Trust Center

Security

Enterprise-grade protection, built in — not bolted on.

🔒

Encryption at Rest

All data is encrypted at rest using AES-256 via Google Cloud's default encryption. Database storage, file uploads, and backups are all covered.

🔐

Encryption in Transit

All connections use TLS 1.2+ encryption. API calls, file uploads, webhook callbacks, and browser sessions are all encrypted end-to-end.

🏗️

Infrastructure

Hosted on Google Cloud Platform (us-central1). Cloud Run for compute, Cloud SQL for PostgreSQL, with automatic scaling and redundancy.

👥

Access Control

Role-based access (Admin, User) with Google OAuth 2.0 authentication. Superadmin controls available for platform management. Session-based auth with secure tokens.

🧱

Data Isolation

Strict multi-tenant isolation. Each organization's data — documents, forms, chat history, embeddings — is completely separated at the database level. No cross-tenant access.

🛡️

Security Headers

OWASP-recommended security headers including Content Security Policy, X-Frame-Options, X-Content-Type-Options, HSTS, and referrer policy enforcement.

Compliance

Different industries, different requirements. We build the controls — you choose which frameworks apply to you.

All Customers

Schools & Education

Business & Enterprise

International / GDPR

Data Protection for Every Customer

Regardless of your industry, every Heartbeat AI customer benefits from:

Data Processing Agreement (DPA) — available for all customers, signed digitally before onboarding
Data ownership — you own your data. We never sell, share, or use customer data for training AI models
Deletion on request — request full data export or deletion at any time. We comply within 30 days
Incident response — data breach notification within 72 hours
Minimal data collection — we collect only what's necessary to provide the service
Secure sub-processors — all third-party services vetted for security compliance (see list below)

FERPA & COPPA — Student Data Protection

For K-12 schools, districts, and educational institutions:

FERPA alignment — Heartbeat AI acts as a "school official" with a "legitimate educational interest" under FERPA. We do not use education records for any purpose other than providing the contracted service.
COPPA considerations — Our platform is designed for use by school staff and administrators. If student-facing features are used for children under 13, schools must obtain parental consent as required by COPPA.
Student data protection — Student PII is never shared with third parties, never used for advertising, and never sold
Data Processing Agreement — Our DPA includes FERPA-specific provisions. Schools can sign it digitally before onboarding.
Data minimization — Schools choose what data to store. Our no-code forms let you collect only what you need.
Staff access controls — Role-based access ensures only authorized staff can view student data

Important note: FERPA compliance is a shared responsibility. Heartbeat AI provides the technical safeguards and contractual commitments. Schools are responsible for ensuring their use of the platform complies with their institutional policies and applicable law.

Business & Enterprise Security

For professional services, SMBs, and enterprise customers:

SOC 2 aligned controls — our infrastructure and practices follow SOC 2 Type II principles for security, availability, and confidentiality
Private containers — Enterprise customers can create private document containers with per-user access controls for sensitive data like contracts, HR files, or client records
Audit logging — all form submissions, document uploads, and administrative actions are logged with timestamps and user attribution
Digital signatures — legally binding e-signatures on contracts and agreements with full audit trail
Custom data retention — configure how long data is retained based on your industry requirements
API key security — AI provider API keys are encrypted server-side and never exposed to browsers

Sub-Processors

Third-party services that process data on our behalf. We notify customers before adding new sub-processors.

Service	Purpose	Data Processed	Location
Google Cloud Platform	Infrastructure (Cloud Run, Cloud SQL, Cloud Storage)	All platform data	US (us-central1)
Stripe	Payment processing	Billing info, payment method tokens	US
Google Gemini	AI language model (default)	Queries, document text for RAG	US
Google Drive API	Optional file sync integration	File metadata, content (when enabled)	US
Slack API	Optional Slack integration	Channel messages (when enabled)	US
QuickBooks API	Optional accounting integration	Invoice and customer data (when enabled)	US

Note: AI provider integrations (OpenAI, Anthropic, Ollama) are optional and customer-configured. When you bring your own API key, queries are sent directly to that provider under your own terms of service with them.

Legal Agreements

Review and sign our agreements digitally. All forms are hosted on the Heartbeat AI platform itself.

📋

Data Processing Agreement

Standard DPA covering data handling commitments, FERPA provisions, breach notification, and sub-processor obligations. Required for all customers processing personal data.

Review & Sign DPA

📝

Terms of Service

Service agreement covering account responsibilities, data ownership, acceptable use, billing, and liability terms.

Review & Sign ToS

🤝

Non-Disclosure Agreement

Mutual NDA for partnerships, integrations, investment discussions, and consulting engagements.

Review & Sign NDA

Frequently Asked Questions

Do you sell customer data?

No. We never sell, rent, or share customer data with third parties for marketing or advertising. Your data is used solely to provide the Heartbeat AI service.

Is my data used to train AI models?

No. Customer data is never used to train, fine-tune, or improve AI models. When we use Google Gemini as the default AI provider, queries are processed under Google Cloud's enterprise terms which prohibit using customer data for model training.

Can I export or delete my data?

Yes. You can export your documents, form entries, and chat history at any time. For full account deletion, contact us and we'll process the request within 30 days.

Is Heartbeat AI FERPA compliant?

Heartbeat AI provides the technical safeguards and contractual commitments needed for FERPA compliance, including a DPA with FERPA-specific provisions. However, FERPA compliance is a shared responsibility — schools must ensure their use of the platform aligns with their institutional policies.

Where is my data stored?

All data is stored in Google Cloud Platform's us-central1 region (Iowa, USA). Database backups are encrypted and stored in the same region.

What happens if there's a data breach?

We will notify affected customers within 72 hours of confirming a data breach, including details of what data was affected, what we're doing about it, and recommended actions.

Can I bring my own AI provider?

Yes. You can configure your own API keys for OpenAI, Anthropic, Google Gemini, or even a self-hosted Ollama instance. When you bring your own key, queries go directly to that provider under your terms with them.