Security
Last updated: April 11, 2026
Drift is built for teams who can't afford to guess about security. This page summarizes the controls we have in place today. For enterprise security reviews, DPAs, penetration-test reports, or our SOC 2 readiness status, contact security@driftai.studio.
Infrastructure
- Hosting: the Drift application runs on Vercel's global edge network. Our primary database runs on Supabase (Postgres) in AWS us-east-1.
- Encryption in transit: all traffic to Drift is served over TLS 1.2+. HSTS is enforced.
- Encryption at rest: Customer Data is encrypted at rest using AES-256 at the database and storage layer.
- Network isolation: our database is not exposed to the public internet; application servers connect via private networking.
Access control
- Workspace isolation: every workspace's data is isolated using Postgres Row-Level Security. Queries are scoped to the caller's workspace at the database layer — not just the application layer.
- Role-based access: workspace members have differentiated roles (owner, admin, member) with least-privilege defaults.
- Least-privilege internal access: only a small number of Drift engineers have production database access, gated by hardware-backed authentication.
- Audit logs: sensitive actions (role changes, agent deployment, data export) are recorded with actor, timestamp, and target — visible to workspace admins.
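The workspace isolation described in the first bullet above, as an added Postgres example. This is not Drift's schema or its actual policies: the tables and columns (workspaces, workspace_members, agents, workspace_id, role) are assumptions for illustration, and auth.uid() is Supabase's helper that returns the caller's user id from the request JWT.

```sql
-- Added example of Row-Level Security scoped to the caller's workspace.
-- NOT Drift's schema; table and column names are assumptions.
-- auth.uid() is Supabase's function returning the JWT subject of the caller.

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('owner', 'admin', 'member')),
  primary key (workspace_id, user_id)
);

create table agents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  name         text not null
);

-- 1. Enable RLS. FORCE applies the policies to the table owner as well, so an
--    owner-role connection cannot silently read every workspace's rows.
alter table workspace_members enable row level security;
alter table workspace_members force row level security;
alter table agents enable row level security;
alter table agents force row level security;

-- 2. Default-deny: once RLS is enabled, a table with no matching policy
--    returns no rows. Members may see only their own membership rows; this
--    is what the subqueries below evaluate against.
create policy members_select on workspace_members
  for select
  using (user_id = auth.uid());

-- 3. Any member of the workspace can read its agents.
create policy agents_select on agents
  for select
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = agents.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- 4. Only owners and admins can write. WITH CHECK is what stops a caller from
--    inserting a row into, or moving a row to, a workspace they do not belong
--    to; USING alone only filters rows they can already see.
create policy agents_write on agents
  for all
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = agents.workspace_id
        and m.user_id = auth.uid()
        and m.role in ('owner', 'admin')
    )
  )
  with check (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = agents.workspace_id
        and m.user_id = auth.uid()
        and m.role in ('owner', 'admin')
    )
  );

-- 5. Check to run in a test, connected as a non-superuser role without
--    BYPASSRLS and with a JWT for a user who belongs to exactly one workspace:
--    the count below should be 0, and an insert with a foreign workspace_id
--    should fail with "new row violates row-level security policy".
-- select count(*) from agents where workspace_id <> '<that user''s workspace>';
```

Two caveats a reviewer would check. Roles that are superusers or have BYPASSRLS, which in Supabase includes connections made with the service_role key, skip these policies entirely, so any server-side code using such a key must scope its own queries. And a policy without WITH CHECK on INSERT or UPDATE leaves the cross-workspace write path open even when reads are correctly filtered.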
Application security
- Authentication: password-based sign-in uses Supabase Auth with bcrypt hashing. Passwords are never stored in plaintext. SSO (SAML/OIDC) is available on enterprise plans.
- Secret management: API keys, tokens, and other secrets are stored in Vercel's encrypted environment variables and never committed to source control.
- Dependency hygiene: we monitor our dependency graph for known vulnerabilities and apply patches promptly.
- Error monitoring: we capture exceptions via Sentry with PII-scrubbing enabled.
Data handling
- No model training on your data: we do not use Customer Data to train foundation models.
- Subprocessors: we use a small, vetted list of subprocessors (Supabase, Vercel, Stripe, Twilio, OpenAI / Anthropic / ElevenLabs / VAPI, Sentry). Each is bound by a DPA.
- Data portability: workspace owners can export all workspace data at any time from settings.
- Data deletion: on workspace cancellation, Customer Data is retained for 30 days, then permanently deleted. Backups are purged within 35 days.
Operational security
- Incident response: we maintain an internal incident response runbook. In the event of a security incident affecting Customer Data, we will notify affected workspace owners within the timeframes required by applicable law.
- Backups: the primary database is backed up daily with point-in-time recovery. Backups are encrypted.
- Uptime: current system status is available at driftai.studio/status.
Compliance
We are actively working toward SOC 2 Type II. We sign DPAs and rely on Standard Contractual Clauses for EU/UK transfers. Enterprise customers can request the current compliance package, vendor security questionnaire responses, and subprocessor list at security@driftai.studio.
Reporting a vulnerability
Security researchers: please report suspected vulnerabilities to security@driftai.studio. We commit to acknowledging reports within 2 business days and will not pursue legal action against good-faith research that follows responsible disclosure.