Trust

How Airlock handles security, data, and shared responsibility.

About this page

This page is maintained by the Airlock team to answer common security and privacy questions. It describes current, app-visible controls — not an independent certification.

Authentication & access

  • Email and password sign-in with password reset via email.
  • Optional Google sign-in.
  • Role-based access control inside each organization (owner, admin, developer, approver, auditor).
  • Row-level security is enforced on every tenant-scoped table.

Platform & hosting

Airlock runs on a managed cloud platform (managed Postgres, managed auth, edge-served application code). Backups and infrastructure hardening are provided by the underlying platform. This is not a certification.

Data we collect

  • Account data: name, email, and optional profile fields you provide.
  • Application configuration: applications, API key metadata (never the plaintext key after issuance), and policies.
  • Gateway usage: request metadata (timestamps, request/correlation IDs, decisions, policy version).
  • Raw prompts and responses are persisted only when the matching policy sets audit_mode to 'redacted' or 'full', per your configuration.

Sensitive data handling

  • Built-in detectors: email, phone, SSN, credit card (Luhn-validated), and org-defined custom regex.
  • Detected values can be redacted, flagged with a warning, blocked, or routed for human approval, depending on the active policy.
  • Raw sensitive values are never persisted unless the policy's audit_mode is set to 'full'.

Subprocessors

Airlock routes requests to the AI providers you configure (OpenAI at MVP). Additional subprocessors used to operate the service are listed on request — email support@KinetIQ.com.

Retention & deletion

Audit retention varies by plan. You can request account deletion at any time; deletion removes your organizations, applications, policies, keys, and audit events, subject to any legal hold.

Incident & security contact

Report a suspected security issue to support@KinetIQ.com. We acknowledge reports on receipt and coordinate remediation with the reporter.

Shared responsibility

Airlock provides governance primitives — policies, detectors, approvals, and audit. You are responsible for configuring policies that match your regulatory and business obligations, keeping API keys secret, and reviewing audit output. Your end users are governed by your own terms.

Compliance

Airlock does not currently advertise formal compliance certifications. Contact support@KinetIQ.com to discuss your specific requirements.