Aijency

Data Security & Privacy

Last updated: 6 June 2026 · Version 1.2

This page explains how Aijency protects the personal data processed by Aijent on your website. It is intended for enterprise clients, procurement teams, and security reviewers.

At a glance

Question	Answer
Is visitor data encrypted in transit?	Yes — TLS (HTTPS)
Is visitor data encrypted at rest?	Yes — AES-256
Is a Data Processing Agreement in place with Anthropic?	Yes — included in Commercial Terms
Is data stored in Australia?	Yes — Supabase ap-southeast-2 (Sydney)
Is platform activity logged and monitored?	Yes — immutable audit log + error & uptime monitoring
Does Anthropic train models on your data?	No — Per Data Processing Agreement with Aijency
Is data sold to third parties?	No
Is data used for advertising?	No

1. What data Aijent collects

Aijent securely collects only the information a visitor voluntarily provides during a conversation. This encrypted data typically includes:

Full name
Email address
Company name
Phone number
Business needs discussed during the conversation
The full conversation transcript

No browsing history, device fingerprinting, or passive tracking data is collected. A single anonymous visitor identifier (aijency_vid) is stored in browser local storage for session continuity only — it is a randomly generated UUID and is not used for cross-site tracking.

2. How data flows

Visitor submits a message in the chat widget Transmitted over HTTPS (TLS) to Aijency’s application servers. Function compute is pinned to Vercel’s Sydney region (ap-southeast-2); the message is processed there transiently — no lead data is stored at this layer.

Aijency calls the Anthropic Claude API The conversation is processed transiently by Anthropic to generate Aijent’s response. Anthropic does not retain this data after the request completes and does not use it to train models. This is a contractual obligation under Anthropic’s Commercial Terms and DPA.

Lead data is stored in Aijency’s database Stored in Supabase PostgreSQL, ap-southeast-2 (Sydney, Australia). Encrypted at rest. Row-level security enforced per client tenant — no tenant can access another tenant’s data.

Data is synced to your connected CRM Sent via OAuth 2.0 to your connected CRM (e.g. HubSpot). OAuth tokens are encrypted at rest using AES-256-GCM. Only your authorised CRM account receives this data.

3. AI processing — Anthropic

Aijent is powered by the Anthropic Claude API. The following protections apply:

No model training. Anthropic confirmed in writing that API inputs and outputs are not used to train models by default. This is a contractual obligation, not a policy preference.
Transient processing. Conversation data is processed in-flight to generate a response. Anthropic does not store conversation data beyond the request lifecycle.
Data Processing Agreement. A DPA — including Standard Contractual Clauses (SCCs) for GDPR compliance — is automatically incorporated into Anthropic’s Commercial Terms of Service. By accepting those terms, Aijency has a legally binding DPA with Anthropic as a sub-processor.

Anthropic’s full DPA is publicly available at anthropic.com/legal/data-processing-addendum. Compliance documentation including SOC 2 Type II, ISO 27001:2022, and ISO/IEC 42001:2023 certifications is available at trust.anthropic.com.

4. Anthropic certifications

Certification	Scope	Where to verify
SOC 2 Type II	Security, availability, confidentiality controls	trust.anthropic.com (available under NDA)
ISO 27001:2022	Information security management	trust.anthropic.com
ISO/IEC 42001:2023	AI management systems	trust.anthropic.com

5. Sub-processors

The following sub-processors handle personal data on behalf of Aijency clients:

Sub-processor	Purpose	Location
Anthropic	AI processing (Aijent conversational responses)	United States
Supabase	Database and file storage (data at rest)	Australia (ap-southeast-2, Sydney)
Vercel	Application hosting and edge delivery (transient compute; no customer data stored at rest)	Australia (ap-southeast-2, Sydney) — function compute; global edge for static delivery
Stripe	Subscription billing and payment processing	United States
Resend	Transactional email notifications	United States
Sentry	Application error monitoring and alerting (diagnostic data)	United States
PostHog	Product analytics — authenticated client dashboard only (not website visitors)	United States

Aijency reviews all sub-processors before engagement and maintains data processing agreements with each.

6. Applicable privacy frameworks

Australian Privacy Act 1988 — primary governing framework
GDPR (EU/UK) — Standard Contractual Clauses in place via Anthropic DPA
PDPA (Singapore) — supported via contractual DPA chain

7. Technical security controls

All data in transit encrypted via TLS (HTTPS enforced on all connections)
All OAuth tokens encrypted at rest using AES-256-GCM
Application secrets and the data-encryption key are held in a dedicated, access-controlled secrets manager — kept out of source code and rotated under a documented key-management policy
Row-level security enforced at the database level — tenant data is strictly isolated
OAuth 2.0 with PKCE for all third-party integrations
Managed PostgreSQL with encryption at rest, hosted in ap-southeast-2 (Sydney)
Static code analysis (SAST) on every commit
Immutable, append-only audit logging of security-relevant events — records cannot be modified or deleted
Continuous application error monitoring and alerting across all environments
Uptime and availability monitoring with alerting and a public status page

8. Enterprise enquiries

For any security related questions, please contact info@aijency.ai.