Effective April 2026
Data Security Statement
This statement summarises how BuiltAI handles client data. It complements our Privacy Policy and the technical and organisational measures detailed in our Master Services Agreement.
1. Hosting and encryption
The BuiltAI platform runs on managed cloud infrastructure with encryption in transit (TLS) and at rest. Files are stored in a private storage bucket; downloads are mediated by signed URLs that are issued only after a role-based check on the requesting user.
2. Access controls
- Authentication via Supabase Auth with strong passwords and support for magic-link sign-in.
- Role-based authorisation: BuiltAI Admin, Commercial Lead, Delivery Lead, QA Lead, Client Sponsor, Contributor and Reviewer.
- Client users only ever see their own client account, engagement, tasks and deliverables.
- Service-role access is restricted to trusted server operations and is audit-logged.
3. Data classification
- Green: low sensitivity, standard handling.
- Amber: commercial / operational data, controlled handling and source-backed review.
- Red: personal, security-sensitive or regulated data — blocked in the MVP. Handled separately under a written secure-route agreement.
4. Audit logging
Major actions — uploads, downloads, QA decisions, approvals, SOWs, AI usage and admin overrides — are recorded in a system audit log with timestamp, actor, target and payload.
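The following is an added illustration of how the signed-URL, role-scoping and audit-logging controls in sections 1, 2 and 4 fit together. It is not BuiltAI's code and assumes several things the statement does not specify: that the four BuiltAI-side roles see every client while the three client-side roles are scoped to their own client account, that signed URLs are HMAC-SHA256 over the object path, an expiry timestamp and the requesting user, and that the base URL carries no path component. All names (`User`, `FileObject`, `issue_download_url`, `verify_url`, the sample secret and file paths) are hypothetical.

```python
# Illustrative example, not BuiltAI's implementation (assumptions noted inline).
from __future__ import annotations
import hashlib
import hmac
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: BuiltAI-side roles see every client; client-side roles are scoped
# to the client account they belong to.
STAFF_ROLES = {"BuiltAI Admin", "Commercial Lead", "Delivery Lead", "QA Lead"}
CLIENT_ROLES = {"Client Sponsor", "Contributor", "Reviewer"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    client_id: str | None  # None for BuiltAI staff (assumption)


@dataclass(frozen=True)
class FileObject:
    path: str            # object key inside the private bucket
    client_id: str       # owning client account
    classification: str  # "green", "amber" or "red"


# In-memory stand-in for the system audit log.
AUDIT_LOG: list[dict] = []


def audit(actor: str, action: str, target: str, payload: dict) -> dict:
    """Append one record with the four fields the statement lists."""
    event = {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "actor": actor,
        "action": action,
        "target": target,
        "payload": payload,
    }
    AUDIT_LOG.append(event)
    return event


def can_download(user: User, obj: FileObject) -> bool:
    """Deny by default. Red data is blocked outright (the MVP rule);
    client roles only reach objects owned by their own client account."""
    if obj.classification == "red":
        return False
    if user.role in STAFF_ROLES:
        return True
    if user.role in CLIENT_ROLES:
        return user.client_id == obj.client_id
    return False


def sign_url(secret: bytes, base: str, obj: FileObject, user: User, expires_at: int) -> str:
    """HMAC-SHA256 binds the URL to one object, one deadline and one requester,
    so a leaked or edited URL cannot be pointed at a different file."""
    msg = f"{obj.path}|{expires_at}|{user.user_id}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{base}/{obj.path}?" + urlencode({"exp": expires_at, "uid": user.user_id, "sig": sig})


def issue_download_url(secret: bytes, base: str, user: User, obj: FileObject,
                       ttl_seconds: int = 300, now: int | None = None) -> str | None:
    """Role check first, audit record always, signed URL only on allow."""
    now = int(time.time()) if now is None else now
    allowed = can_download(user, obj)
    audit(user.user_id, "download_url_issued" if allowed else "download_denied", obj.path,
          {"role": user.role, "client_id": obj.client_id,
           "classification": obj.classification, "ttl_seconds": ttl_seconds})
    if not allowed:
        return None
    return sign_url(secret, base, obj, user, now + ttl_seconds)


def verify_url(secret: bytes, url: str, now: int | None = None) -> bool:
    """Server-side check when a URL is presented: not expired, signature matches
    (constant-time compare) for the path actually requested."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        exp, uid, sig = int(q["exp"][0]), q["uid"][0], q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= exp:
        return False
    path = parsed.path.lstrip("/")  # assumes base URL has no path component
    expected = hmac.new(secret, f"{path}|{exp}|{uid}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

The points worth checking in practice are the failure cases: a Client Sponsor asking for another client's file gets no URL but still produces an audit record, a URL whose path is edited to another client's object fails verification because the path is inside the signed message, and a URL presented after its expiry is rejected even though its signature is still valid.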
5. Sub-processors
We rely on a small set of vetted sub-processors (database, storage, email, analytics, error logging). A current list is available on request via the contact form.
6. Incident response
In the event of a security incident affecting client data, we will notify the affected client without undue delay and provide the information necessary to fulfil any disclosure obligations.