
Candidly AI's Trust Center


Data sovereignty is built into how Candidly AI works, not added on top. Your stakeholders' data stays within your borders, processed on infrastructure we host ourselves with zero third-party AI API dependencies. Use this Trust Center to review our security posture, compliance, and privacy practices, and to request our security documentation.

Documents

Compliance: ISO/IEC 27001:2022

Risk Profile

We have secure, reliable hosting that customers can depend on. We are happy to provide details about our risk mitigation practices and recovery objectives upon request.

Product Security

We pay great attention to enterprise features such as access control and single sign on. We are happy to provide more details about our enterprise features upon request.

Reports

We may provide security-related reports upon request.

Self-Assessments

We are working on our security compliance. We can provide completed questionnaires upon request.

Data Security

Customer and stakeholder data is encrypted in transit and at rest. Access to production data follows least privilege and is logged and reviewed. All data is processed and stored on self-hosted infrastructure.

AI

Candidly AI runs all AI processing on infrastructure we host ourselves, with zero third-party AI API dependencies. We do not use customer or stakeholder data to train third-party AI models. Conversation data is processed in region and is never sent to an outside model.

ESG

We take environmental, social, and governance (ESG) considerations seriously and prioritize them in our operations and decision-making processes.

Data Privacy

Candidly AI's privacy practices are aligned with PIPEDA and PIPA. We process personal information only as needed to deliver the service. Our subprocessor list is available on request, and customers can exercise data-subject rights at any time.

Access Control

Access to systems and data is granted on a least-privilege basis and protected with multi-factor authentication. Access rights are reviewed on a regular schedule and revoked promptly when no longer required. Privileged credentials are rotated on a defined cycle.

Infrastructure

Candidly AI runs on infrastructure we host ourselves, with in-region data residency so your stakeholders' data stays within your borders. All AI processing runs on our own infrastructure with zero third-party AI API dependencies. Our current footprint is monitored continuously for availability and security, and we add in-region residency as we expand.

Endpoint Security

Company devices are encrypted, kept up to date, and configured to our security standards. Endpoint posture is reviewed as part of our control program.

Network Security

Our network is protected by a web application firewall and continuous intrusion detection. Traffic is monitored and filtered, and security events are logged and triaged. Network controls are tested as part of our ongoing compliance program.

Corporate Security

We maintain a documented set of security policies governing how we operate. Personnel complete security awareness training, and vendors are assessed for security and privacy before onboarding. Practices are reinforced through internal review.

Policies

Our security and privacy policies are reviewed and approved on a regular cycle. Summaries are available here, and full policy documents can be requested under NDA.

Security Grades

We are constantly monitoring the security of our website. We will post our grades from public security rating agencies when they become available.

Incident Response

We maintain a documented incident response plan with defined roles, escalation paths, and notification procedures. Affected customers are notified in line with our contractual and legal obligations.

Risk Management

We have a dedicated team that manages security risks. We are happy to provide more details about our risk management practices upon request.

Asset Management

We have strict asset management policies in place to ensure that all assets are accounted for and secure.

BC/DR

We have a business continuity plan in place to ensure that we can continue to operate in the event of a disaster.

Training

We provide security awareness training to all employees to ensure that they are aware of security best practices.

Change Management

We have a change and configuration management process in place to ensure that changes are properly reviewed and approved.

Physical & Environment

We have physical and environmental controls in place to ensure that our data centers are secure and reliable.

Continuous Monitoring

We continuously monitor our systems for security threats and vulnerabilities. We are happy to provide more details about our continuous monitoring practices upon request.

Knowledge Base (FAQ)
  • How do I get a copy of your SOC 2 report or other security documents?
  • Who are your subprocessors?
  • How do you handle security incidents?
  • How long is data retained, and can it be deleted?
  • What compliance standards do you meet?