Introduction

Respell makes it easy to use AI in your work life. Our drag-and-drop workflow builder can automate a tedious process in minutes, allowing you to build AI workflows without code, powered by the latest AI models. It’s like magic. From individuals to businesses, everyone can use it.

We’re committed to keeping your data safe and secure. Our vigilant approach guarantees that your information remains confidential, while our adherence to regulations ensures the highest ethical standards.

Within this document, you’ll gain insights into our security controls and compliance practices.


Information Security Framework

We’ve taken a robust approach to ensure the security of your data, and our commitment is underscored by our adherence to the SOC 2 Type 2 framework. SOC 2 evaluates an organization’s controls over security, availability, processing integrity, confidentiality, and privacy of customer data.

Our systems and processes are regularly audited by independent professionals to ensure they meet the highest security standards.


Data Protection and Privacy

Customer Data Access

  • Customer data is stored and encrypted at rest on our production database in Google Cloud Platform (GCP).
  • Confidential Customer Data is not used or stored in non-production systems/environments.
  • Automatic vulnerability scanning is set up on GCP and GitHub.
  • Only lead engineers have access to production.
  • Event logging is monitored to track who is accessing the production database.

Data Retention and Destruction

Data is retained as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners may determine retention periods for their data.

Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.

Retention periods are documented in Respell’s Data Management Policy.

Encryption

Customer data is encrypted in the PostgreSQL database in accordance with Respell’s Cryptography Policy.

Key Management

Access to keys and secrets shall be tightly controlled in accordance with the Access Control Policy.

The following table lists the required key type, algorithm and key length for each domain in which cryptographic keys are used:

Domain                     | Key Type                        | Algorithm                                        | Key Length
Web Certificate            | RSA or ECC with SHA2+ signature | RSA or ECC with SHA2+ signature                  | 2048 bit or greater (RSA), 256 bit or greater (ECC)
Web Cipher (TLS)           | Asymmetric Encryption           | Ciphers of B or greater grade on SSL Labs Rating | Varies
Confidential Data at Rest  | Symmetric Encryption            | AES                                              | 256 bit
Passwords                  | One-way Hash                    | Bcrypt, PBKDF2, scrypt, or Argon2                | 256 bit+, 10K stretch; include unique cryptographic salt + pepper
Endpoint Storage (SSD/HDD) | Symmetric Encryption            | AES                                              | 128 or 256 bit
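As an added example (not Respell’s own code), the Passwords row of the table implemented with Python’s standard library: a one-way KDF (PBKDF2-HMAC-SHA256), a 256-bit output, 10,000 stretching iterations, a random per-password salt and a server-side pepper. The pepper value and the stored record format are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Policy parameters from the key-usage table: one-way hash, 256-bit output,
# 10K stretch, unique salt plus pepper.
KDF_HASH = "sha256"
KEY_LEN = 32          # 256 bits
ITERATIONS = 10_000   # "10K stretch"
SALT_LEN = 16

# Constructed pepper for this example. In a real deployment it is held in a
# secrets manager, never stored in the database beside the salted hashes.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _pepper(password: str) -> bytes:
    # Mix the pepper in with HMAC so a copy of the database alone is not
    # enough to verify guesses against the stored hashes.
    return hmac.new(PEPPER, password.encode("utf-8"), "sha256").digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(KDF_HASH, _pepper(password), salt, ITERATIONS, KEY_LEN)
    # Self-describing record (constructed format) so the iteration count can
    # be raised later without breaking verification of older records.
    return f"pbkdf2_{KDF_HASH}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        algo = scheme.removeprefix("pbkdf2_")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record
    candidate = hashlib.pbkdf2_hmac(algo, _pepper(password), salt, int(iters), len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def needs_rehash(record: str) -> bool:
    # Flag records whose stretch count is below the current policy minimum.
    try:
        _, iters, _, _ = record.split("$")
    except ValueError:
        return True
    return int(iters) < ITERATIONS
```

Call needs_rehash at login time and re-run hash_password on the verified password so old records are upgraded whenever ITERATIONS is raised.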

Network Security

Application Security

  • Code Reviews and Audits: We conduct audits by experienced security professionals to identify and address vulnerabilities and weak points in the Respell platform codebase.
  • Vulnerability Assessments: Automatic vulnerability scanning is set up on GCP and GitHub.
  • Authentication and Authorization: Authentication mechanisms are in place to ensure that only authorized users can access specific functionalities and data, including making changes to production data.
  • Deployment Access: Specific engineers have access to deploy changes in the production database. No single user can push changes; a second verification is required.
  • Least Privilege Principle: Granting users and components only the minimum permissions required for their specific roles and functionalities.
  • Error Handling: Error-handling mechanisms are in place to avoid disclosing sensitive information to potential attackers in error messages.
  • Auditing and Logging: Thorough auditing and logging mechanisms are in place in GCP to monitor and track user activities for potential security breaches.

Employee Training and Awareness

All employees must complete a Security Awareness Training course and be onboarded onto Respell’s best practices for securely handling data and accessing company applications.


Platform

Compliant Models

The following models on our platform are compliant:

  • Azure GPT-3.5 Turbo 16k
  • Azure GPT-4 32k
  • Azure GPT-4 8k

No user data that is input to or output from these models is sent to OpenAI or other model providers to be stored or used for training.

Find more detailed information on Azure’s privacy and security here.

Explore Page

We manually approve every single spell before it is made public, examining it for accuracy, relevance, security, and overall quality. Once a spell has been approved, it will appear on our Explore page for anyone to see or use.

For more in-depth information regarding compliance, please contact the Respell team: hello@respell.ai.