Policy

Compliance Overview

Last updated November 11, 2024

Our customers span regulated industries that demand predictable governance. While Round Table AI is still a young product, we align our processes with widely adopted standards.

Data Residency & Access

  • Primary infrastructure runs in AWS us-east-1 with CloudFront POPs worldwide.
  • Data access is limited to vetted engineers with production break-glass procedures.
  • Audit logs record every privileged action.

Privacy Regulations

  • GDPR/UK GDPR: We act as a data processor and sign Data Processing Addendums (DPAs) on request. Customers may execute Standard Contractual Clauses for cross-border transfers.
  • CCPA/CPRA: We do not sell personal information. End users can request access or deletion by emailing privacy@round-table.ai.
  • LGPD & PIPEDA: Rights requests are handled through the same privacy inbox with a 30-day SLA.

Security Frameworks

  • SOC 2 Type II: Underway. Controls already map to the Trust Services Criteria and are enforced via automation (infrastructure-as-code, mandatory code reviews, CI checks).
  • Penetration Testing: Third-party assessments run annually, with remediation tracked in Jira.
  • Vendor Reviews: All critical suppliers (AWS, Stripe, Anthropic, OpenAI, xAI, Google, Plausible) have completed security questionnaires and provide their own compliance reports.

Business Continuity

  • Automated daily backups with point-in-time recovery.
  • Multi-AZ failover for databases and stateless application tiers.
  • Disaster recovery runbooks tested twice per year.

Subprocessors

| Vendor | Purpose | Region |
| --- | --- | --- |
| Amazon Web Services | Hosting, networking, data storage | Global |
| Anthropic, OpenAI, xAI, Google | AI inference APIs | US/EU (per provider) |
| Stripe | Payments and subscription billing | US/EU |
| Plausible | Privacy-friendly marketing analytics | EU |

We will update this list before onboarding additional subprocessors.

Need a signed DPA, SOC 2 bridge letter, or security questionnaire? Contact compliance@round-table.ai.