Security

Updated 2nd August, 2022

Compliance

SOC 2 Type II

Obviously AI's SOC 2 Type II report covers the trust services categories of Security, Confidentiality, and Availability, and is audited annually.

General Data Protection Regulation (GDPR)

We comply with GDPR data retention requirements, and offer a data processing agreement (DPA) for customers in the EU.

Health Insurance Portability and Accountability Act (HIPAA)

Obviously AI is HIPAA compliant, and is prepared and able to execute a standard Business Associate Agreement ("BAA"). To see if you qualify for a BAA, please contact a sales representative.

California Consumer Privacy Act (CCPA)

We ensure policies, processes, and controls comply with CCPA requirements.

Infrastructure

Secure infrastructure provider

We host all of our data in physically secure Google Cloud facilities that include 24/7 on-site security, camera surveillance, and more. All customer data is hosted in data centers that are SOC 2, ISO 27001 and HITRUST compliant.

Data encryption in transit & at rest

All data sent to or from Obviously AI is encrypted using TLS, and all customer data is encrypted using AES-256. Data is only sent when a session is actively being viewed and is deleted right after, unless recordings are explicitly enabled. We use Cloudflare's geographic load balancer and regionally located servers in the Netherlands and UK to ensure that intra-European traffic never leaves Europe.

Data redundancy and resiliency

Obviously AI's infrastructure has been designed to be fault tolerant. All databases operate in a cluster configuration and the application tier scales using load balancing technology that dynamically meets demand.

Server security and monitoring

All servers are configured using a documented set of security guidelines and images are managed centrally. Changes to the company’s infrastructure are tracked, and security events are logged appropriately.