Compliance & Security
Last updated: February 18, 2026
AIIVARS LLC, an Arizona limited liability company doing business as SignalManager AI, is committed to maintaining robust security practices and supporting our customers' compliance requirements.
Security Standards
SignalManager AI implements security controls aligned with industry standards:
- SOC 2 Type II — Controls implementation in progress, covering security, availability, and confidentiality
- Encryption — All signal data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Audit Trails — Complete logging of signal processing, ticket generation, and user activity
Note: Compliance is a shared responsibility. Our platform provides tools and controls to support your compliance efforts, but achieving compliance depends on how you configure and use our services.
Data Protection
We implement comprehensive security measures to protect your signal data and platform access:
- End-to-end encryption for data in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication (MFA)
- SSO integration via OAuth 2.0 / OIDC / SAML
- Security audits and penetration testing (planned)
- Complete audit trails and logging
- Role-based access control (RBAC)
- API authentication via scoped tokens with least-privilege defaults
Data Isolation
Customer signal data is logically isolated using row-level tenant and user-level security:
- Row-level tenant isolation — each organization's data is scoped and enforced at the database level
- User-level access controls — permissions are enforced per user within each organization
- No cross-tenant data access — queries are restricted to the authenticated tenant's data
- Connector credentials stored in encrypted vaults, never exposed in logs or API responses
Signal Data Handling
SignalManager AI processes signals from your connected dev tools (error trackers, CI/CD, monitoring, etc.). Here's how we handle that data:
- Minimal data ingestion — We ingest only the metadata and context needed to analyze signals, not full source code or raw logs
- No training on your data — Your signal data is never used to train AI models
- Configurable retention — Set retention periods per connector or globally for your organization
- Data export and deletion — Export or permanently delete your data at any time
Privacy Law Support
Our platform is designed to support compliance with applicable privacy laws, including CCPA/CPRA:
- We do not sell personal information
- Tools to support data subject access requests (DSAR)
- Data export and deletion capabilities
- Non-discrimination for exercising privacy rights
Self-Hosted Deployment
For teams requiring complete data sovereignty, self-hosted deployment with private LLM options is coming soon. Your signal data never leaves your infrastructure. Contact us to learn more or join the waitlist.
Incident Response
We will notify affected customers within 72 hours of discovering any security incident affecting their data, in compliance with applicable breach notification laws. Enterprise customers may have access to dedicated incident response SLAs.
Responsible Disclosure Policy
We value the security research community and encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us:
- Email: [email protected]
- Please include detailed steps to reproduce the issue
- Allow us reasonable time to investigate and address the issue before public disclosure
- Do not access or modify data belonging to other users
We will acknowledge receipt of your report within 48 hours and work with you to understand and resolve the issue promptly.
Subprocessors
We use the following third-party subprocessors to deliver our services:
| Subprocessor | Purpose | Location | DPA Available |
|---|---|---|---|
| Infrastructure & Hosting | |||
| Google Cloud Platform | Cloud infrastructure, hosting, data storage, CDN | USA | ✓ Yes |
| AI & Machine Learning | |||
| User-Configured AI Providers | AI signal analysis and ticket generation (BYO model — OpenAI, Anthropic, Ollama, vLLM, etc.) | Varies | ✓ Provider-dependent |
| Communications | |||
| Amazon Web Services (SES) | Transactional and notification emails | USA | ✓ Yes |
| Productivity & Business | |||
| Google Workspace | Email (Gmail), documents, calendar, drive storage | USA | ✓ Yes |
| Stripe | Payment processing, billing, subscriptions | USA | ✓ Yes |
| Cal.com | Meeting scheduling (B2B sales only) | USA | N/A |
| Monitoring & Security | |||
| Google Cloud Monitoring | Infrastructure monitoring, alerting, uptime checks | USA | ✓ Yes |
| Analytics & Marketing | |||
| Google Analytics | Website analytics (marketing site only) | USA | N/A |
| Google Tag Manager | Tag management (marketing site only) | USA | N/A |
Note: Google Analytics, Google Tag Manager, and Cal.com are used only on our public marketing website or for B2B scheduling and do not process customer signal data.
We will notify customers of any material changes to our subprocessor list with at least 30 days' notice. Enterprise customers may request the complete subprocessor list with additional details by contacting [email protected].
International Customers
For customers outside the United States requiring Data Processing Agreements (DPA), please contact us at [email protected].
Contact
For compliance, security, or data protection questions:
Email: [email protected]
Company: AIIVARS LLC