Policy

Compliance Overview

Last updated February 21, 2026

Our customers span regulated industries that demand predictable governance. While Round Table AI is still a young product, we align our processes with widely adopted standards.

Data Residency & Access

  • Primary infrastructure runs in AWS us-east-1 with CloudFront POPs worldwide.
  • Data access is limited to vetted engineers with production break-glass procedures.
  • Audit logs record every privileged action.

Privacy Regulations

  • GDPR/UK GDPR: We act as a data processor and sign Data Processing Addendums (DPAs) on request. Customers may execute Standard Contractual Clauses for cross-border transfers.
  • CCPA/CPRA: We do not sell personal information for monetary consideration. When analytics cookies are active, pseudonymous identifiers may be shared with advertising partners as defined by CCPA — users can opt out via the "Your Privacy Choices" footer link or Global Privacy Control. End users can request access or deletion by emailing privacy@round-table.ai.
  • LGPD & PIPEDA: Rights requests are handled through the same privacy inbox with a 30-day SLA.

Security Frameworks

  • SOC 2 Type II: Underway. Controls already map to the Trust Services Criteria and are enforced via automation (infrastructure-as-code, mandatory code reviews, CI checks).
  • Penetration Testing: Third-party assessments run annually, with remediation tracked in Jira.
  • Vendor Reviews: All critical suppliers (AWS, Stripe, Anthropic, OpenAI, xAI, Google) have completed security questionnaires and provide their own compliance reports.

Business Continuity

  • Automated daily backups with point-in-time recovery.
  • Multi-AZ failover for databases and stateless application tiers.
  • Disaster recovery runbooks tested twice per year.

Subprocessors

| Vendor | Purpose | Region |
| --- | --- | --- |
| Amazon Web Services | Hosting, networking, data storage | Global |
| Anthropic, OpenAI, xAI, Google | AI inference APIs | US/EU (per provider) |
| Stripe | Payments and subscription billing | US/EU |
| Google Analytics | Marketing analytics (consent or legitimate interest, by jurisdiction) | US/EU |
| Customer.io | Marketing analytics and user engagement (consent or legitimate interest, by jurisdiction) | US/EU |
| Plausible Analytics | Consent-free audience measurement (no cookies, no persistent personal data) | EU (Germany) |

We will update this list before onboarding additional subprocessors.

Need a signed DPA, SOC 2 bridge letter, or security questionnaire? Contact compliance@round-table.ai.