Trust & infrastructure
AskHandle Security
Effective Date: December 2, 2024
AskHandle Overview
AskHandle is a cloud-based platform that helps organizations of all sizes deploy AI agents globally. It enables businesses to concentrate on training and deploying intelligent AI agents, while AskHandle handles the underlying infrastructure, scaling, and security management.
AskHandle applies security best practices and manages platform security so customers can focus on their business. The platform is designed to protect customers from potential threats by implementing security controls at every level—from physical to application layers. It also isolates customer applications and data and can quickly deploy security updates without any disruption to service or requiring customer intervention.
AskHandle’s Commitment to Trust
Trust is a core principle at AskHandle. Our commitment to customer privacy and building trust guides our daily decisions. Every employee shares in the responsibility of maintaining trust, and we take this duty seriously.
Security Assessments and Compliance
Data Centers
AskHandle’s application infrastructure is hosted on Vercel, a cloud platform built on Amazon Web Services (AWS). Our database infrastructure runs on Neon, a managed cloud PostgreSQL provider also operating on AWS. Both Vercel and Neon maintain rigorous security programs and run within AWS data centers that are continuously assessed for compliance with industry standards.
The underlying AWS data center operations are accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Vercel additionally holds its own SOC 2 Type 2 certification, and AskHandle’s static assets and file storage are served directly through AWS S3 and Amazon CloudFront.
PCI
We use Stripe, a PCI-compliant payment processor, to securely encrypt and process credit card payments. Additionally, AskHandle’s infrastructure provider is PCI Level 1 compliant.
Penetration Testing and Vulnerability Assessments
Third-party security testing of the AskHandle application is conducted by independent, reputable security consulting firms. The findings from each assessment are reviewed with the assessors, risk-ranked, and assigned to the relevant team for resolution.
Physical Security
AskHandle’s infrastructure runs on Vercel and Neon, both of which operate within ISO 27001 and FISMA-certified data centers managed by Amazon Web Services (AWS). Amazon has extensive experience designing, building, and operating large-scale data centers, and this expertise is applied throughout the AWS platform and infrastructure.
AWS data centers are in unmarked, secure facilities. Critical sites are protected by substantial setbacks, military-grade perimeter control berms, and other natural boundary defenses. Physical access to these facilities is strictly controlled, with security staff monitoring all perimeter and building entry points. The centers are equipped with video surveillance, advanced intrusion detection systems, and other electronic security measures.
Authorized personnel must undergo two-factor authentication at least three times before accessing data center floors. All visitors and contractors must present identification, sign in, and remain continuously escorted by authorized staff.
Amazon restricts data center access to employees with a legitimate business need. If an employee’s role no longer requires such access, their permissions are promptly revoked, regardless of their continued employment with Amazon or AWS. Additionally, all physical and electronic access to Amazon’s data centers is logged and regularly audited to ensure security.
For additional information see: https://aws.amazon.com/security
Environmental Safeguards
Fire Detection and Suppression
To minimize fire risk, automatic fire detection and suppression systems have been installed throughout the data center. The fire detection system uses smoke sensors in all critical areas, including data center environments, mechanical and electrical spaces, chiller rooms, and generator equipment rooms. These areas are protected by various fire suppression systems, such as wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power
The data center’s electrical power systems are fully redundant and designed for continuous operation, ensuring no impact to services 24/7. Uninterruptible Power Supply (UPS) units provide backup power for critical and essential systems during electrical failures. Additionally, backup generators supply power to the entire facility, ensuring seamless operation even during extended outages.
Climate and Temperature Control
Maintaining a stable operating temperature is crucial to prevent hardware overheating and reduce the risk of service interruptions. The data centers are equipped with climate control systems that regulate temperature and humidity to optimal levels. Monitoring systems, along with on-site personnel, ensure that the environmental conditions remain within the required range for proper equipment performance.
Management
Data center staff continuously monitor the electrical, mechanical, and life support systems to promptly identify and address any issues. Preventative maintenance is regularly performed to ensure the ongoing reliability and functionality of all equipment.
