

Mixpanel EU

  • Location: EU
  • Purpose: Consent-aware product analytics
  • Data: Usage events, country or coarse region, device metadata

Better Stack

  • Location: EU where available
  • Purpose: Error monitoring and operational alerts
  • Data: Error, request, and service metadata

MaxMind

  • Location: Provider-operated service
  • Purpose: Server-side GeoIP resolution for consent and localization behavior
  • Data: IP-derived country or region metadata

Google, GitHub, Apple, Facebook

  • Location: Provider regions with transfer safeguards
  • Purpose: Optional OAuth sign-in providers
  • Data: Provider account identifiers and authentication metadata

Anthropic, OpenAI, Gemini

  • Location: Provider regions with transfer safeguards
  • Purpose: Optional AI sandbox and assistant model calls
  • Data: User-submitted prompts and selected context for active AI features

CloudFront / WAF or CDN layer

  • Location: Global edge, EU application origin
  • Purpose: Edge delivery and request protection
  • Data: Request metadata and public asset delivery logs

Last updated June 11, 2026

// Compliance & roadmap

Where we stand - honestly.

No badge wall. This is the current status of each framework, including the ones we have not reached yet.

GDPR

In place

Privacy policy, account data rights, subprocessors, retention work, and DPA review are tracked as public trust artifacts.

PCI DSS

In place

Stripe-hosted SAQ-A scope: card data is collected and processed entirely by Stripe, a PCI DSS Level 1 service provider. AIErudit never receives, transmits, or stores PAN cardholder data.

EU data residency

In place

Primary application systems and data storage are operated from AWS eu-central-1, with global edge services limited to delivery and request metadata.

SOC 2 Type II

In progress

Controls are being formalized against the Trust Services Criteria. No SOC 2 certification is claimed on this page.

ISO 27001

On roadmap

Formal ISO 27001 certification is under evaluation and sequenced after the SOC 2 control program.

// Documents

For your review packet.

Start with the public materials below. We can provide a countersigned DPA and questionnaire responses during procurement.

// Vulnerability disclosure

Found something? Tell us.

We welcome good-faith security research. Report privately, give us reasonable time to fix, and do not access data that is not yours.

  • Report to: security@aierudit.com
  • Acknowledgement: within 2 business days
  • Triage & severity: within 5 business days
  • Recognition: no bounty program yet; public credit is opt-in

// Questions

Send us your questionnaire.

Security reviews move faster with a human on the other end. Write to us directly, or check live uptime any time.

AIErudit - Master AI by doing
Operated from Warsaw, Poland