Trust & Compliance

How Adam protects your data.

Adam is built on a small, audited set of infrastructure providers. This page lists every subprocessor that touches customer data, the regions where data is stored, our recovery objectives, and the SLAs we hold ourselves to for security updates.

Last updated June 9, 2026

Encryption
TLS 1.2+ in transit · AES-256 at rest
Primary region
US East (N. Virginia)
Recovery time objective
24 hours
Recovery point objective
24 hours
01

Security frameworks & certifications

Adam is a young company. We're transparent about where we are on the audit roadmap and what we're working toward.

SOC 2 Type I
In progress
Trust Services Criteria audit covering security and availability.

On our audit roadmap

SOC 2 Type II
In progress
Operating effectiveness over a continuous observation window.

On our audit roadmap

GDPR
In progress
EU data protection alignment via DPA and subprocessor disclosure.
ISO 27001
Planned
Information security management system certification.
HIPAA
Not supported
Not currently supported. Adam is not a HIPAA-eligible service.

Not on roadmap

Penetration Test
Planned
Independent third-party application and infrastructure pentest.

Pending first audit

We will publish audit reports here once they are complete. Customers with active contracts can request our security questionnaire response (e.g. CAIQ-Lite, SIG) at hello@adam.new.

02

Subprocessors

Every third-party service that processes customer data on Adam's behalf, the data they process, and where they operate. This page is the source of truth and is updated when the list changes.

Core infrastructure

Hosts the application, database, and runtime sandboxes.

Amazon Web Services (AWS)
Trust page
Purpose
Primary database (RDS PostgreSQL), application compute (ECS Fargate), cache (ElastiCache Redis), container registry, and secrets management.
Data
User accounts, sessions, conversations, agent state, and billing records.
Location
US East (N. Virginia) · us-east-1. Encrypted at rest; automated daily backups.
Cloudflare
Trust page
Purpose
Edge compute (Workers) serving the web app, R2 object storage, CDN, and DNS.
Data
Application traffic; user-uploaded files and generated artifacts.
Location
Global edge network · R2 buckets in Western North America (WNAM).
Daytona
Trust page
Purpose
Per-user sandboxed Linux environments for agent tool execution.
Data
Files and processes the agent creates while completing user tasks.
Location
United States, managed by Daytona.

AI model providers

Process prompts and conversation context to generate responses.

Anthropic
Trust page
Purpose
Claude model inference for the primary agent loop.
Data
Conversation messages and tool inputs sent during a turn.
Location
Managed by Anthropic. Inputs are not used for model training under their commercial terms.
AWS Bedrock
Trust page
Purpose
Claude model inference served through AWS.
Data
Conversation messages and tool inputs sent during a turn.
Location
AWS US East (N. Virginia) · us-east-1.
OpenAI
Purpose
GPT model inference and OpenAI Agents tool calls.
Data
Conversation messages and tool inputs sent during a turn.
Location
Managed by OpenAI. API inputs are not used for training by default.
Google (Generative AI)
Trust page
Purpose
Gemini model inference for selected workloads.
Data
Conversation messages and tool inputs sent during a turn.
Location
Managed by Google.
OpenRouter
Trust page
Purpose
Routes selected model calls to underlying providers.
Data
Conversation messages and tool inputs sent during a turn.
Location
Managed by OpenRouter.
Mixedbread
Trust page
Purpose
Text embeddings for semantic memory and search.
Data
Task and memory text sent to generate embedding vectors.
Location
Managed by Mixedbread.
ElevenLabs
Trust page
Purpose
Text-to-speech and transcription for voice mode.
Data
Text and audio transmitted for synthesis or transcription.
Location
Managed by ElevenLabs.

Agent tooling

Power the agent's web, search, and integration capabilities.

Composio
Trust page
Purpose
OAuth connectors and tool execution for 1000+ third-party apps.
Data
OAuth tokens and request/response payloads for connected apps.
Location
Managed by Composio.
Brave Search
Trust page
Purpose
Web search results for agent research.
Data
Search queries.
Location
Managed by Brave.
Exa
Purpose
Semantic web search for agent research.
Data
Search queries.
Location
Managed by Exa.

Billing & payments

Process subscriptions, payments, and invoices.

Stripe
Purpose
Subscription billing, payment processing, and invoices.
Data
Customer name, email, billing address, and tokenized payment method.
Location
PCI-DSS Level 1 certified processor; managed by Stripe.

Observability

Operate the service: errors, metrics, traces, and product analytics.

