1. Security Overview
Athena is built for organisations that take data security seriously. This page provides a technical overview of the security measures, architecture, and compliance commitments that protect your data.
2. Security at a Glance
| Control | Summary |
|---|---|
| Encryption in Transit | TLS 1.3 on all connections |
| Encryption at Rest | AES-256 for all stored data (database, files, backups) |
| Data Isolation | Row-Level Security (RLS) - complete logical separation between organisations |
| Authentication | Email/password with optional TOTP two-factor authentication |
| Session Security | Concurrent session detection with automatic termination and security alerts |
| Infrastructure | SOC 2 Type II certified database provider (Supabase on AWS) |
| AI Data Policy | Zero training - your data is never used to train AI models |
| Data Residency | Primary database in Ireland (EU); workflows in Germany (EU) |
| Compliance | UK GDPR, Data Protection Act 2018, ICO registered (ZC016874) |
| Breach Notification | 48 hours to affected customers; 72 hours to ICO where required |
3. Platform Architecture
Application Layer
- Frontend: Next.js application hosted on Vercel, served over HTTPS with automatic TLS certificate management.
- API Routes: Serverless functions handling all business logic, with authentication checks on every request.
- Mobile: Native mobile application for iOS and Android.
Data Layer
- Database: PostgreSQL on Supabase (SOC 2 Type II certified), hosted on AWS eu-west-1 (Ireland). All data encrypted at rest with AES-256.
- File Storage: Supabase Storage (S3-compatible), encrypted at rest, with signed URLs for secure access.
- Vector Search: pgvector extension within the same PostgreSQL instance - embeddings never leave the database infrastructure.
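For readers assessing the Row-Level Security claim above, the following is an added illustrative example of how per-organisation isolation is expressed in PostgreSQL; it is not Athena's own schema or policy. The table name, the `org_id` JWT claim and the Supabase-style `authenticated` role are assumptions.

```sql
-- Added illustrative example (not Athena's own schema or policies): how
-- per-organisation isolation is expressed with PostgreSQL Row-Level Security.
-- Assumptions: a "documents" table with an org_id column, a Supabase-style
-- "authenticated" role, and an "org_id" claim in the session JWT exposed via
-- the request.jwt.claims setting. Table and claim name are hypothetical.

create table documents (
  id     bigint generated always as identity primary key,
  org_id uuid not null,
  title  text not null
);
grant select, insert, update, delete on documents to authenticated;

-- Constructed sample rows belonging to two different organisations.
insert into documents (org_id, title) values
  ('00000000-0000-0000-0000-000000000001', 'Org 1 contract'),
  ('00000000-0000-0000-0000-000000000002', 'Org 2 contract');

-- Reads the caller's organisation from the session JWT; NULL when absent,
-- so a session without the claim matches no rows at all.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb
          ->> 'org_id')::uuid
$$;

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
-- Superusers and roles with BYPASSRLS still bypass RLS, so the application
-- connection role must hold neither.
alter table documents enable row level security;
alter table documents force row level security;

-- Deny by default: with RLS enabled and no matching policy, no rows are visible.
-- USING filters reads/updates/deletes; WITH CHECK blocks writes into another org.
create policy org_isolation on documents
  for all to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Verification a reviewer can run: act as an authenticated session for org 1
-- and confirm only org 1's row is returned (org 2's row must never appear).
begin;
set local role authenticated;
set local request.jwt.claims = '{"org_id":"00000000-0000-0000-0000-000000000001"}';
select title from documents;
rollback;
```

A useful audit step is to list every table in the schema and confirm `relrowsecurity` and `relforcerowsecurity` are both true in `pg_class`, since a single table without a policy is a gap in the isolation boundary.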
Processing Layer
- Workflow Engine: n8n hosted on Elestio/Hetzner infrastructure in Germany (EU). Handles document processing, extraction, embedding generation, and integration synchronisation.
- AI Processing: API-only connections to Anthropic (Claude), Google (Gemini), OpenAI, and ElevenLabs. No data retention by providers.
4. AI Data Handling
This is the section most enterprise security teams focus on:
| Question | Answer |
|---|---|
| Is our data used to train AI models? | No. We use API-tier agreements with all AI providers, which prohibit input data from being used for model training. |
| Is our data retained by AI providers? | No. Data is processed in real time via API calls and is not retained beyond the request lifecycle. |
| Which AI providers do you use? | Anthropic (Claude), Google (Gemini), OpenAI, ElevenLabs. Full list in our Sub-Processor Register. |
| Is data encrypted when sent to AI providers? | Yes. All API calls are made over TLS 1.3. |
| Do you use consumer or API versions? | API (enterprise) versions only. Consumer terms (which may allow training) do not apply. |
| Does AI make automated decisions about people? | No. AI is used for document analysis and search assistance only. All outputs are for human review. |
5. Compliance and Certifications
Current
- UK GDPR Compliance: Full compliance with the UK General Data Protection Regulation and the Data Protection Act 2018. Guidance is overseen by the ICO.
- ICO Registration: Registration number ZC016874.
- Infrastructure Certifications: Our primary database provider (Supabase) holds SOC 2 Type II certification. See Supabase security and Vercel security.
- Payment Security: Payment processing is handled by Stripe, which is PCI DSS Level 1 certified.
Planned
- Cyber Essentials: Working toward Cyber Essentials certification.
- Penetration Testing: Independent penetration testing planned as part of our security maturity programme.
6. Incident Response
- Detection: Automated monitoring of infrastructure metrics, application error logging, and security event detection.
- Containment: Immediate assessment and containment of any identified threat.
- Notification: Affected customers notified within 48 hours. ICO notified within 72 hours where required.
- Remediation: Root cause analysis, system patching, and process improvement.
- Communication: Post-incident report provided to affected customers.
7. Audit Rights
Enterprise customers have audit rights as defined in our Data Processing Agreement. We can satisfy audit requirements by providing relevant third-party audit reports and certifications, answering detailed security questionnaires, allowing audits with 30 days’ notice, and sharing documentation of our security measures and policies.
8. Data Lifecycle
On Termination
Customer data is available for export in machine-readable format (JSON/CSV) for 30 days. After the export period, all data is securely deleted within 90 days, including database records, stored files, vector embeddings, and processing logs. Written confirmation of deletion is provided on request.
9. Legal Documentation
| Document | Purpose | Link |
|---|---|---|
| Privacy Policy | How Athena collects and uses personal data | /privacy |
| Terms of Service | Service agreement and usage terms | /terms |
| Data Processing Agreement | Article 28 UK GDPR processor obligations | /legal/dpa |
| Sub-Processor Register | All third parties processing customer data | /sub-processors |
| Cookie Policy | Cookies used on the website and app | /cookies |
| Acceptable Use Policy | Permitted and prohibited uses of the Service | /acceptable-use |
10. Responsible Disclosure
If you discover a security vulnerability in the Athena platform, please report it to lee@askathena-ai.co.uk. We will acknowledge receipt within 24 hours and will not take legal action against individuals who report vulnerabilities in good faith.
11. Questions?
If you have security questions, need to complete a vendor assessment, or would like to discuss any aspect of our security posture, please contact:
Lee Andrews
Founder & Director
Zeus AI Business Solutions Ltd (trading as Athena)
Email: lee@askathena-ai.co.uk
Website: askathena-ai.co.uk
