Security is foundational to Executive Office AI. This page summarizes the controls, practices, and commitments that apply across the Service.
For the full definitions and legal commitments that govern processing of personal data, see our Privacy Policy. For the list of third parties that process customer data on our behalf, see our Sub-processors page.
Enterprise customers can request our Data Processing Addendum, security questionnaire responses, and a call with engineering at Results@JairekRobbins.com.
Platform security posture.
Encryption in transit
All traffic between your browser or client and EOAI is encrypted with TLS 1.2 or higher. Traffic between internal services runs over encrypted network paths provided by our hosting platforms.
Encryption at rest
Databases, object storage, and backup snapshots are encrypted at rest using provider-managed keys (AES-256 where applicable). Secrets are stored in isolated secret stores and are never committed to source control.
Access control
Production access is restricted to a short list of named engineers. Credential access to hosting, database, and payment providers is gated behind SSO and 2FA. Customer data is only accessed for support with the requesting customer's prior approval, except where required to diagnose a live incident.
Tenant isolation
Customer data is logically isolated per organization in the application layer. AI prompt construction is scoped to the requesting organization, and agents do not operate across tenant boundaries.
AI training opt-out
We have opted out of AI model training on customer data with all AI sub-processors that offer the control (OpenAI, Anthropic). Prompt content and outputs are not used to improve their public models.
Authentication
Email-and-password sign-in enforces minimum password complexity and screens passwords against breach lists before acceptance; passwords are hashed with bcrypt. Optional two-factor authentication is available. Single sign-on via Google is supported. SAML SSO is available on enterprise plans.
Audit logging
Security-relevant events (sign-in, sign-out, password changes, 2FA state changes, admin actions) are logged to an append-only audit log with retention aligned to each plan. Enterprise customers receive export or streaming access on request.
Rate limiting and abuse prevention
Authentication and sensitive endpoints are protected by per-IP and per-account rate limits. Suspicious patterns trigger alerts and, where warranted, automatic account pause.
Backups and recovery
Databases are backed up automatically on a rolling schedule. Point-in-time recovery is supported for the retention window of the underlying provider. Restoration is tested periodically.
Vulnerability management
We track dependency advisories, apply security patches on a defined cadence, and rotate credentials following any suspected exposure. Third-party scanning and periodic manual review are part of our process.
Responsible disclosure
If you believe you have discovered a security issue, please email us at the address below. We will acknowledge within two business days and will not pursue good-faith researchers who follow responsible disclosure.
Data handling and commitments.
What we will not do
We will not sell customer data. We will not use customer content to train public AI models. We will not grant third parties access to your account data except as necessary to deliver the Service under binding confidentiality and data-protection terms.
Incident response
If we confirm a security incident that has affected your data, we will notify you without undue delay, and within any timeframe required by applicable law (including GDPR's 72-hour rule where it applies). Our notice will describe what happened, what data was involved, and the steps we are taking.
Data residency
Primary application data is hosted in the United States. Certain integrations (for example, OAuth connections that you authorize) may cause data to be processed in the provider's region. See the Sub-processors page for locations.
Deletion and export
You may request export of your account data in a machine-readable format, and you may request deletion from your account settings or by writing to us. Deletion propagates across primary storage and backups on a schedule described in our Privacy Policy.
Compliance roadmap.
We operate to the substance of widely adopted frameworks (SOC 2 control families, ISO 27001 principles, GDPR, CCPA/CPRA) and are progressing toward formal attestation. If your evaluation requires a specific certification or control, tell us what you need and we will share our current posture and roadmap candidly.
Contact.
General security questions, DPA requests, and vendor due diligence: Results@JairekRobbins.com
Responsible disclosure of suspected vulnerabilities: Results@JairekRobbins.com with subject line "Security Report".