Security

Last updated: April 19, 2026

AI Executives OS processes sensitive executive data — calendars, meeting content, decisions, and business communications. Security is foundational to how we build, operate, and evolve the Service.

1. Our Approach

We take a defense-in-depth approach. Multiple layers of controls combine to protect customer data, authentication, integrations, and the AI processing layer.

2. Infrastructure

  • Application hosting: Vercel (SOC 2 Type II certified)
  • Database and authentication: Supabase (SOC 2 Type II certified)
  • Voice agent infrastructure: Fly.io
  • Meeting infrastructure: Daily.co, Recall.ai
  • File storage: encrypted object storage via infrastructure providers

All traffic is encrypted in transit using TLS 1.2 or higher.

3. Data Protection

3.1 Encryption

  • In transit: TLS 1.2+ on all connections
  • At rest: AES-256 for databases and storage
  • OAuth tokens and sensitive credentials: application-layer encryption on top of storage encryption

3.2 Data Isolation

  • Row-level security policies at the database layer isolate customer data
  • Per-customer processing boundaries for AI interactions
  • Strict separation between customer environments

3.3 Backups

  • Daily automated database backups
  • Point-in-time recovery available
  • Encrypted backups

4. Authentication and Access Control

  • Passwords hashed using bcrypt with appropriate work factors
  • OAuth integrations use PKCE to prevent code interception
  • Session management uses secure, HTTP-only cookies
  • Rate limiting on authentication endpoints

4.1 OAuth and Integration Security

When you connect Google Calendar, Microsoft 365, Recall.ai, or other services:

  • OAuth tokens are encrypted at rest
  • We request minimum necessary scopes
  • You may revoke integrations at any time
  • Tokens are rotated according to best practices

4.2 Internal Access

  • Employee access to customer data is restricted and logged
  • Least-privilege access model
  • Multi-factor authentication required for employee accounts

5. AI Service Security

5.1 AI Provider Selection

We use AI providers that offer business-grade data processing terms, including:

  • Data not used for training foundation models by default
  • Data processing agreements in place
  • Encryption of data in transit to AI providers
  • Limited retention by AI providers

5.2 Prompt and Output Security

  • System prompts are protected from direct user injection
  • Outputs are monitored for anomalous patterns
  • Sensitive data handling in prompts follows internal guidelines

6. Meeting Content Security

6.1 Transcription and Storage

  • Meeting transcripts are encrypted at rest
  • Meeting participants are informed when recording occurs (via meeting bot visibility)
  • You may delete individual meetings or all meeting data at any time

6.2 Meeting Bot Identification

When a meeting bot joins a call on your behalf, it is identifiable as an AI participant. We do not hide or disguise bot presence.

7. Voice and SMS Security

7.1 Voice Agent Infrastructure

Voice agents run on isolated infrastructure with real-time audio processing:

  • Audio is encrypted in transit
  • Voice data is not retained beyond the session unless explicitly configured
  • Voice processing uses enterprise-grade providers (Deepgram, ElevenLabs)

7.2 SMS Security

  • SMS messages sent via Twilio with appropriate compliance (TCPA, 10DLC)
  • Opt-out mechanisms provided where applicable

8. Application Security

  • Code reviewed before deployment
  • Automated testing including 190+ Playwright end-to-end tests
  • Dependency vulnerability scanning
  • Secret scanning to prevent credential exposure

9. Monitoring and Incident Response

  • Continuous monitoring for errors, anomalies, and security events
  • Key application events are logged
  • Documented incident response procedures
  • Customer notification in the event of a material security incident

10. Compliance and Responsibilities

10.1 Our Responsibility

We secure the Service, its infrastructure, and the data processing practices we operate.

10.2 Your Responsibility

You are responsible for:

  • Protecting your account credentials
  • Compliance with meeting recording and privacy laws in your jurisdiction
  • Appropriate consent from meeting participants
  • Reviewing AI-generated outputs before relying on them
  • Not using the Service for prohibited purposes

11. Privacy

For data handling practices, see our Privacy Policy.

12. Responsible Disclosure

If you discover a security vulnerability:

  • Email: security@theaiexecutives.com
  • Provide sufficient detail to reproduce
  • Give us reasonable time to respond before public disclosure
  • Do not access or modify data beyond what is needed to demonstrate the issue

We welcome good-faith security research.

13. Contact