Data Security FAQs
Where does Aampe store our data?
Each customer has a dedicated pipeline that reads end-user data from their sources and transforms it into Aampe’s data model. The pipeline removes or anonymizes PII, if present, and stores the result in Aampe’s cloud warehouse as a tenant-specific dataset. We are able to co-locate BigQuery instances in any Google Cloud location to satisfy data storage location requirements.
Is our data used for global model training?
No. Aampe follows a strict multi-tenant data and model architecture. No data is ever shared between customers.
Where and how are models fine-tuned?
Aampe doesn’t operate around a central model that undergoes training or fine-tuning cycles. There’s no global predictive function, shared parameter space, or batch-training pipeline.
Because of that, there is nothing in the system that resembles a model checkpoint, a retraining schedule, or a fine-tuning workflow. Each agent learns continuously from its own interactions with a single user. Learning is online, individual, and incremental, driven entirely by the feedback generated in that user’s own history.
Does Aampe need PII?
Many customers use Aampe without sending any PII. Since Aampe is not the final sender of any message, we do not need user names or emails. The Aampe message uses placeholders that are replaced by the final-mile sender. At times, certain user attributes (e.g. state of residence) are helpful to create audiences. Many customers choose to send limited PII on an as-needed basis.
What is Aampe's data retention policy?
Data is retained by Aampe throughout the contract period. This enables embedded charts and analytics, auditing, and offline policy evaluation.
What precautions does Aampe take to keep our data secure?
All data is encrypted at rest and in transit. Access to data is restricted to authorized personnel only. Aampe conducts regular security audits. Security certificates and reports are available upon request.
Does Aampe follow an AI security framework?
Yes. Our AI security program is aligned with the OWASP AI Security & Privacy Top 10 for vulnerability identification and mitigation, and we incorporate the NIST AI Risk Management Framework (AI RMF) into our governance and risk-assessment processes.
How does Aampe prevent model poisoning, adversarial attacks, and prompt injection?
Aampe agents don’t share a global model, and there’s no promptable inference surface that a user can manipulate. Each agent learns only from observed behavioral signals through its own causal-learning loop. This architecture reduces Aampe’s exposure to these kinds of attacks.
How does Aampe monitor for anomalous behavior?
Aampe maintains continuous monitoring across all production systems to detect anomalous or high-risk behavior, including unexpected API calls, traffic spikes, or abnormal system activity.
- API Behavior Analytics: We track request patterns, rate anomalies, unauthorized endpoints, and abnormal payloads. Threshold- and behavior-based alerts trigger on deviation from established baselines.
- Traffic & Volume Monitoring: Real-time metrics detect sudden spikes, unusual burst patterns, or other deviations in system load.
- Centralized Logging & Telemetry: Aampe uses GCP Cloud Logging for centralized log collection and an OpenTelemetry-compatible platform for telemetry and alerting. Logs are aggregated, immutable, access-controlled, and continuously monitored in alignment with our SOC 2–compliant security program.
- System Health & Drift Checks: Automated checks validate system integrity, operational stability, and drift from expected behavior.
What are Aampe's escalation paths for a software incident?
Aampe employs the following procedures in response to high-severity anomalies:
- Automated Safeguards: High-severity anomalies trigger automatic containment (rate limiting, endpoint blocking, or disabling an action/service).
- On-Call Engineering Escalation: Alerts route to the 24/7 on-call SRE/security team, who investigate and mitigate under defined SLAs.
- Security Incident Response: Events meeting incident criteria are escalated to our Security Incident Response Team following SOC 2–aligned incident response procedures.
- Customer Notification: If an incident affects customer data, notifications follow contractual and regulatory obligations.