COSAI

Security

Last updated: March 19, 2026

At COSAI, security is foundational to everything we build. Aldric is an AI assistant that acts on your behalf, which means trust and safety are not optional features — they're the architecture itself. This page describes how we protect your data, what controls you have, and what Aldric will never do without your permission.

1. Safe Defaults

Aldric ships with Safe Mode enabled by default. This means every action that has a side effect — sending an email, scheduling a meeting, updating a record, or making any external request — requires your explicit approval before execution.

Our safe defaults include:

  • Least-privilege access: Aldric requests only the minimum permissions each workflow needs. No broad or unnecessary scopes.
  • Approval gates: Actions with side effects are routed through your Cockpit Approval Inbox before execution. You review what Aldric wants to do, see the full context, and approve or deny with one click.
  • Spend caps: You can configure spending limits per workflow to prevent runaway costs or unintended large actions.
  • Exclusions: Define actions that Aldric will never take, regardless of context. These exclusions cannot be overridden by the AI.
  • Audit trail: Every action Aldric proposes or performs — approved, denied, or automated — is logged in an immutable, append-only audit trail that you can review at any time.
  • Safe Mode toggle: Safe Mode is on by default but can be toggled per policy for workflows where you want full automation (e.g., low-risk calendar confirmations).
  • Read-only mode: For sensitive integrations, you can grant Aldric read-only access so it can provide insights without making changes.

2. What Aldric Will Never Do

Aldric has safety boundaries that hold regardless of how you configure it:

  • Will never send emails without your explicit approval. The one exception is a policy you have explicitly configured to allow unattended sending for a specific workflow (see the Safe Mode toggle above); such a policy is configured by you, not by Aldric.
  • Will never make financial transactions autonomously.
  • Will never delete data without confirmation.
  • Will never share your credentials, access tokens, or API keys with third parties or in generated outputs.
  • Will never bypass your configured approval gates.
  • Will never access integrations or data beyond the scopes you have explicitly granted.

3. How the Approval Flow Works

In Safe Mode, every action that modifies external state flows through a three-step approval process (a workflow you have explicitly switched to full automation skips the review step, but is still logged):

Step 1 — Action Requested: Aldric identifies an action that needs to be taken (e.g., send an email, update a CRM record, schedule a meeting). It constructs the action with full context: what it wants to do, why, and the assessed risk level.

Step 2 — Review in Cockpit: The action appears in your Approval Inbox within the Cockpit. You can see the complete details, including the draft content, the recipient, and any relevant conversation history. You can edit the action before approving.

Step 3 — Approve or Deny: One click to approve or deny. Every decision — along with a timestamp, your identity, and the action details — is permanently recorded in your audit trail.

For mobile users, approval requests are delivered as push notifications so you can review and act on them from anywhere.
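The gate described in sections 1 and 3 can be modelled in a few dozen lines. The TypeScript below is an added illustration, not code from COSAI or Aldric; the type and tool names, the cost model behind the spend cap, and the scenario data are all assumptions. It shows the ordering that matters: exclusions and the spend cap are checked before the Safe Mode toggle is consulted, so automation can never admit what a hard limit forbids, and every outcome is appended to a hash-chained trail whose verify() fails if any record is later altered.

```typescript
import { createHash } from "node:crypto";

// Added example, not COSAI's code: a model of the Safe Mode gate in sections 1 and 3.
// costCents is an assumed cost model for the spend cap; sideEffect is false for read-only
// lookups, which are never gated. Policy is per workflow: safeMode is on by default, autoAllow
// lists tools that may run unattended when it is off, and exclusions never run regardless.
type Action = { workflow: string; tool: string; params: Record<string, unknown>; costCents: number; sideEffect: boolean };
type Policy = { safeMode: boolean; autoAllow: string[]; exclusions: string[]; spendCapCents?: number };
const DEFAULT_POLICY: Policy = { safeMode: true, autoAllow: [], exclusions: [] };
type Decision = "EXECUTED" | "PENDING_APPROVAL" | "DENIED" | "BLOCKED";
type AuditRecord = { seq: number; ts: string; actor: string; action: Action; decision: Decision;
  reason: string; prevHash: string; hash: string };
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");

// Append-only trail: each record commits to the previous record's hash, so editing or
// deleting any record breaks verify(). There is deliberately no update or delete method.
class AuditTrail {
  private readonly records: AuditRecord[] = [];
  append(actor: string, action: Action, decision: Decision, reason: string): AuditRecord {
    const body = { seq: this.records.length, ts: new Date().toISOString(), actor, action, decision, reason,
      prevHash: this.records.length ? this.records[this.records.length - 1].hash : "0".repeat(64) };
    const rec = { ...body, hash: sha256(JSON.stringify(body)) };
    this.records.push(rec);
    return rec;
  }
  verify(): boolean {
    let prevHash = "0".repeat(64);
    return this.records.every((r, i) => {
      const { hash, ...body } = r;
      const ok = body.seq === i && body.prevHash === prevHash && hash === sha256(JSON.stringify(body));
      prevHash = hash;
      return ok;
    });
  }
  entries(): readonly AuditRecord[] { return this.records; }
}

class ApprovalGate {
  private readonly spent = new Map<string, number>();
  private readonly pending = new Map<string, Action>();
  private nextId = 1;
  constructor(private readonly policies: Map<string, Policy>, readonly audit: AuditTrail) {}
  // Step 1: Aldric proposes an action. Exclusions and the spend cap are checked before the
  // automation setting, so a Safe Mode toggle can never admit an excluded or over-budget action.
  request(action: Action): { decision: Decision; id?: string } {
    const policy = this.policies.get(action.workflow) ?? DEFAULT_POLICY;
    const stop = this.hardStop(action, policy);
    if (stop) { this.audit.append("aldric", action, "BLOCKED", stop); return { decision: "BLOCKED" }; }
    if (!action.sideEffect) { this.audit.append("aldric", action, "EXECUTED", "read-only"); return { decision: "EXECUTED" }; }
    if (!policy.safeMode && policy.autoAllow.includes(action.tool)) {
      this.execute("policy", action, `auto-allowed by ${action.workflow} policy`);
      return { decision: "EXECUTED" };
    }
    const id = `req-${this.nextId++}`;
    this.pending.set(id, action);
    this.audit.append("aldric", action, "PENDING_APPROVAL", `queued in Approval Inbox as ${id}`);
    return { decision: "PENDING_APPROVAL", id };
  }
  // Steps 2 and 3: you review in the Cockpit, optionally edit, then approve or deny under your own
  // identity. Hard stops are re-checked because the policy may have changed while the request waited.
  resolve(id: string, user: string, approve: boolean, edits?: Record<string, unknown>): Decision {
    const queued = this.pending.get(id);
    if (!queued) throw new Error(`unknown or already resolved request ${id}`);
    this.pending.delete(id);
    const action = edits ? { ...queued, params: { ...queued.params, ...edits } } : queued;
    if (!approve) { this.audit.append(user, action, "DENIED", `denied ${id}`); return "DENIED"; }
    const stop = this.hardStop(action, this.policies.get(action.workflow) ?? DEFAULT_POLICY);
    if (stop) { this.audit.append(user, action, "BLOCKED", stop); return "BLOCKED"; }
    this.execute(user, action, `approved ${id}`);
    return "EXECUTED";
  }
  spentBy(workflow: string): number { return this.spent.get(workflow) ?? 0; }
  private hardStop(a: Action, p: Policy): string | null {
    if (p.exclusions.includes(a.tool)) return `${a.tool} is excluded for workflow ${a.workflow}`;
    if (p.spendCapCents !== undefined && this.spentBy(a.workflow) + a.costCents > p.spendCapCents)
      return `spend cap of ${p.spendCapCents}c for ${a.workflow} would be exceeded`;
    return null;
  }
  private execute(actor: string, a: Action, reason: string): void {
    this.spent.set(a.workflow, this.spentBy(a.workflow) + a.costCents); // the real integration call would go here
    this.audit.append(actor, a, "EXECUTED", reason);
  }
}

// Constructed scenario: calendar confirmations automated under a 100c cap; email on defaults, payments excluded.
function demo() {
  const gate = new ApprovalGate(new Map<string, Policy>([
    ["calendar", { safeMode: false, autoAllow: ["confirm_meeting"], exclusions: [], spendCapCents: 100 }],
    ["email", { ...DEFAULT_POLICY, exclusions: ["initiate_payment"] }],
  ]), new AuditTrail());
  const confirm: Action = { workflow: "calendar", tool: "confirm_meeting", params: { eventId: "evt_1" }, costCents: 60, sideEffect: true };
  const d1 = gate.request(confirm).decision;                                      // EXECUTED: auto-allowed
  const d2 = gate.request({ ...confirm, params: { eventId: "evt_2" } }).decision; // BLOCKED: 60 + 60 > 100
  const d3 = gate.request({ workflow: "email", tool: "initiate_payment", params: {}, costCents: 0, sideEffect: true }).decision; // BLOCKED: excluded
  const send = gate.request({ workflow: "email", tool: "send_email", params: { to: "ana@example.com", body: "Hi" }, costCents: 0, sideEffect: true });
  const d5 = gate.resolve(send.id ?? "", "you@example.com", true, { body: "Hi Ana, confirmed." }); // EXECUTED after your edit
  return { decisions: [d1, d2, d3, send.decision, d5], chainValid: gate.audit.verify(), gate };
}
```

Calling demo() walks the scenario: the first calendar confirmation is auto-executed, the second is blocked by the cap, the payment is blocked by the exclusion, and the email waits in the inbox until resolve() records your approval (and your edit) under your identity. Resolving the same request twice throws, so an approval cannot be replayed.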

4. Infrastructure Security

Our infrastructure is designed with defense-in-depth principles:

  • Hosting: The application is hosted on Vercel with automatic TLS termination and DDoS protection. Our database and authentication services are hosted on Supabase, which holds a SOC 2 Type II attestation.
  • Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption provided by our infrastructure partners.
  • Authentication: We use passwordless magic-link authentication and Google OAuth, so we never store password hashes and password-reuse and credential-stuffing attacks do not apply to our accounts. A magic link is only as strong as the inbox that receives it, so protect your email account with multi-factor authentication. Session tokens are carried in HTTP-only cookies with a SameSite attribute, so page scripts cannot read them and browsers limit their use on cross-site requests.
  • Row-Level Security: Our database enforces row-level security (RLS) policies, so every query made with a user's session is scoped to that user. This limits the blast radius of an application-level vulnerability: a bug in a read path cannot return another user's rows. Write paths that use the service-role client bypass RLS, which is why those routes perform their own explicit authorization checks (see section 5).
  • Secrets Management: API keys, service role keys, and sensitive credentials are stored as environment variables, never committed to source code. Server-side secrets are never exposed to the client.

5. Authentication and Access Control

Access to the Services is controlled at multiple levels:

  • User authentication: Magic-link (passwordless) authentication, Google OAuth, and Apple Sign In (iOS).
  • Route-level gating: The Cockpit (/app) is accessible only to users with an active subscription or trial. Admin routes are restricted to an allowlist of authorized email addresses.
  • API authorization: All API routes verify the user's session and entitlements before processing requests. Read operations use RLS-scoped queries; write operations use a service-role client, which bypasses RLS, so each write route performs explicit authorization checks of its own before touching data.
  • Third-party OAuth: Integrations with services like Gmail and Google Calendar use OAuth 2.0 with minimal scope requests. Tokens are encrypted and stored securely. You can revoke access at any time.

6. AI Model Security

Aldric uses AI models from Google (Gemini) for voice and vision processing and from Anthropic (Claude) for complex reasoning tasks. Our approach to AI security includes:

  • No training on your data: Your interactions with Aldric are not used to train AI models. Our agreements with model providers explicitly prohibit using customer data for model training.
  • Prompt injection mitigation: Content Aldric reads on your behalf (email bodies, calendar invites, records pulled from integrations) is untrusted input that may contain instructions aimed at the model. We implement input validation, output filtering, and structured tool-calling patterns to minimize the risk of prompt injection attacks, and any consequential action such content triggers still goes through your approval gates.
  • Structured execution: Aldric executes actions through defined tool schemas, not free-form code execution. This constrains the scope of what the AI can do to pre-defined, audited operations.
  • Human-in-the-loop: The approval workflow ensures that a human reviews and authorizes consequential actions before they are executed.

7. Voice, Vision, and Audio Security

When using voice and vision features with Aldric:

  • Audio is transmitted over encrypted WebSocket connections (TLS 1.2+) to Google's Gemini Live API for real-time processing.
  • Raw audio recordings are not stored after transcription is complete. Gemini processes speech-to-text and text-to-speech natively.
  • Camera frames (when vision is active) are sent as JPEG images over the same encrypted WebSocket connection. Frames are processed in real time and not stored.
  • On-device memory is encrypted using AES-GCM (CryptoKit) before syncing to the cloud. Server-side memory is encrypted at rest.
  • Voice sessions have a 30-minute time limit as a safety measure.
  • You can disable voice and camera features at any time through your device settings.
  • When offline, on-device Apple models process speech locally — no data leaves your device.

8. Audit and Compliance

Transparency is a core principle. Every interaction between Aldric and external services is logged:

  • Immutable audit trail: All events are append-only. Records cannot be modified or deleted, even by administrators.
  • Searchable logs: Filter and search your audit trail by date, action type, status, and integration.
  • Export: Export your audit data for compliance reporting or internal review.

9. Incident Response

In the event of a security incident, we will:

  • Investigate promptly and contain the issue.
  • Notify affected users within 72 hours of confirming the incident, and notify regulators where applicable regulations require it.
  • Provide a clear description of what happened, what data was affected, and what steps we are taking.
  • Implement measures to prevent recurrence.

10. Responsible Disclosure

We welcome reports from security researchers. If you discover a vulnerability in our systems, please report it responsibly to contact@cosai.cloud. We ask that you:

  • Provide sufficient detail for us to reproduce and address the issue.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Give us reasonable time to address the issue before public disclosure.

We commit to acknowledging your report within 48 hours and providing regular updates on our investigation.

11. Contact

For security-related questions or concerns, contact us at:

COSAI
Email: contact@cosai.cloud