top of page

CathyAI Agents
Security Standards and FAQ

CathyAI Security & Privacy: Frequently Asked Questions (FAQ)

1. Is my data secure on the CathyAI platform?

Absolutely. Security is the foundation of the CathyAI platform. The system is engineered with multiple layers of protection to ensure your data is always secure. We are SOC 2 Type 1 compliant, which is a rigorous, third-party audit that verifies our security controls and processes meet the highest industry standards. We are also in the process of obtaining our SOC 2 Type 2 certification, which involves continuous monitoring to ensure these standards are consistently maintained. 

2. Will my conversations be used to train the AI models?

No, never. Your data is your data. We use enterprise-grade APIs to connect to large language models, and our agreements explicitly state that none of your information is used for training the models. Unlike some free consumer tools, your proprietary information, conversations, and uploaded documents remain confidential.

3. Where is my data stored?

All client data is currently stored securely in Canada. For enterprise clients with specific regulatory needs, we have the capability to ensure data is hosted exclusively within a requested geography, such as the US, to comply with data sovereignty requirements.

4. Can anyone at your company or on my team see my chats?

Your privacy is paramount.

  • Internal Access: Our administrators cannot see the content of your chats. The system is designed to ensure your conversations are private.

  • Team Access: Within your organization, each user has a unique seat and login. No one on your team can see your chats unless you explicitly use the "share" function.  This ensures confidentiality between team members.

5. How do you protect my data from external threats?

We employ a multi-faceted approach to security. Our platform is built on a microservice architecture, which isolates different parts of the system to enhance security and prevent cascading issues. We also utilize end-to-end encryption and private network systems to protect your data both when it's being stored and when it's in transit. 

6. What happens when I upload a document?

We are continuously enhancing our security features. We are in the process of implementing automatic virus scanning for all file uploads and downloads to protect your systems from malware. We are also developing a PII (Personally Identifiable Information) Redactor that will warn you if you are about to upload sensitive personal data, helping you maintain compliance and protect privacy. 

7. What is our responsibility as users?

That's a great question. While we provide a highly secure environment, we always advise clients to practice smart data hygiene. As a best practice, you should never upload or discuss information that you wouldn't want in the public domain.Think of it like any other digital communication tool—it's a shared responsibility to keep sensitive information safe.

CathyAI Security vs. Industry Standards

How the CathyAI platform's security measures compare to common standards in the enterprise Software-as-a-Service (SaaS) industry.

Feature

CathyAI Platform

Typical Enterprise SaaS Standard

Analysis

Core Security Certification

SOC 2 Type 1 (with Type 2 in progress)

SOC 2 Type 2 is the gold standard; ISO 27001 is also common, especially for global companies.

On Par/Exceeding. Achieving SOC 2 Type 1 is a strong baseline. Actively pursuing Type 2 demonstrates a commitment to best practices and places the platform on par with established, trusted enterprise solutions.

Data Encryption

End-to-end encryption; private network systems. 

Encryption in transit (TLS) and at rest (AES-256) is standard.

Meets Standard. The platform employs the necessary encryption protocols to protect data at all stages, which is a fundamental requirement for any enterprise-grade application.

Data Residency & Sovereignty

All data currently stored in Canada. Options for dedicated US or Canada hosting for enterprise clients is available.

Often provide regional hosting options (e.g., US, EU, APAC) to comply with regulations like GDPR. Data sovereignty is a key selling point for regulated industries.

Competitive Advantage. Offering clear data residency in Canada is a significant advantage for Canadian clients. The flexibility to provide dedicated US hosting for American clients makes the platform competitive against larger providers who offer regional choices.

Use of Customer Data for Training

Explicitly does not use customer data to train LLMs via its API agreements. 

This is a major differentiator. While many consumer-grade AI tools use data for training, reputable enterprise SaaS platforms using AI/ML will have a zero-training policy on customer data as a core privacy commitment.

Meets Enterprise Standard. This is a critical and non-negotiable point for most businesses. CathyAI's firm stance aligns perfectly with enterprise expectations for data confidentiality and intellectual property protection.

Internal Data Access Controls

Administrators cannot see user chats; data is segregated by client tenant and then by unique user ID. 

Role-Based Access Control (RBAC) is standard. Strict policies should be in place to prevent employees from accessing client data unless required for support, with explicit client permission.

Exceeds Standard. The "we don't want to know" philosophy, combined with a microservice architecture that enforces data segregation, is a very strong security posture that goes beyond basic access controls.

Upcoming Security Features

Proactive features like virus scanning for file uploads and a PII redactor are in development. 

Advanced features like these are often found in mature, market-leading platforms. They signal a proactive, rather than reactive, approach to security.

Forward-Thinking. The development of these features shows a mature security roadmap. This is a strong selling point, as it demonstrates the platform is not just meeting today's standards but preparing for future threats.

Conclusion: The CathyAI platform's security measures are not only aligned with but, in some cases, exceed the typical standards for enterprise SaaS solutions. The commitment to SOC 2 Type 2, clear data residency policies, and a firm "no-training" stance on user data are all hallmarks of a secure and trustworthy platform.

bottom of page