Security & Compliance

Last updated: April 2026  ·  For security inquiries: security@onbaseai.com

Data Handling in Client Engagements

[PLACEHOLDER — TEAM TO COMPLETE] Describe how client data is handled during Readiness Assessments, Activation engagements, and Managed AI. Include: what data OnBaseAI accesses, how it is stored (or not stored), retention period, destruction policy, and who has access. This section is the most important for enterprise procurement reviews.

Example structure: "During the Readiness Assessment, OnBaseAI practitioners work within [client-controlled environments / read-only access / etc.]. No client data is retained beyond [X days / engagement completion]. All data is [encrypted in transit / not stored on OnBaseAI systems / etc.]."

The AIRO Assessment Tool

The AIRO Assessment collects organization name (optional) and role (optional) on the intro screen. No email address is required to view results. If a user chooses to email their results, that email address is collected solely to deliver the results email and is not retained for marketing purposes.

Beyond the optional email address described above, AIRO does not collect any personally identifiable data about employees. Assessment responses are not linked to identifiable individuals. [PLACEHOLDER — add specifics about where assessment data is stored and for how long].

Certifications & Compliance

[PLACEHOLDER — TEAM TO COMPLETE] List any current certifications (SOC 2 Type II, ISO 27001, etc.) or state the current certification status and timeline. Example: "OnBaseAI is currently pursuing SOC 2 Type II certification. Estimated completion: [Q]." If no certifications are currently held, state that plainly.

For clients in regulated industries (financial services, healthcare, government), [PLACEHOLDER — add specifics about how regulated-data engagements are handled, any additional agreements required, e.g. BAA for healthcare].

Third-Party Subprocessors

[PLACEHOLDER — TEAM TO COMPLETE] List all material third-party tools that may handle client or user data. Examples to assess: booking tool (Calendly), form handler (Formspree/Netlify), CRM, analytics, email provider, project management. For each, note what data it handles and link to their own security/privacy documentation.

Access Controls

[PLACEHOLDER — TEAM TO COMPLETE] Describe internal access controls: who on the OnBaseAI team has access to client data, how access is provisioned and deprovisioned, MFA requirements, etc.

Reporting a Vulnerability

If you have identified a security vulnerability in any OnBaseAI property, please report it responsibly to security@onbaseai.com, including the affected property and enough detail to reproduce the issue. We will acknowledge receipt within two business days and work with you on remediation. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.