Sentry
Purpose
Error monitoring and stack-trace capture.
Data
Error events, browser metadata, anonymized user IDs.
Location
Managed by Sentry · US region.
Axiom
Purpose
OpenTelemetry trace and log storage.
Data
Service traces and structured logs.
Location
Managed by Axiom.

Optional user-connected integrations

Only engaged when a user explicitly connects their account. Tokens are scoped per user.

Google Workspace
Purpose
Gmail, Drive, Calendar access via OAuth.
Data
Scoped account data the user authorizes.
Location
Managed by Google.
GitHub
Purpose
Repository read/write via the Adam GitHub App.
Data
Repository content and metadata for installed orgs.
Location
Managed by GitHub.
Slack
Purpose
Workspace messaging via OAuth.
Data
Channel and DM content the user authorizes.
Location
Managed by Slack.
Discord
Purpose
Server messaging via the Adam bot.
Data
Channel content where the bot is invited.
Location
Managed by Discord.
Telegram
Purpose
Direct-message bot interactions.
Data
Chat content with the Adam bot.
Location
Managed by Telegram.
X (Twitter)
Purpose
Read-only access for agent research tasks.
Data
Public timelines and search results.
Location
Managed by X.
03

Data residency

Where customer data lives, by category.

Primary database
AWS US East (N. Virginia) · RDS PostgreSQL
User accounts, sessions, conversations, agent threads, and billing records.
Object storage
Cloudflare R2 · Western North America (WNAM)
User-uploaded files, generated artifacts, and product skill assets.
Edge compute
Cloudflare Workers · global edge
Web application and the R2 access proxy. Compute is stateless; no customer data is persisted at the edge.
Sandboxes
United States, managed by Daytona
Per-user Linux sandboxes are ephemeral and isolated. They are stopped after inactivity and rebuilt on demand.

Adam does not currently offer customer-selectable region pinning. EU/UK regional residency is on the roadmap and will be made available to enterprise customers under DPA.

04

Recovery objectives

Our targets for restoring service and the maximum data loss window we plan around.

Recovery Time Objective (RTO)
24 hours
The maximum target time to restore the service to operational state after a disruption affecting the production environment.
Recovery Point Objective (RPO)
24 hours
The maximum target window of customer data that may be lost in a worst-case recovery scenario, set by our daily backup cadence.

AWS RDS performs automated daily backups of the primary database with point-in-time recovery. Cloudflare R2 stores objects with provider-managed durability guarantees. Sandboxes are ephemeral and reproducible from configuration; their state is not part of the recovery scope.

We will publish recovery test results alongside our SOC 2 report.

05

Security update SLAs

Our commitments for triaging and patching vulnerabilities, by severity.

Critical · 9.0 – 10.0
Triage: ≤ 4 hours · Patch: ≤ 72 hours
Active exploit, data exposure, or full service unavailability.
High · 7.0 – 8.9
Triage: ≤ 1 business day · Patch: ≤ 7 days
Privilege escalation, authenticated bypass, significant degradation.
Medium · 4.0 – 6.9
Triage: ≤ 3 business days · Patch: ≤ 30 days
Limited-impact issue requiring user interaction or local access.
Low · 0.1 – 3.9
Triage: ≤ 5 business days · Patch: next scheduled release
Hardening recommendations and informational findings.
Customer-facing patches
Web application and worker updates ship as zero-downtime Cloudflare Worker rollouts. Backend updates deploy to AWS ECS Fargate as rolling, health-checked releases.
Dependency updates
Automated dependency monitoring runs continuously. Critical dependency CVEs are patched on the same SLA as critical product vulnerabilities.
06

Operational practices

The day-to-day controls that protect customer data.

Incident response
We notify affected customers within 72 hours of confirming a security incident that involves their data, in line with GDPR Article 33. Once an incident is resolved, we share root cause and remediation with affected customers.
Data retention & deletion
User content is deleted within 30 days of account closure or on request. Backups containing the data roll off within 90 days. Sandbox state is purged on stop and is never included in backups.
Workforce security
MFA is required on every employee account. Production access is limited to the minimum necessary and reviewed regularly. Security awareness training is part of onboarding for every new hire.
Vendor security review
Every new subprocessor is reviewed for security posture, DPA availability, and data minimization before being added. We prefer vendors with completed SOC 2 or ISO 27001 audits and published trust pages.
07

Reporting & contact

How to reach our security team, request documents, or report a vulnerability.

Security & compliance
hello@adam.new
DPAs, security questionnaires, audit reports, and subprocessor notifications.
Vulnerability disclosure
hello@adam.new
Report a suspected vulnerability. We respond within one business day and do not pursue good-faith researchers.
Privacy requests
hello@adam.new
Access, deletion, or export of personal data. See the privacy policy for full rights.