Security at camelAI

Our team has built state-of-the-art security into our product suite, so that you can rest easy knowing your data is safe with us.

We take security very seriously. Below is an overview of our practices and policies to protect your data at all times. We’ll update this page as needed to reflect our latest efforts.

General Security Practices

  • 2FA for All Personnel: We require non-SMS two-factor authentication (2FA) for all camelAI employees, founders, and any contractors. Where hardware-based 2FA (e.g., YubiKey) or TOTP (e.g., Authy, Google Authenticator) is not available, SMS or email-based 2FA is used. Strong passwords are mandatory in all cases.
  • Access Controls: Access to servers, databases, source code, and third-party tools is strictly limited and granted on a need-to-know basis.
  • No External Copies of Production Data: We never copy production data to external devices such as personal laptops.
  • Automated Security Monitoring: We use tools like GitHub Advanced Security to alert us of known vulnerabilities in our dependencies and apply patches promptly.
  • Regular Internal and External Audits: We conduct periodic internal security reviews and external penetration tests to identify vulnerabilities.

Infrastructure Security

  • Hosting: Our servers run on AWS infrastructure, which undergoes regular third-party security audits (e.g., ISO 27001, SOC 2). We also use Cloudflare R2 and AWS S3 for distribution artifacts and to mitigate DDoS threats.
  • Data Centers and Backups: Our primary servers are in AWS’s U.S.-based regions. Encrypted backups are stored in multiple geographic locations for disaster recovery.
  • High Availability (HA): We employ auto-scaling, health checks, and failover mechanisms across availability zones to ensure minimal downtime.

Authentication and Authorization

  • Admin Passwords: Admin passwords are hashed with bcrypt, and we never store passwords in plain text.
  • API Tokens: API keys and tokens are encrypted at rest and never stored in plain text.
  • Role-Based Access Control (RBAC): All tokens are assigned specific roles, and users have access only to the data and features they need.

Encryption

  • In-Transit: All communication between camelAI, your connected apps, and our LLM providers is protected by TLS (HTTPS).
  • At Rest: We use industry-standard AES-256 encryption for data at rest, including backups and temporary caches.
  • Highly Sensitive Data: Private keys, app tokens, and other secrets are encrypted using AES-256 and stored in a secure vault.

Data Handling

  • Do We Train on Your Data? No. We do not train on your data. We have opted out of data sharing with our LLM providers.
  • How Your Data Is Pulled and Stored: Data is retrieved from your connected apps only when you explicitly request it. Results are cached in AWS EC2 for 5 minutes, then cleared. Conversation history is stored securely and can be deleted anytime via your account settings.
  • Who Can See Your Data? Only you and the camelAI platform have visibility into your data by default. Our team has limited access, strictly for support or troubleshooting purposes, and only with your explicit permission.

Vulnerability Management

  • Monitoring and Patching: We watch for dependency vulnerabilities and patch them quickly. We keep dependencies updated to reduce exposure.
  • Penetration Testing: We conduct regular penetration tests, checking for common attack vectors like XSS and replay attacks, and remediate issues swiftly.
  • Rate Limiting: We use rate-limiting measures to protect against brute-force attacks or abuse, designed not to interfere with normal usage.

Backups and Recovery

  • Encrypted Backups: Backups are stored using AWS S3 with AES-256 encryption.
  • Disaster Recovery: If hardware failures or data corruption occur, we can restore from these secure backups.
  • Retention: We retain backups for a set period to facilitate point-in-time recovery.

Crashes and Other Errors

  • Aggressive Monitoring: We proactively monitor for errors or crashes and address them as soon as possible.
  • Uptime Guarantee: We aim for 99.99% uptime and offer an SLA for enterprise customers.

Certifications

  • Current: CASA certified.
  • In Progress: SOC 2 Type 1 and Type 2.
  • Future Considerations: While we don’t hold additional certifications right now (e.g., ISO 27001, HIPAA), we continually evaluate new compliance standards to meet enterprise needs.

Frequently Asked Questions

  • How Can I Delete My Data? You can remove conversation history or revoke app connections directly from your camelAI dashboard at any time:
    • Account Settings → Clear conversation history.
    • Manage → Active Connections → Revoke specific app connections.
  • Can I Control App Permissions? Yes. You can restrict permissions at the org level, and revoke these permissions at any time in the connections page.
  • How Do I Report a Vulnerability? Email us at [email protected]. We follow a responsible disclosure process and will respond promptly.
  • What Are Your Uptime Guarantees? We strive for 99.99% uptime and have mechanisms in place for auto-scaling and failover. We offer an SLA for enterprise customers.

If you have any other questions or concerns, please reach out to us at [email protected]. We’re here to help.