////// LEGAL — SECURITY

SECURITY OVERVIEW

Last updated: July 8, 2026 · Alpha release

Security is core to what we're building — the whole point of Business AI Technology (BAIT) is agents that act inside hard boundaries and log everything. Here's how we protect your data during the alpha, what we don't promise yet, and how to report a problem.

// Alpha notice — Business AI Technology is invitation-only, pre-release software provided for evaluation. Features, data, and this document may change without notice. Do not use it for production, regulated, or business-critical data.

01Authentication

  • Sign-in is handled by Google OAuth. We never see or store your password.
  • Sessions use a secure, HTTP-only cookie scoped to .bizaitec.com, so one sign-in works across our products without exposing tokens to page scripts.
  • Session tokens are verified on the server for every protected request.

02Data in transit & at rest

All traffic is served over HTTPS/TLS. Data at rest — your account, profile, and workspace data — is stored with our database and infrastructure providers and encrypted at rest using their managed encryption.

03Access & isolation

  • Each account's data is isolated and access is scoped per user, enforced at the data layer.
  • Internal access to production data is limited to what's needed to operate and debug the alpha, on a least-privilege basis.
  • Agents act only within the capability boundaries you configure — nothing implicit, nothing silent — and every agent action is written to an immutable audit log.

04Infrastructure & providers

We build on established providers rather than rolling our own — notably Google (identity), Supabase (authentication and database), and cloud hosting for compute and delivery. The full list of sub-processors and how they handle data is in our Privacy Policy.

05AI & agent safety

  • Agents run against a defined set of tools and permissions — capabilities are granted explicitly, not assumed.
  • Every decision and action lands in an audit log with its data lineage, so you can see what an agent did and why.
  • Consequential actions are designed to keep a human in the loop; we send only the content needed to a task to our AI providers (see Privacy §04).

06Monitoring

We collect application and error logs to detect failures and abuse, and to investigate issues. We keep these for a limited period and restrict access to them.

07Reporting a vulnerability

If you believe you've found a security issue, please tell us before disclosing it publicly. Email security@bizaitec.com with steps to reproduce.

  • We welcome good-faith research and won't pursue legal action for testing that respects the rules below.
  • Test only against your own account and data — never access, modify, or exfiltrate another user's data.
  • No denial-of-service, spam, social engineering, or physical attacks, and no automated scanning that degrades the service.
  • Give us a reasonable chance to fix an issue before going public.

We'll acknowledge your report, keep you updated, and credit you if you'd like once it's resolved. We don't run a paid bounty during the alpha.

08Alpha limitations

Be candid with yourself about what an alpha is: our controls are best-effort and still maturing. We do notyet hold formal certifications (such as SOC 2 or ISO 27001), and the products are not intended for regulated data (e.g. PCI, HIPAA, or similar). Please don't store anything you can't afford to lose or expose, and don't use the alpha for production or business-critical workloads.

09If something goes wrong

If we become aware of a security incident that materially affects your data, we'll notify affected alpha users without undue delay and tell you what we know and what we're doing about it. Questions about security practices? Reach us at security@bizaitec.com.

Questions? Reach us at hello@bizaitec.com. This document is written in plain language for our alpha testers and is not a substitute for the definitive agreement we will publish at general availability.