Security at camelAI

CamelAI meets enterprise standards for security and compliance, so you can trust your data is protected with industry-leading measures.

We take security very seriously. Below is an overview of our practices and policies to protect your data at all times. We’ll update this page as needed to reflect our latest efforts.

Certifications & Compliance

  • CASA Certified – Verified industry-standard security practices.
  • SOC 2 Type 1 and Type 2 (In Progress) – Actively pursuing SOC 2 compliance to ensure enterprise-grade security controls.
  • Future Compliance Roadmap: Evaluating additional standards including ISO 27001, HIPAA, and GDPR compliance based on customer needs.

General Security Practices

  • 2FA for All Personnel: We require non-SMS two-factor authentication (2FA) for all camelAI employees, founders, and any contractors. Where hardware-based 2FA (e.g., YubiKey) or TOTP (e.g., Authy, Google Authenticator) is not available, SMS or email-based 2FA is used. Strong passwords are mandatory in all cases.
  • Access Controls: Access to servers, databases, source code, and third-party tools is strictly limited and granted on a need-to-know basis.
  • No External Copies of Production Data: We never copy production data to external devices such as personal laptops.
  • Automated Security Monitoring: We use tools like GitHub Advanced Security to alert us of known vulnerabilities in our dependencies and apply patches promptly.
  • Regular Internal and External Audits: We conduct periodic internal security reviews and external penetration tests to identify vulnerabilities.

Infrastructure Security

  • Hosting: Our servers run on AWS infrastructure, which undergoes regular third-party security audits (e.g., ISO 27001, SOC 2). We also use Cloudflare R2 and AWS S3 for distribution artifacts and to mitigate DDoS threats.
  • Data Centers and Backups: Our primary servers are in AWS’s U.S.-based regions. Encrypted backups are stored in multiple geographic locations for disaster recovery.
  • High Availability (HA): We employ auto-scaling, health checks, and failover mechanisms across availability zones to ensure minimal downtime.

Authentication and Authorization

  • Admin Passwords: Admin passwords are hashed with bcrypt, and we never store passwords in plain text.
  • API Tokens: API keys and tokens are encrypted at rest and never stored in plain text.
  • Role-Based Access Control (RBAC): All tokens are assigned specific roles, and users have access only to the data and features they need.

Authentication, Authorization & Access Control

  • Admin Password Security: All admin passwords are hashed using bcrypt; plain text passwords are never stored.
  • Secure API Tokens: API keys and tokens are encrypted at rest using AES-256 encryption.
  • Single Sign-On (SSO): Enterprise Only
    CamelAI integrates seamlessly with leading enterprise identity providers, including Okta, Azure AD, and other SAML-based providers, ensuring centralized, secure authentication.
  • Role-Based Access Control (RBAC): Enterprise Only
    Assign granular permissions based on user roles to enforce data access according to organizational policies.
  • Comprehensive Audit Logging: Enterprise Only
    Detailed, exportable audit logs capturing user activities, login attempts, data access events, and changes in permissions, enabling straightforward compliance audits and investigations.

Encryption

  • In-Transit: All communication between camelAI, your connected apps, and our LLM providers is protected by TLS (HTTPS).
  • At Rest: We use industry-standard AES-256 encryption for data at rest, including backups and temporary caches.
  • Highly Sensitive Data: Private keys, app tokens, and other secrets are encrypted using AES-256 and stored in a secure vault.

Data Handling

  • Do We Train on Your Data? No. We do not train on your data. We have opted out of data sharing with our LLM providers.
  • How Your Data Is Pulled and Stored: Data is retrieved from your connected apps only when you explicitly request it. Results are cached in AWS EC2 for 5 minutes, then cleared. Conversation history is stored securely and can be deleted anytime via your account settings.
  • Who Can See Your Data? Only you and the camelAI platform have visibility into your data by default. Our team has limited access, strictly for support or troubleshooting purposes, and only with your explicit permission.

Vulnerability Management

  • Monitoring and Patching: We watch for dependency vulnerabilities and patch them quickly. We keep dependencies updated to reduce exposure.
  • Penetration Testing: We conduct regular penetration tests, checking for common attack vectors like XSS and replay attacks, and remediate issues swiftly.
  • Rate Limiting: We use rate-limiting measures to protect against brute-force attacks or abuse, designed not to interfere with normal usage.

Disaster Recovery & Business Continuity

  • Encrypted Geographically Distributed Backups: Regular encrypted backups are stored securely in multiple geographic AWS regions, protecting against regional outages.
  • Recovery Point Objective (RPO): Less than 24 hours; ensures minimal data loss risk.
  • Recovery Time Objective (RTO): Enterprise Only
    Target restoration of services within 4 hours to minimize downtime.

Backups and Recovery

  • Encrypted Backups: Backups are stored using AWS S3 with AES-256 encryption.
  • Disaster Recovery: If hardware failures or data corruption occur, we can restore from these secure backups.
  • Retention: We retain backups for a set period to facilitate point-in-time recovery.

Crashes and Other Errors

  • Aggressive Monitoring: We proactively monitor for errors or crashes and address them as soon as possible.
  • Uptime Guarantee: We aim for 99.99% uptime and offer an SLA for enterprise customers.

Frequently Asked Questions

  • How Can I Delete My Data? You can remove conversation history or revoke app connections directly from your camelAI dashboard at any time:
    • Account Settings → Clear conversation history.
    • Manage → Active Connections → Revoke specific app connections.
  • Can I Control App Permissions?

    Yes. You can restrict permissions at the org level, and revoke these permissions at any time in the connections page.

  • How Do I Report a Vulnerability?

    Email us at [email protected]. We follow a responsible disclosure process and will respond promptly.

  • What Are Your Uptime Guarantees?

    We strive for 99.99% uptime and have mechanisms in place for auto-scaling and failover. We offer an SLA for enterprise customers.

  • Do you offer Enterprise Agreements (EAs)?

    Yes. CamelAI provides customized Enterprise Agreements offering flexible contract terms, volume-based pricing, dedicated support, and enterprise-specific compliance commitments.

  • Can camelAI accommodate specific compliance requirements like GDPR or HIPAA?

    Currently CASA certified, we are actively pursuing SOC 2 certification and continuously evaluating additional compliance needs like GDPR and HIPAA. Contact our sales team at [email protected] to discuss specific compliance requirements.

  • Which features are exclusively available for Enterprise customers?

    Enterprise-only features include Single Sign-On (SSO), Role-Based Access Control (RBAC), detailed audit logs, advanced disaster recovery (with defined RTO), high availability infrastructure, and guaranteed uptime SLAs.

If you have any other questions or concerns, please reach out to us at [email protected]. We’re here to help.