Security

How we handle your data.

This page is maintained by the Attribufi team to answer common security and privacy questions about the platform. It describes controls that are enabled today, not certifications we do not hold.

Tenant isolation

Workspace-scoped, row-level.

Every customer runs in a dedicated workspace. Database access is scoped with row-level security so one workspace cannot read another workspace's data, even by accident. Application-level checks enforce the same boundary at the API layer.

Encryption

In transit and at rest.

All traffic to and from Attribufi is served over HTTPS. Data at rest is encrypted by our infrastructure providers. Secrets are stored in a managed secret store, never in application source or logs.

Authentication

Email + Google, MFA in progress.

Attribufi supports email and Google sign-in today. Multi-factor authentication and SSO are on the roadmap for the enterprise tier. If MFA or SSO is a procurement requirement, tell us on the contact page.

Subprocessors

Who we share data with.

We use a small number of infrastructure and AI provider subprocessors to run measurement and reporting. If you need the current list for a security review, request it via security@attribufi.com.

Retention

Configurable at the workspace.

Raw prompt outputs are retained for as long as your workspace is active. Aggregated metrics are retained for trend reporting. On workspace deletion, we delete customer data within 30 days.

Responsible disclosure

Report a vulnerability.

If you believe you have found a security issue, email security@attribufi.com. We acknowledge reports within two business days and will keep you updated as we investigate.