Trust & Security Center

Last updated: June 2026

Sevenfold is built for businesses that handle real customer relationships and sensitive communications. Security and privacy are not features — they are the foundation everything else sits on. This page outlines the controls, certifications, and commitments we maintain to keep your data safe.

CASA Tier 2 Security Assessment

Sevenfold has completed an independent CASA (Cloud Application Security Assessment) Tier 2 evaluation, audited against the OWASP Application Security Verification Standard (ASVS). All 14 security categories were independently assessed and passed.

Security CategoryStatus
Architecture, Design and Threat Modelling✓ Passed
Authentication✓ Passed
Session Management✓ Passed
Access Control✓ Passed
Validation, Sanitization and Encoding✓ Passed
Stored Cryptography✓ Passed
Error Handling and Logging✓ Passed
Data Protection✓ Passed
Communication Security✓ Passed
Malicious Code✓ Passed
Business Logic✓ Passed
Files and Resources✓ Passed
API and Web Service Security✓ Passed
Configuration Verification✓ Passed

Compliance

Sevenfold operates in alignment with the following frameworks and regulations.

FrameworkScope
Australian Privacy Act 1988Governing collection, use and disclosure of personal information in Australia
GDPREU data subjects — including EU Standard Contractual Clauses where applicable
CCPA / CPRACalifornia residents — operating as a compliant service provider
PCI DSSPayment card data handled exclusively through Stripe, a Level 1 PCI DSS certified provider
Google API Limited UseCompliance with Google’s API User Data Policy for any Google Workspace integrations

Security Controls

Encryption All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256. Encryption keys are managed separately from encrypted content and rotated on a regular schedule. OAuth tokens are encrypted independently from customer content.

Infrastructure Sevenfold uses an established cloud infrastructure platform that maintains SOC 2 Type II and SOC 3 compliance. Data is encrypted in transit and at rest, and Sevenfold applies application-level security controls to protect customer data. The underlying provider maintains physical security controls, 24/7 facility monitoring, and redundant power and connectivity across its data centres.

Workspace Isolation Every customer workspace is fully isolated at the application, database, and storage layers. Your data is inaccessible to other customers — there is no shared data environment across accounts.

Access Controls Internal access to Sevenfold systems follows least-privilege principles, enforced with multi-factor authentication across all team members. All access is logged and reviewed on a regular basis.

Monitoring Sevenfold systems are monitored continuously. Automated anomaly detection alerts our engineering and security teams to unusual activity. All system events are logged and retained for investigation purposes.

Penetration Testing We conduct annual third-party penetration testing across the full platform. Critical vulnerabilities are remediated within 24 hours of discovery. A testing summary is available on request.

AI and Data

CommitmentStatus
Customer data used to train Sevenfold modelsNever
Customer data shared with third-party AI providers for trainingNever
AI inference providersAnthropic, OpenAI
Inference data used for model improvement by providersNot permitted under our agreements
Customer approval required for outbound actionsYes — configurable per workflow

Your content, communications, configurations, and AI interaction records are never used to train or improve any AI model. AI inference is routed exclusively through Anthropic and OpenAI under strict data processing agreements that prohibit use of submitted data for model training.

Subprocessors

All subprocessors are bound by confidentiality and data protection obligations consistent with our commitments to you.

ProviderPurpose
Cloud infrastructure platformCloud infrastructure and hosting (SOC 2 Type II / SOC 3)
AnthropicAI inference
OpenAIAI inference
StripePayment processing (PCI DSS Level 1)
SentryError monitoring and diagnostics
MixpanelProduct analytics

For an up-to-date subprocessor list or to request advance notification of changes, contact privacy@sevenfoldai.com.

Data Retention and Deletion

EventOutcome
Active subscriptionData retained and accessible
Subscription cancelledData retained for 30 days for export or reinstatement
30 days after cancellationAll data permanently deleted from systems and backups
Manual deletion requestActioned within 7 business days

Incident Response

In the event of a confirmed security incident, we commit to notifying affected customers within 72 hours where required by applicable law, providing clear information about what happened, what data was affected, and the steps being taken. A post-incident report is available upon request.

Frequently Asked Questions

Where is my data stored? Customer data is stored with an established cloud infrastructure provider that maintains SOC 2 Type II and SOC 3 compliance. Data is encrypted in transit and at rest and protected with application-level security controls.

Is my data used to train AI models? No. Your data is never used to train or improve any AI model. This applies to all content, communications, and AI interaction records.

Is each customer’s data kept separate? Yes. Workspaces are fully isolated at the application, database, and storage layers. There is no shared data environment between customers.

What happens to my data when I cancel? Your data is retained for 30 days after cancellation for export or reinstatement, then permanently deleted from all systems and backups.

Can I request a copy of your security documentation? Yes. Contact security@sevenfoldai.com to request our CASA validation letter, penetration test summary, or subprocessor list.

How do you handle Google Workspace data? Where you authorise Sevenfold to connect to Google services, we access only the data required for the specific functions you enable. We comply with Google’s Limited Use requirements and do not use Google data for advertising or AI model development.

Reporting a Vulnerability

If you discover a potential security vulnerability in Sevenfold, please report it responsibly before public disclosure. We commit to acknowledging your report within 2 business days and will not pursue legal action against researchers acting in good faith.

Report to: security@sevenfoldai.com

Resources

Contact

For security-related queries, contact security@sevenfoldai.com