Security & Compliance

PROXI AI LLC

Data Handling, Architecture, and Regulatory Compliance

Last Updated: April 13, 2026

1. Overview

PROXI AI LLC ("Proxi") provides a data integration and analytics platform that connects to multiple third-party sources. This document describes our data handling practices, security measures, and regulatory compliance posture. It is intended for Customer security and compliance teams evaluating Proxi for deployment.

2. Data Architecture

2.1 Storage Infrastructure

All data is hosted on managed cloud infrastructure located in the United States, which provides encryption at rest and in transit.

2.2 Data Layers

Our storage architecture maintains separation between:

  • Raw layer: Immutable copies of original API responses, retained for the lifetime of the Customer's account.
  • Normalized layer: Structured, standardized data derived from the raw layer for querying and analytics.

2.3 Tenant Isolation

All data is logically isolated per Customer. There is no cross-tenant access at the query layer, and database operations enforce tenant-level scoping on every request.

3. Security Measures

3.1 Data Encryption

  • Data in transit: All communications between clients, Proxi, and third-party APIs use TLS encryption.
  • Data at rest: Database storage is encrypted at rest using AES-256.
  • Credentials: OAuth tokens and API keys are stored encrypted on a per-connection basis.

3.2 Authentication and Access Control

  • Customers authenticate through secure session-based authentication.
  • Integration connections use OAuth 2.0 where supported, with tokens stored encrypted.
  • Internal access to production systems is restricted to essential personnel only.

3.3 Infrastructure Security

  • Managed cloud infrastructure with industry-standard security certifications.
  • Parameterized queries to prevent SQL injection.
  • Webhook endpoints validate payloads against expected signatures where supported by the integration source.

4. Sensitive Data Categories

Depending on Customer-connected integrations, the following categories of sensitive data may be processed:

  • Email addresses, names, and contact information
  • Phone numbers and physical addresses
  • IP addresses and device information
  • Message and chat content
  • Email and document content
  • Financial data (payment amounts, subscription details)
  • Behavioral and product analytics data
  • API credentials and tokens (stored encrypted)

The specific data processed depends entirely on which integrations a Customer connects and the authorization scope they grant.

5. Regulatory Compliance

5.1 CCPA / CPRA Compliance

Proxi operates as a "Service Provider" under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). This means:

  • We do not sell or share personal information.
  • We process personal data only for the business purposes specified in our agreements with Customers.
  • We do not retain, use, or disclose personal data outside of the direct business relationship.
  • We assist Customers in responding to verifiable consumer requests (access, deletion, correction).
  • We maintain a CCPA-compliant Privacy Policy with required disclosures.

5.2 Data Processing Agreement

We offer a Data Processing Agreement (DPA) to all Customers that defines our obligations as a data processor, including security commitments, sub-processor transparency, breach notification timelines (72 hours), data deletion procedures, and audit rights.

5.3 GDPR Readiness

While Proxi is a US-based company, our data handling practices align with key GDPR principles including purpose limitation, data minimization, storage limitation, and security. Customers processing EU personal data should ensure appropriate transfer mechanisms are in place.

6. Data Retention and Deletion

  • Raw data is retained for the duration of the Customer's active account.
  • Customers may request full data deletion at any time by emailing aditmittal@berkeley.edu.
  • Upon account termination, all Customer data is deleted as soon as reasonably practicable.
  • Data may persist in encrypted backups for a limited period before being overwritten through normal backup rotation.

7. Incident Response

In the event of a security incident affecting Customer data:

  • We will notify affected Customers within 72 hours of becoming aware of the incident.
  • Notification will include the nature of the incident, categories and approximate number of affected records, likely consequences, and measures taken or proposed to mitigate impact.
  • We will cooperate with Customers in investigating and remediating the incident.
  • We will take commercially reasonable steps to prevent recurrence.

8. Sub-processors

Current sub-processors:

Provider    Service                                      Data Location
Supabase    Database hosting, storage, authentication    United States

We notify Customers at least 30 days before engaging new sub-processors.

9. What Proxi Does Not Do

  • We do not sell personal data.
  • We do not use Customer data for advertising or profiling.
  • We do not share data between Customers (strict tenant isolation).
  • We do not train machine learning models on Customer data without explicit written consent.
  • We do not access Customer data except as necessary to provide the Service or as directed by the Customer.

10. Contact

For security questions, compliance inquiries, or data deletion requests:

PROXI AI LLC

886 Washington Blvd, Fremont, CA 94539

General: aditmittalhs@gmail.com

Data Deletion: aditmittal@berkeley.edu