security & ai

Your negotiation strategy is sensitive. We built Ali to protect it.

Ali handles confidential deal strategies, contract terms, and compensation data. That trust is earned through transparency about exactly how your data is handled.

AI Transparency

How Ali uses AI

Ali is powered by Anthropic's Claude — one of the most capable and safety-focused AI models available. Here is exactly what that means for your data.

Contractual Guarantee

No training on your data

Under Anthropic's commercial API terms, your inputs and outputs are never used to train or improve AI models. This is enforceable, not aspirational.

Architecture

No web search

Ali does not access the internet. It coaches from Aligned Negotiation's proprietary methodology, not web results or external data.

Contractual Guarantee

Ephemeral AI processing

After generating your coaching response, Anthropic automatically deletes its copy of your conversation within 7 days. Safety-flagged content may be retained up to 2 years per Anthropic's trust and safety policy. Your history lives only in your Ali account.

Architecture

No third-party data sharing

The only external processing is the Anthropic API call that powers your coaching. No other parties receive your conversation content. Error telemetry (anonymized session identifiers) is sent to Sentry for reliability monitoring — no conversation content is included.

Data Practices

What we do and don't do with your data

what we do
  • Store your conversations so you can pick up where you left off
  • Use your Silhouette results to personalize coaching
  • Process uploaded documents to provide analysis
  • Maintain your account profile and preferences
what we don't do
  • Train AI models on your data
  • Sell or share your data with third parties
  • Store your data outside our secured infrastructure
  • Access your conversations without your explicit request
Infrastructure

Where your data lives

Ali stores your conversation history, profile, and coaching progress in a PostgreSQL database hosted on Railway. Every layer of the stack holds independent security certifications.

layer | provider | security
AI Processing | Anthropic (Claude) | SOC 2 Type II, ISO 27001
Hosting & Database | Railway | SOC 2 Type II, US-Based

Encryption

TLS 1.2+ for all data in transit. Encryption at rest at every layer (AES-256 confirmed for Anthropic; Railway encrypts at rest). Your data is encrypted at every stage — in your browser, on the wire, and in storage.

transparency

How your data flows

This is the complete path your data takes when you use Ali. No hidden steps.

1. You send a message (encrypted in transit, TLS 1.2+)
2. Ali's server processes it and sends it to Anthropic's Claude API (encrypted)
3. Claude generates a coaching response and returns it (encrypted)
4. The response is stored in your account (encrypted at rest). Anthropic deletes their copy within 7 days.*

*Standard API data deleted within 7 days. Safety-flagged content may be retained up to 2 years per Anthropic's trust and safety policy.

Subprocessors

Third-Party Services

Ali uses the following subprocessors to deliver the service:

service | role | certifications
Railway | Infrastructure, hosting, database | SOC 2 Type II, HIPAA, GDPR
Anthropic | AI model provider | SOC 2 Type II, ISO 27001, ISO 42001
Sentry | Error monitoring (no conversation content) | SOC 2 Type II
Resend | Transactional email (verification, notifications) | --

For enterprise

Procurement and security questions

If your organization is evaluating Ali for team use, here are answers to the questions your security and procurement teams will ask.

Do you have SOC 2?
Ali's infrastructure providers — Railway (hosting) and Anthropic (AI) — both hold SOC 2 Type II certification. Ali's own organizational SOC 2 audit is on our compliance roadmap.

Where is our data stored?
In a PostgreSQL database hosted on Railway (Railway Metal bare-metal infrastructure, US regions). Encrypted at rest and in transit (TLS 1.2+).

Do you train AI on our data?
No. Anthropic's commercial API terms contractually prohibit training on API customer data. Your conversations and documents are never used to improve AI models.

Can you sign a DPA?
Yes. We can provide a Data Processing Addendum on request. Our infrastructure partners (Railway and Anthropic) both maintain their own DPAs.

Do you support SSO?
SSO/SAML is on our enterprise roadmap. Currently: email/password authentication and Google OAuth.

Who has access to our data?
Only the authenticated user. Ali's engineering team can access data for technical support only when explicitly requested by the customer.

Can you complete a security questionnaire?
Yes. Contact security@alignednegotiation.com and we will complete your vendor assessment.

compliance

Our Security Roadmap

Ali is an early-stage product. We believe transparency about where we are is more credible than overclaiming. This page is updated as we achieve each milestone.

today
  • SOC 2 Type II certified infrastructure
  • AI provider (Anthropic) holds ISO 42001
  • End-to-end encryption
  • No AI training on user data
  • Email verification + Google OAuth
  • Prompt injection protection
in progress
  • Formal privacy policy
  • Terms of service
  • Self-service account deletion
  • Data export capability
  • Application audit logging
On Our Roadmap
  • Ali organizational SOC 2 Type I
  • SSO/SAML for enterprise
  • Multi-factor authentication
  • Formal penetration testing
  • Compliance automation (Vanta)
certifications

Our AI Partner Certifications

AI coaching engine (Claude)
  • SOC 2 Type II
  • ISO 27001:2022
  • ISO 42001:2023
  • HIPAA-ready
Trust portal: trust.anthropic.com

Hosting, database, infrastructure
  • SOC 2 Type II
  • SOC 3
  • HIPAA
  • GDPR
  • EU-US DPF
Trust portal: trust.railway.com

Data Jurisdiction

US-Based Data Processing

All data processing occurs within US-based infrastructure. No data is sent to servers in China or other jurisdictions with mandatory government data-sharing laws. This distinguishes Ali from AI tools built on DeepSeek or other Chinese-origin models. Ali's AI provider (Anthropic) is a US-headquartered company. Railway operates US-region infrastructure. All subprocessors are US-based companies.

Still have questions?

For security documentation, vendor questionnaires, or compliance inquiries:

security@alignednegotiation.com