For additional information see: https://aws.amazon.com/security
Network Security
Firewalls
Firewalls are used to control access both from external networks and between internal systems. By default, all access is denied, and only explicitly permitted ports and protocols are allowed based on business requirements. Each system is assigned to a specific firewall security group, tailored to its function. These security groups restrict access to only the necessary ports and protocols, reducing potential risks.
Host-based firewalls further isolate customer applications by blocking localhost connections over the loopback network interface. Additionally, host-based firewalls can be configured to limit both inbound and outbound connections as needed, adding an extra layer of security.
DDoS Mitigation
Our infrastructure incorporates multiple DDoS mitigation techniques, including TCP SYN cookies and connection rate limiting. Additionally, we maintain multiple backbone connections and internal bandwidth capacity that exceeds the bandwidth provided by our internet carriers. We collaborate closely with our providers to quickly respond to any DDoS events and activate advanced mitigation controls when necessary.
Spoofing and Sniffing Protection
Managed firewalls protect against IP, MAC, and ARP spoofing both on the network and between virtual hosts, ensuring that spoofing attacks are not possible. To prevent packet sniffing, our infrastructure, including the hypervisor, ensures traffic is only delivered to the interface it is addressed to. AskHandle further mitigates risks by employing application isolation, operating system restrictions, and encrypted connections at all levels of the stack.
Port Scanning
Port scanning is strictly prohibited, and any detected instances are promptly investigated by our infrastructure provider. When port scans are identified, they are immediately stopped, and access is blocked to prevent further intrusion attempts.
Data Security
PostgreSQL Database
Customer data is stored in a managed, cloud-hosted PostgreSQL database with strict access controls. All database credentials are unique, rotated regularly, and scoped to the minimum required permissions. Customer data is logically isolated within the platform through enforced access controls at the application layer.
All connections to the database require TLS/SSL encryption, ensuring data in transit is always protected. The database is hosted with a managed provider that maintains high-availability configurations, automated failover, and regular security patching.
Customers can encrypt stored data within their applications to meet additional data security requirements and implement their own key management and retention policies.
AWS S3
Files uploaded as data sources for AI training are securely stored in Amazon Web Services (AWS) S3. AWS S3 protects these files from unauthorized access through encryption and access management features. All objects uploaded to S3 are automatically encrypted, and you can block public access at both the bucket and account levels using S3 Block Public Access. Additionally, S3 complies with various regulatory standards, including PCI-DSS, HIPAA/HITECH, FedRAMP, the EU Data Protection Directive, and FISMA, ensuring alignment with industry requirements. AWS also offers comprehensive auditing capabilities to track access requests to your S3 resources.
Web Messenger
The web messenger is a chat component that can be added to your website to facilitate AI communication with visitors. By default, it is loaded from AWS S3, utilizing the same security features provided by S3.
For added protection, AskHandle offers the option to integrate AWS WAF (Web Application Firewall). AWS WAF strengthens security by allowing you to control access to messenger distributions and block malicious requests before they reach your servers.
Encrypt Data in Transit
We use HTTPS for all applications and SSL for database connections to ensure the security of sensitive data during transmission to and from the applications.
Vulnerability Management
Our vulnerability management process is designed to address risks without requiring customer interaction or causing any impact. AskHandle is alerted to vulnerabilities through a combination of internal and external assessments, system patch monitoring, and third-party mailing lists and services. Each identified vulnerability is reviewed to determine its relevance to AskHandle’s environment, ranked by risk, and assigned to the appropriate team for resolution.
AskHandle Platform Security
We conduct regular penetration tests, vulnerability assessments, and source code reviews to evaluate the security of our applications, architecture, and implementations. Third-party security assessments are performed across all areas of our platform, including testing for OWASP Top 10 web application vulnerabilities and verifying customer application isolation. AskHandle collaborates closely with external security assessors to ensure the platform and applications are secure and follow industry best practices.
Any issues identified within the AskHandle platform are risk-ranked, prioritized, and assigned to the appropriate team for remediation. Our security team reviews each remediation plan to ensure that the issue is resolved effectively and thoroughly.
