Security
Last updated: May 27, 2026
Security is not a feature we bolt on. It is a posture we hold. This page describes how we protect your data at AIKON and how we run GAIA SQUAD safely on your behalf. The language is intentionally accessible — we want everyone on your team to be able to read it, not just your IT person.
Our security principles
Three commitments underwrite everything below.
- Your source of truth stays yours. We never copy your originals onto our systems. Slack and Google Workspace remain your systems of record. We only hold derived artifacts our digital teammates need to do their work.
- OAuth account isolation. Our teammates use their own Google Workspace accounts under your organization, never yours. They can read what you share with them; they cannot accidentally write back to or share from your account.
- No data sale, no AI training on your content. We do not sell your data, share it with advertisers, or use it to train AI models — ours, our partners', or anyone else's.
Data protection
Encryption in transit. All communication between you, our service, and our subprocessors uses TLS 1.2 or higher. We do not accept unencrypted connections.
Encryption at rest. Customer data is encrypted at rest using industry-standard algorithms. Backup snapshots are also encrypted.
Account isolation. Each customer organization's data is logically isolated from every other customer's data. AIKON staff cannot browse customer data without an explicit, logged access event tied to a support or security investigation.
Infrastructure
Hosting. We run on trusted cloud infrastructure providers that maintain industry-standard physical security, redundancy, and compliance certifications (such as SOC 2 and ISO 27001). The specific providers and regions we use are described in our subprocessor list, available on request.
Redundancy. Customer data is replicated across multiple availability zones for durability. We perform regular backups and test restoration on a recurring schedule.
Patching. We track security advisories from our infrastructure and software providers and apply patches promptly. Critical-severity patches are applied within days.
Access controls
Staff access. AIKON staff access to customer data is restricted to the minimum required for support, troubleshooting, security investigation, or compliance with law. Every access event is logged.
Authentication. Internal access to production systems requires strong authentication, including multi-factor authentication for sensitive systems.
Onboarding and offboarding. Access is granted by role and revoked promptly when an employee changes roles or leaves AIKON.
How our digital teammates handle your data
Tara and other Squad members operate within boundaries you control:
- Slack. They access only the channels you invite them into. If you remove them from a channel, they lose access immediately.
- Google Workspace. They use their own accounts under your organization. They can read what you share with them and write to documents you grant them edit access to. They never write back through your account.
- Email. Tara has her own email address and corresponds only with people inside your organization. She does not email external parties.
- Memory. They keep working artifacts (search indexes, summaries, conversation history) only as long as you remain a customer. On departure, all are erased within 30 days.
How AI agents access (and don't access) your data
This is one of our most important architectural commitments.
Our AI agents are not in the data-access path. When Tara or another Squad member needs information, the GAIA platform retrieves it through standard, deterministic application code — the same kind that has powered secure SaaS for two decades. The AI sees data only after the platform has decided what it is allowed to see.
In practical terms:
- Access decisions are deterministic, not AI-generated. Which Slack channels, which Google Workspace documents, which past conversations are in scope for a request — the platform computes that using tenant isolation, user-level permissions, and OAuth-scoped credentials. The AI does not construct queries or interpret access-control logic.
- Inputs are sanitized before the AI sees them. Data passed to the AI is validated and scoped to the requesting user's permissions at the application layer. The AI cannot ask for everything because the platform never offers that as a choice.
- Industry-standard practices below the AI layer. Tenant isolation, role-based access controls, least privilege, parameterized queries, audit logging — applied consistently before any AI involvement.
- Hallucinations cannot cause data breaches. Even if an AI agent generates output asking for data it should not see, the platform layer does not interpret AI-generated instructions for access. It computes what is permitted from the request context, regardless of what the AI says.
The AI thinks; the platform decides what it gets to think about.
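The separation described above, as an added illustration (example code, not GAIA SQUAD's own platform code): the permitted scope is computed solely from the authenticated request context, and the identifiers the AI asks for can only narrow that scope, never widen it. The tenants, users, documents, channels and the `drive.readonly` scope name are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RequestContext:
    """Facts the platform establishes before any AI is involved."""
    tenant: str                  # organization the request came from
    user: str                    # authenticated human asking the teammate
    invited_channels: frozenset  # Slack channels the teammate was invited into
    oauth_scopes: frozenset      # scopes granted to the teammate's own account

# Constructed sample stores, keyed by (tenant, id). Not real customer data.
DOCS = {
    ("acme", "d1"): {"readers": {"alice", "bob"}, "text": "Acme PTO policy"},
    ("acme", "d2"): {"readers": {"bob"}, "text": "Acme payroll notes"},
    ("globex", "d9"): {"readers": {"alice"}, "text": "Globex handbook"},
}
CHANNELS = {
    ("acme", "hr-general"): ["Welcome to the team!"],
    ("acme", "exec-private"): ["Q3 restructuring draft"],
}

def permitted_scope(ctx):
    """Deterministic: tenant match, reader ACL, OAuth scope, channel invitation.
    Nothing the AI generates is an input to this function."""
    docs = frozenset()
    if "drive.readonly" in ctx.oauth_scopes:   # assumed scope name
        docs = frozenset(d for (t, d), rec in DOCS.items()
                         if t == ctx.tenant and ctx.user in rec["readers"])
    channels = frozenset(c for (t, c) in CHANNELS
                         if t == ctx.tenant and c in ctx.invited_channels)
    return docs, channels

def retrieve(ctx, ai_request):
    """Serve the intersection of what the AI asked for and what ctx permits.
    ai_request is model output: it can narrow the result, never widen it."""
    docs_ok, chans_ok = permitted_scope(ctx)
    served = {"docs": [], "channels": []}
    denied = []
    for d in ai_request.get("docs", []):
        if d in docs_ok:
            served["docs"].append(DOCS[(ctx.tenant, d)]["text"])
        else:
            denied.append(("doc", d))        # would be written to the audit log
    for c in ai_request.get("channels", []):
        if c in chans_ok:
            served["channels"].extend(CHANNELS[(ctx.tenant, c)])
        else:
            denied.append(("channel", c))
    return served, denied
```

In the run below, "d9" is denied even though the user is listed as a reader, because it belongs to another tenant; an AI request for a channel the teammate was never invited into is denied the same way.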
Subprocessors
We use a small set of trusted third parties to host infrastructure, deliver AI capabilities, and run our business. Every subprocessor operates under a written agreement that:
- Prohibits use of your data for the subprocessor's own purposes.
- Prohibits training of AI models on your content.
- Requires the subprocessor to maintain security and confidentiality standards comparable to ours.
We review our subprocessor relationships regularly. The current list is available on request — write to info@gaiasquad.com.
Vulnerability management and incident response
Monitoring. We monitor our systems continuously for unusual activity, errors, and signs of compromise.
Vulnerability reports. If you believe you have found a security issue, please write to info@gaiasquad.com with the subject line Security report. We will acknowledge receipt within 2 business days and work with you in good faith to validate and address the issue. We do not take legal action against researchers who follow responsible disclosure practices.
Incident response. If a confidentiality incident occurs that presents a risk of serious harm to our customers, we will:
- Investigate and contain the incident promptly.
- Notify affected customers directly with the information they need to assess the impact, as required by Quebec's Law 25 and applicable laws.
- Notify the Commission d'accès à l'information du Québec (CAI) when required.
- Document the incident and take corrective action to prevent recurrence.
AI safety considerations
GAIA SQUAD is operated by AI digital teammates. We take additional precautions:
- Grounded outputs. Our teammates draw on your team's own knowledge and on curated sources of HR expertise, not on the open internet. We provide citation links where applicable.
- Human in the loop. AI outputs are suggestions for human decision-makers, not autonomous decisions affecting employees. You review before anything takes effect.
- No training on your content. Period.
- Right to human review. If you believe an AI output materially affected you, you can request human review (see our Privacy Policy).
Our acknowledgment
Perfect security does not exist. We will not pretend otherwise. What we commit to is:
- Holding ourselves to the principles above.
- Telling you the truth when something goes wrong.
- Improving continuously as our understanding and the threat landscape evolve.
Contact
For security questions, vulnerability reports, or incident inquiries, write to info@gaiasquad.com with a clear subject line. We read every message.