Security at PathPilot AI

We treat your goal data with the same seriousness you treat your goals. Here's exactly how we protect it — no marketing language, just facts.

Last updated: March 2026

Our security commitments

256-bit AES Encryption

All data is encrypted at rest with AES-256 and in transit with TLS 1.3.

SOC 2 Type II (Planned)

We are actively pursuing SOC 2 Type II certification. Audit scheduled for Q3 2026.

GDPR Compliant

Full GDPR compliance, including right to erasure, data portability, and data processing agreements (DPAs).

Zero AI Training on Data

Your goal data is never used to train AI models. Zero-retention agreements are in place with all LLM providers.

99.9% Uptime SLA

Infrastructure hosted on AWS with multi-region redundancy and automated failover.

OAuth 2.0 + MFA

Industry-standard authentication with optional two-factor authentication on all accounts.

Isolated Data Storage

Each user's data is logically isolated. No cross-tenant data access is possible by design.

Automatic Backups

Daily encrypted backups with 30-day retention. Point-in-time recovery available on Pro+.

How we protect your data

Data Encryption

  • All data encrypted at rest using AES-256
  • All data in transit encrypted via TLS 1.3
  • Database backups encrypted with separate keys
  • Encryption keys rotated every 90 days

Access Control

  • Role-based access control (RBAC) on all resources
  • Principle of least privilege enforced across all systems
  • Multi-factor authentication available on all accounts
  • Session tokens expire after 24 hours of inactivity

Infrastructure Security

  • Hosted on AWS with VPC isolation
  • Web Application Firewall (WAF) on all endpoints
  • DDoS protection via AWS Shield
  • Automated vulnerability scanning on every deploy

Application Security

  • Content Security Policy (CSP) headers on all pages
  • Input sanitization and output encoding throughout
  • SQL injection and XSS prevention by default
  • Rate limiting on all API endpoints

Privacy & Data

  • GDPR- and CCPA-compliant data handling
  • No sale of personal data to third parties
  • Data deletion within 30 days of account closure
  • Anonymized analytics only — no behavioral tracking

Monitoring & Response

  • 24/7 automated security monitoring
  • Anomaly detection on all authentication events
  • Incident response plan with <4 hour SLA
  • Security breach notification within 72 hours (GDPR)

Responsible Disclosure Policy

If you discover a security vulnerability in PathPilot AI, we ask that you report it to us privately before disclosing it publicly. We commit to acknowledging your report within 24 hours, providing a fix timeline within 72 hours, and crediting you publicly (if desired) once the issue is resolved.

[email protected]

PGP key available on request.

Data residency & third parties

Data location

All user data is stored in AWS US-East-1 by default. EU data residency (Frankfurt) is available on the Super Team plan for GDPR-sensitive workloads.

AI processing

Goal data sent to AI models is processed with zero-retention agreements. The AI provider does not store, log, or train on your data. Processing happens in-memory only.

Third-party sub-processors

We use a minimal set of sub-processors: AWS (infrastructure), Stripe (payments), Resend (transactional email), and PostHog (anonymized product analytics). A full sub-processor list is available on request.

Data portability

You can export all your data at any time in JSON or CSV format from your account settings. We will never hold your data hostage.

Account deletion

Deleting your account triggers immediate removal of all personal data. Anonymized aggregate analytics data (e.g. 'a user completed 12 tasks') may be retained for up to 30 days before purge.

Questions about security?

Our security team responds to all enquiries within one business day.