Backups
Our databases are hosted on a managed cloud PostgreSQL provider with continuous data protection built in. All data changes are captured in write-ahead logs (WAL), which are continuously streamed and stored in high-durability, geographically redundant storage. In the rare event of hardware failure, these logs can be automatically replayed to restore the database to within seconds of its last known state.
Automated point-in-time recovery (PITR) is enabled, allowing the database to be restored to any point within the retention window. Backup storage is encrypted at rest and protected by strict access controls. Database snapshots are taken regularly and retained according to our data retention policies.
Our infrastructure is designed to be fault-tolerant — failed components are replaced automatically, minimizing the need for manual intervention and reducing the risk of data loss.
Disaster Recovery
Customer Applications and Databases
Our platform is deployed across a globally distributed, serverless cloud infrastructure designed for automatic scaling and high availability. In the event of an outage, application instances are automatically redeployed using current build artifacts, and database connections are seamlessly re-established through our managed PostgreSQL provider's built-in failover capabilities.
Our infrastructure eliminates single points of failure through multi-region redundancy. Failed components are automatically detected and replaced, and our database provider continuously streams data to geographically redundant storage to enable rapid recovery with minimal data loss.
Customer Data Retention and Destruction
You have the flexibility to purge data from our databases to meet your own data retention requirements. If you close your account and request data removal, we will retain the database storage volume for 30 days. After this period, the data is automatically destroyed and rendered unrecoverable.
The decommissioning of hardware is handled by our infrastructure provider through a process designed to prevent any exposure of customer data. AWS follows established data destruction standards, including those outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) and NIST 800-88 (“Guidelines for Media Sanitization”), to ensure complete and secure data destruction.
For additional information see: https://aws.amazon.com/security
Privacy
AskHandle has a published Privacy Policy that clearly outlines the types of data collected and how it is used. We are committed to ensuring customer privacy and maintaining transparency in our practices.
We take proactive steps to safeguard customer privacy and protect the data stored on our platform. AskHandle provides built-in protections including multi-factor authentication options, role-based access controls, encrypted data transport, HTTPS for all customer-facing applications, and the option for customers to encrypt their stored data. For more information, please refer to our Privacy Policy.
GDPR commitment
We are dedicated to supporting our customers’ success, including ensuring compliance with the GDPR.
Compliance with the GDPR is a shared responsibility between AskHandle and our customers in how they use our services. AskHandle commits to fully complying with the GDPR in delivering our services. We are also focused on helping our customers meet their own GDPR compliance obligations. We have thoroughly reviewed the GDPR requirements and are actively making improvements to our products, contracts, and documentation to support full compliance.
WCAG 2.0 commitment
At AskHandle, we are dedicated to making our platform accessible to all users, including those with disabilities. We follow the Web Content Accessibility Guidelines (WCAG 2.0) at both Level A and Level AA to ensure that our web content is perceivable, operable, and understandable for everyone. By adhering to these standards, we aim to create an inclusive experience that meets the diverse needs of our users and ensures equal access to all our digital resources.
Personal Information Protection Law (PIPL) commitment
AskHandle is committed to adhering to the principles set forth in the Personal Information Protection Law (PIPL) of the People’s Republic of China. We prioritize the protection of personal data and ensure full compliance with PIPL regulations. This includes transparent data collection practices, secure processing and storage of personal information, and respecting individuals’ rights to control their data. By following these legal requirements, we aim to protect user privacy and uphold the highest standards of data security.
Access to Customer Data
AskHandle staff does not access or interact with customer data or applications during regular operations. There may be instances where AskHandle is requested to access customer data or applications for support purposes, or when required by law. Access to customer data is strictly controlled, and any interaction by AskHandle staff is authorized by the customer or mandated by the government. All access is documented, including the reason for access, actions taken, and the start and end times of support.
Employee Screening and Policies
As a condition of employment, all AskHandle employees undergo pre-employment background checks and must agree to company policies, including security and acceptable use policies.
Security Team
Our security team is led by the Chief Information Security Officer (CISO) and includes staff dedicated to application and information security. The team collaborates closely with both AskHandle employees and customers to manage risks and uphold our commitment to trust.