Note regarding LLM Providers: We utilize OpenAI models for our Large Language Model capabilities.

Last Updated: February 2026

At AI Factory Labs, security is not an afterthought—it is the foundation of our “SafeAI” architecture. We serve regulated industries (Aviation, Finance, Healthcare) where data integrity and isolation are paramount.

This document outlines the technical and organizational measures we implement to protect your data.

This Privacy Policy explains how AI Factory Labs Ltd (“we”, “us”, “our”) collects, uses, and protects your data when you use our website (aifactorylabs.io) and our suite of AI agents (e.g., AirSafeAI, AMLSafeAI, SEAT).

1. Infrastructure & Cloud Security

1.1 Hosting Providers

Our platform is hosted entirely on the Google Cloud Platform (GCP), a Tier-1 cloud provider with industry-leading compliance certifications (ISO 27001, SOC 2 Type II, FedRAMP).

Primary Region: europe-west2 (London).

Failover Region: A geographically separate, compliant European region (e.g., europe-west1 Belgium) for disaster recovery.

1.2 Network Security

DDoS Protection: We utilize Google Cloud Armor to mitigate volumetric and application-layer attacks.

Firewalls: All traffic passes through a Web Application Firewall (WAF) configured with OWASP Top 10 protection rules.

VPC Isolation: Application logic and database layers reside in private Google Virtual Private Cloud (VPC) subnets, inaccessible directly from the public internet.

2. Data Encryption

We employ a “Defense in Depth” approach to cryptography.

2.1 Encryption in Transit

All data transmitted between your browser/API client and our servers is encrypted using TLS 1.3 (Transport Layer Security). We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.

2.2 Encryption at Rest

Databases: All Customer Data (including Vector Indices) is encrypted at rest using AES-256.

Key Management: Encryption keys are managed via Google Cloud Key Management Service (Cloud KMS), with strict rotation policies.

3. Data Segregation (The "SafeAI" Guarantee)

To prevent “Cross-Tenant Data Leakage” (where Client A’s AI accidentally accesses Client B’s files), we implement strict logical isolation:

Vector Database Isolation: Each client is assigned a unique namespace within our Vector Database (Pinecone/Weaviate). Queries are scoped strictly to the authenticated tenant’s namespace at the API level.

Ephemeral Processing: For transient agents (e.g., Textscanr), data is processed in ephemeral containers that are destroyed immediately after the session ends.

4. Application Security

4.1 Authentication

MFA: Multi-Factor Authentication is enforced for all administrative access to our production environment.

SSO: Enterprise clients can request Single Sign-On (SSO) integration (SAML 2.0 / OIDC) to manage access via their own Identity Providers (e.g., Okta, Google Workspace identity, Entra ID).

4.2 Vulnerability Management

Code Scanning: We use automated Static Application Security Testing (SAST) in our CI/CD pipelines to catch vulnerabilities before code is deployed.

Dependency Scanning: We monitor third-party libraries (Python/JavaScript packages) for known CVEs using automated tools (e.g., GitHub Dependabot).

5. Operational Security

5.1 Access Control (RBAC)

Access to production data is restricted to a small team of authorized Senior Engineers on a “Need-to-Know” basis utilizing GCP Identity and Access Management (IAM).

Audit Logs: All access to backend infrastructure is logged using Google Cloud Logging and retained for 90 days for audit purposes.

No Standing Access: We use “Just-in-Time” (JIT) access protocols for production maintenance.

5.2 Personnel Security

Background Checks: All employees with access to critical infrastructure undergo background checks.

Training: All staff receive mandatory security and data privacy training upon hire and annually thereafter.

6. Incident Response

We maintain a formal Incident Response Plan (IRP) that includes:

Detection: Real-time monitoring of infrastructure and API anomalies using Google Cloud Monitoring.

Containment: Immediate isolation of affected systems.

Notification: In the event of a confirmed data breach, we will notify affected customers within 72 hours, in compliance with GDPR Art. 33.

7. Compliance Certifications

While AI Factory Labs is a proprietary software vendor, our underlying infrastructure partners are fully certified:

Google Cloud Platform (GCP): ISO 27001, SOC 2 Type II, HIPAA, GDPR compliant.

OpenAI (LLM Partner): SOC 2 Type II compliant.

8. Vulnerability Disclosure

If you believe you have found a security vulnerability in our platform, please disclose it responsibly by emailing [email protected]. We appreciate your help in keeping our platform safe.
