Drite handles sensitive business data — financial records, employee information, customer details, and payments. We take security seriously and design every part of the platform with defense-in-depth in mind. This page summarizes our current security posture during early access.
1. Data encryption
- In transit: all traffic between your browser, our APIs, and our backend services is encrypted with TLS 1.2 or higher.
- At rest: customer data is encrypted at rest using AES-256.
- Secrets: API keys, access tokens, and credentials are encrypted using industry-standard key management.
2. Authentication and access
- OAuth 2.1 with mandatory PKCE for every client.
- Scoped API keys — restrict access per service and per environment.
- JWTs with configurable claims and expiry.
- Optional multi-factor authentication for end users.
- Role-based access control (RBAC) within every organization, configurable per resource.
3. Multi-tenancy and isolation
Every query in Drite is scoped to an organization. Users and AI agents can only access data for the organizations they belong to. Cross-tenant access is prevented at the database query layer, not just at the application layer. We test continuously for tenant isolation regressions.
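Enforcing the organization scope in the database rather than only in application code, as described above, can be done with PostgreSQL row-level security. The following is an added illustration, not Drite's schema or code: the `invoices` table, `app_user` role and `app.current_org` setting are assumptions for the example.

```sql
-- Added illustration, not Drite's schema: PostgreSQL row-level security
-- scopes every statement on a tenant-owned table to one organization,
-- so a missing WHERE clause in application code cannot leak rows.
CREATE TABLE invoices (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    amount numeric(12,2) NOT NULL
);

-- The application connects as a role that does not own the table;
-- owners bypass RLS unless FORCE is set, and superusers always do.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- The tenant is bound per transaction. NULLIF covers an unset or empty
-- setting: the cast yields NULL, the predicate is not true, and no rows
-- are readable (USING) or writable (WITH CHECK), i.e. it fails closed.
CREATE POLICY invoices_tenant_isolation ON invoices
    FOR ALL TO app_user
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Request handling: bind the caller's organization for this transaction only.
SET ROLE app_user;
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (org_id, amount)
VALUES ('11111111-1111-1111-1111-111111111111', 120.00);
SELECT id, amount FROM invoices;   -- returns only rows of org 1111...
COMMIT;

-- Isolation regression check, run in the test suite as app_user:
-- with org 2222... bound, none of org 1111...'s rows may be visible.
BEGIN;
SET LOCAL app.current_org = '22222222-2222-2222-2222-222222222222';
DO $$
BEGIN
    IF EXISTS (SELECT 1 FROM invoices
               WHERE org_id = '11111111-1111-1111-1111-111111111111') THEN
        RAISE EXCEPTION 'tenant isolation regression: cross-org rows visible';
    END IF;
END $$;
COMMIT;
```

An INSERT or UPDATE that sets `org_id` to a different tenant than the bound one is rejected by the WITH CHECK clause, so the same policy protects reads and writes.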
4. AI agent safety
- Agents operate only within the organization that enabled them.
- High-stakes actions (e.g., transferring funds, sending external communications) require explicit owner approval before execution.
- Every agent action is logged in an append-only audit trail.
- We use frontier AI providers under enterprise agreements with no-training and zero-retention provisions where available.
5. Infrastructure
- Hosted on cloud providers with SOC 2, ISO 27001, and PCI DSS certifications.
- Network segmentation between public-facing services and internal data stores.
- Production access restricted to a small set of approved engineers, with audit logging.
- Daily encrypted backups with point-in-time recovery.
- Disaster recovery procedures with documented RPO/RTO targets.
6. Monitoring and incident response
- Continuous monitoring for security events, performance anomalies, and integrity violations.
- Append-only audit log records every action across the platform.
- Documented incident response runbooks with on-call rotation.
- Customer notification within 72 hours of any confirmed data incident affecting their organization.
7. Compliance roadmap
During early access we are operating against the following compliance roadmap. Read more on our Compliance page.
- SOC 2 Type II: in progress
- GDPR + CCPA / CPRA: in progress
- HIPAA Business Associate Agreement (BAA): planned for healthcare vertical
- PCI DSS: scope reduction via tokenization through certified processors
8. Reporting a vulnerability
If you believe you have found a security vulnerability in Drite, please report it to security@drite.io. We respond to all reports within 2 business days. We do not currently run a paid bug bounty but credit researchers in our hall of fame.
9. Contact
Questions: security@drite.io.