Skip to main content

Command AI security overview

Command AI takes security seriously. A lot of companies say that. We prefer to back it up with our actions and clear communication about our policies to let you assess how seriously we take security.

The summary

For those looking for reassurance that Command AI is a secure, enterprise-grade option:

  • We are trusted by public companies with millions of end users.
  • We are SOC 2 Type 2, HIPAA, and GDPR certified to the most stringent standards.
  • We offer a number of options to tune Command AI to your company’s security and availability posture.

For more details, check out our Security Dashboard.

How to break down Command AI’s security posture

We think of Command AI’s security in the following buckets.

Application security

Preventing unauthorized parties from accessing Command AI and our customer data. This includes external parties and internal parties (most breaches in 2023 begin with a compromised internal party).

The easiest way for us to communicate our commitment to application security is with our certification.

  • We are SOC 2 Type 2 compliant, certified for security. Enterprise customers can request a copy of our compliance report.
  • We are HIPPA compliant, so customers who process personal health information (PHI) of patients can safely use Command AI without risking their own security status.

For further detail, here are some practices we maintain to ensure Application security.:

  • Force all API transactions to use HTTPS, so all data-in-transit is encrypted using TLS
  • Encrypt all data at-rest
  • Host all of our servers and databases in the US in facilities that are SOC 2 and ISO 27001 certified
  • Maintain detailed audit logs of internal systems
  • Regularly conduct external penetration tests from third-party vendors (Command AI Enterprise customer can also request our results, which we're proud of)
  • Regularly conduct security awareness training sessions with all employees
  • Maintain detailed audit logs of all internal systems.
  • Have a responsible disclosure program, in order to work with security researchers when they identify potential security vulnerabilities. We guarantee a response to all legitimate reports within 5 days from submission. This allows us to ensure any vulnerabilities that do arise are reported and dealt with prompty.

Availability

As a cloud service, we must be available for our both our customers (to log into their Command AI Dashboard and make changes) and their end users (to ensure they reliably have access to Command AI experiences).

We’re proud of our availability record, which you can view here. Customers who prefer to manage their own availability can self-host using the features available on our Enterprise Tier.

Most companies who report SOC 2 compliance are only certified for Security, but we have gone the extra mile to also obtain certification for Availability (in addition to Privacy, which is also non-standard), which means we take extra precautions to ensure we maintain our availability record in the future. For details, Enterprise customers can request our SOC 2 report (which covers Security, Availability, and Privacy).

Privacy (end user data)

Command AI generates data from end users interacting with our experiences and your application, and makes this data available to our customers, so you can fine-tune your Command AI configuration and better understand user behavior overall.

We offer several dials to control the flow of end-user data.

  • Our Growth tier includes the option to specify data fields that should be removed from analytics events.
  • Our Enterprise tier includes the option to turn of all logging to Command AI’s servers entirely. Data can still be sent to a custom destination (like an internal data lake or CDP).

Regardless of configuration, Command AI is compliant with GDPR.

Most companies who report SOC 2 compliance are only certified for Security, but we have gone the extra mile to also obtain certification for Privacy (in addition to Availability, which is also non-standard). For details, Enterprise customers can request our SOC 2 report (which covers Security, Availability, and Privacy).