Trust Center

Procurement-grade control for the Digital Production System.

Alabobai keeps trust conservative and explicit: no unearned certifications, no vague claims, no hidden vendor story. This page holds the evidence, response expectations, subprocessors, and procurement paths in one place.

Contact sales Review controls

No unearned certifications. Evidence available on request.

Procurement snapshot

Status locked

Certification posture

No false claims

External certifications are not represented unless complete evidence exists.

Response window

1 business day

Security inquiries are acknowledged within 1 business day.

DPA path

/dpa

Request intake, review, redlines, and final signature are documented.

Contacts

security + legal

Procurement and security contacts are available in one place.

Production receipts

Artifact-backed proof of what changed.

Receipts capture shipped changes, verification results, remaining risks, and the next target. Trust stays tied to artifacts, not vague claims.

Receipt not found in this build. Open /receipts for the latest proof artifact.

Open full receipt Read the mandate

What this page is

A procurement pack, not a marketing page.

No unearned certifications or attestations
Subprocessors listed plainly
DPA path documented end-to-end
Incident response expectations stated as operating policy

Clear boundaries, verifiable commitments, and procurement-ready proof.

This page is intentionally conservative. It exists to help legal, security, procurement, and operators review the platform without hunting across multiple pages for basic answers.

Evidence first

We do not claim certifications, attestations, or controls we do not have. Status is stated plainly.

Procurement ready

Security review, DPA flow, subprocessors, and contact paths live on one page for faster evaluation.

Least privilege

Subprocessors and infrastructure exist to operate the platform, not to widen the data surface by default.

Clear response windows

Business-day acknowledgement and incident update expectations are written as operating policy, not marketing copy.

Certification status

Current posture, stated without exaggeration.

Program	Status	Notes
External certifications	None issued	We do not represent any certification, attestation, or audit report as complete unless it is complete.
Independent security review	Available by request	Security posture can be reviewed with enterprise buyers without implying a completed external certification.
Data processing review	Available by request	DPA, subprocessors, and processing boundaries are reviewed before production data onboarding.

DPA request flow

One path from intake to signature.

Submit the request at /dpa or email legal@alabobai.com.
We confirm intake within 1 business day and route to legal/security.
We provide the current DPA template and subprocessors list for review.
Redlines are reviewed with enterprise stakeholders and resolved in writing.
Final signature can be completed before production data onboarding.

Security contact and incident policy

Operational commitments written plainly.

Primary channel: security@alabobai.com
Initial acknowledgement SLA: within 1 business day
High-severity security reports: triage begins immediately after validation
Status updates: at least every 24 hours for active high-severity incidents

Confirmed incidents affecting customer data are disclosed without undue delay.
Target initial customer notice window: within 72 hours of confirmation when legally required.
Disclosure includes impact scope, affected data classes, mitigation, and next updates.
Post-incident review and corrective actions are documented and tracked to completion.

Subprocessors

Vendors supporting the platform stack.

Vendor	Purpose	Region
Vercel	Hosting, edge delivery, and server-side execution for the platform	Provider-managed (deployment configured)
Clerk	Authentication and user identity (required for account access)	Provider-managed
Supabase	Managed Postgres + storage for platform data persistence	Project-configured (typically US)
Upstash	Rate limiting and cache services	Provider-managed (region configured)
Paddle	Payments and subscription billing (only when purchasing a plan)	Provider-managed
Resend	Transactional email delivery (only when email workflows are enabled)	Provider-managed
OpenAI	LLM inference (only when cloud AI providers are enabled)	Provider-managed
Anthropic	LLM inference (only when cloud AI providers are enabled)	Provider-managed
Groq	LLM inference (only when cloud AI providers are enabled)	Provider-managed
Google AI	LLM inference + live token workflows (only when enabled)	Provider-managed
Tavily	Web search API (only when enabled)	Provider-managed
Qdrant	Vector memory store (optional; may be self-hosted)	Customer-controlled (deployment configured)
Browserbase	Remote browser execution (optional; used for server-side browsing and capture lanes)	Provider-managed
E2B	Cloud code sandbox execution (optional; used when configured)	Provider-managed

Resources

Need the procurement pack, legal path, or security review?

Start with the DPA, privacy policy, terms, and direct legal or security contact paths below. If you need a rollout review, use the sales path and we will route it to the right team.

Latest production receipt (/receipts)Data Processing Addendum (DPA)Privacy Policy Terms of Service Security contact: security@alabobai.com Legal contact: legal@alabobai.com

Contact sales Email security