Trust
What Adalyst does today to protect customer data. The agreements we sign. The sub-processors we engage. How we communicate when something goes wrong.
Adalyst connects to every advertising and CRM platform through official OAuth. Access and refresh tokens are encrypted at rest and rotated through provider refresh flows.
Ad platform data, CRM records, and account-level metadata are tenanted per organisation. Access inside an organisation is scoped by role.
Single sign-on through Google and Microsoft is available on every plan. Sessions use signed, HTTP-only cookies. Audit logs record every authentication and privileged action.
Adalyst uses row-level tenancy: every record carries an organisation ID and every API read and write enforces organisation scope server-side. Session cookies are signed and HTTP-only.
TLS 1.2+ in transit. AES-256 at rest. Per-workspace encryption keys. Tokens and audit content are encrypted with the workspace's own key, separated from other customers.
Every LLM call made on a workspace's behalf is logged with metadata (model, provider, token counts, duration, outcome). Prompt and response bodies are stored encrypted with the workspace's own data-encryption key, subject to a configurable retention window. Outbound prompts are scanned for sensitive-content patterns before transmission. Workspace admins and audit-viewers can review the full history.
Infrastructure is hosted on reputable cloud providers. We process data under the UK GDPR and the EU GDPR. Standard Contractual Clauses cover any data transfers to jurisdictions outside the EEA or the UK, and we apply supplementary technical measures where appropriate.
Workspaces can configure retention up to 7 years. Deletion is permanent and irreversible after a 30-day grace window. Full data export is available on request.
Adalyst engages a short list of third parties to host, secure, deliver, and operate the Service. We publish the live list — purpose, data categories, processing region, and DPA link per vendor — so your security team can track it in their own vendor-management system.
Workspace admins can opt in to email notifications when the list changes, at Settings → Organisation. A machine-readable version is served at GET /api/public/sub-processors.
We commit to notifying affected workspace admins within 72 hours of confirmation of a notifiable security incident, via email to the administrator addresses on file. Notices include the severity assessment, time of detection, a summary of what we know, and — where available — a link to a public write-up.
Notice is sent regardless of communication preferences.
Contact: security@adalyst.app.
Email security@adalyst.app with reproduction steps, affected endpoint or flow, and any relevant request/response pairs. Full policy at /.well-known/security.txt.
Does your security or procurement team need documentation, a DPIA, or a standard assessment walk-through? We respond within one business day.