Evidence first
We do not claim certifications, attestations, or controls we do not have. Status is stated plainly.
Trust Center
Procurement-grade control for the operating system of digital labor.
Alabobai keeps trust conservative and explicit: no unearned certifications, no vague claims, no hidden vendor story. This page holds the evidence, response expectations, subprocessors, and procurement paths in one place.
No unearned certifications. Evidence available on request.
Procurement snapshot
Status locked
Certification posture
In progress
SOC 2 readiness is active; no complete certification is claimed.
Response window
24h business days
Security inquiries are acknowledged within one business day.
DPA path
/dpa
Request intake, review, redlines, and final signature are documented.
Contacts
security + legal
Procurement and security contacts are available in one place.
Clear boundaries, verifiable commitments, and procurement-ready proof.
This page is intentionally conservative. It exists to help legal, security, procurement, and operators review the platform without hunting across multiple pages for basic answers.
Procurement ready
Security review, DPA flow, subprocessors, and contact paths live on one page for faster evaluation.
Least privilege
Subprocessors and infrastructure exist to operate the platform, not to widen the data surface by default.
Clear response windows
Business-day acknowledgement and incident update expectations are written as operating policy, not marketing copy.
Certification status
Current posture, stated without exaggeration.
| Program | Status | Notes |
|---|---|---|
| External certifications | None issued | We do not represent any certification, attestation, or audit report as complete unless it is complete. |
| SOC 2 Type II | In progress | Control mapping and audit preparation are in progress. No report has been issued yet. |
| ISO/IEC 27001 | Planned | Planned after SOC 2 readiness milestones are completed. |
| ISO/IEC 27701 | Planned | Planned as an extension to privacy governance after core ISMS maturity. |
DPA request flow
One path from intake to signature.
- Submit the request at /dpa or email legal@alabobai.com.
- We confirm intake within 1 business day and route to legal/security.
- We provide the current DPA template and subprocessors list for review.
- Redlines are reviewed with enterprise stakeholders and resolved in writing.
- Final signature can be completed before production data onboarding.
Security contact and incident policy
Operational commitments written plainly.
- Primary channel: security@alabobai.com
- Initial acknowledgement SLA: within 24 hours on business days
- High-severity security reports: triage begins immediately after validation
- Status updates: at least every 24 hours for active high-severity incidents
- Confirmed incidents affecting customer data are disclosed without undue delay.
- Target initial customer notice window: within 72 hours of confirmation when legally required.
- Disclosure includes impact scope, affected data classes, mitigation, and next updates.
- Post-incident review and corrective actions are documented and tracked to completion.
Subprocessors
Vendors supporting the platform stack.
| Vendor | Purpose | Region |
|---|---|---|
| OpenAI | LLM inference for enabled cloud AI workflows | US (provider-managed) |
| Google Cloud Platform | Application hosting and infrastructure services | US primary region |
| Supabase | Managed Postgres, auth support, and storage | US primary region |
| Upstash | Rate limiting and cache services | US (provider-managed) |
Resources
Need the procurement pack, legal path, or security review?
Start with the DPA, privacy policy, terms, and direct legal or security contact paths below. If you need a rollout review, use the sales path and we will route it to the right team.