Encryption Standards

• In Transit: All data transmissions use TLS 1.3 with perfect forward secrecy
• At Rest: AES-256-GCM encryption for all stored data
• Key Management: Cryptographic keys are managed using industry-standard key management services

Data Minimization & Retention

• 24-Hour Auto-Deletion: All session data is automatically and permanently deleted after 24 hours
• No Training Data: Your data is never used to train AI models
• Minimal Collection: We only collect data necessary for service delivery

Authentication

• Enterprise SSO: Integration with Google Workspace and Microsoft 365
• Multi-Factor Authentication: Enforced through your identity provider (Google/Microsoft)
• Session Management: Short-lived access tokens with secure refresh mechanisms
• Password-Free: No password storage reduces credential attack surface

Access Control

• Organization-Based Isolation: Strict data segregation between organizations
• Principle of Least Privilege: Users only access data within their organization
• Administrative Controls: Separate admin accounts with enhanced security requirements

Platform Security

• SOC 2 Type II Infrastructure: Built on Vercel's certified platform (our certification in progress)
• Web Application Firewall: Active protection against OWASP Top 10 threats
• DDoS Protection: Global edge network with automatic mitigation
• Rate Limiting: Protection against automated attacks and API abuse

Network Security

• Zero Trust Architecture: No implicit trust for any request
• Content Security Policy: Security headers configured to protect against XSS attacks
• HSTS Preloading: Enforced HTTPS for all connections

Security Monitoring

• Comprehensive Audit Logging: All authentication and data access events logged
• Real-Time Threat Detection: Automated alerts for suspicious activities
• Security Analytics: Pattern analysis to identify potential threats

Incident Response

• 24/7 Response Team: Dedicated security incident response
• NIST-Based IR Plan: Formal incident response procedures
• Breach Notification: Commitment to notify within 72 hours of discovery

THEUS implements comprehensive AI safety through multiple independent layers, ensuring responsible and secure AI interactions at every step.

Five-Layer Safety Architecture

Data Protection

• No training on user data
• 24-hour automatic deletion
• Complete session isolation
• Zero data persistence

Continuous Monitoring

• Real-time anomaly detection
• Usage pattern analysis
• Automated threat response
• Security event logging

Current Compliance

• GDPR Compliant: Full support for EU data protection requirements
• CCPA Compliant: California privacy rights supported
• Infrastructure Certifications: Built on SOC 2, ISO 27001 certified providers

Roadmap

• SOC 2 Type II: Independent certification planned for 2026
• ISO 27001: International security standard certification

• Secure Development: Security review for all code changes
• Dependency Management: Automated vulnerability scanning
• Penetration Testing: Regular third-party security assessments
• Security Training: Ongoing security awareness for all staff

We carefully vet all third-party services and maintain Data Processing Agreements with:

• Vercel: Infrastructure and hosting (SOC 2 Type II)
• Clerk: Authentication services (SOC 2 Type II)
• Google Cloud: AI services (ISO 27001, SOC 2)
• Upstash: Database services (SOC 2 Type II)

For detailed network configuration requirements, please refer to our comprehensiveIT Configuration Guide below.

For security inquiries, vulnerability reports, or to request our detailed security documentation:

1.1 Information You Provide

• Account Information: Name, email, and organization details when you sign up
• Simulation Inputs: Product descriptions, goals, and parameters you enter
• Context Documents: Optional files you upload for enhanced simulations (automatically deleted after 24 hours)
• Feedback: Any feedback or support requests you submit

1.2 Information Collected Automatically

• Usage Data: Features used, simulation parameters, and interaction patterns
• Technical Data: Browser type, device information, and IP address
• Performance Data: Error logs and performance metrics to improve service quality

1.3 Information We Don't Collect

• Personal data about simulated panelists (they're AI-generated)
• Unnecessary personal information
• Sensitive categories of personal data

2.1 Primary Uses

• Service Delivery: Running your simulations and generating insights
• Account Management: Authentication and access control
• Communication: Service updates and support responses
• Improvement: Enhancing features and user experience

2.2 What We Don't Do

• Sell your personal information
• Use your data to train AI models
• Share simulation content with other customers
• Perform behavioral advertising

We share your information only in these limited circumstances:

3.1 Service Providers

• Infrastructure: Vercel (hosting), Clerk (authentication)
• AI Processing: Google Cloud (Gemini API) - with strict no-training agreements
• Analytics: Aggregated usage data only

3.2 Legal Requirements

We may disclose information if required by law, subpoena, or to protect rights and safety.

3.3 Business Transfers

In case of merger or acquisition, your information may transfer to the new entity.

We implement comprehensive security measures:

• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access Controls: Role-based permissions and authentication
• Infrastructure: SOC 2 Type II certified providers
• Monitoring: 24/7 security monitoring and incident response
• Regular Audits: Security assessments and penetration testing

You can request immediate deletion of your account and associated data at any time.

6.1 Your Rights

• Access: Request a copy of your personal data
• Correction: Update inaccurate information
• Deletion: Request deletion of your data
• Portability: Export your data in standard formats
• Objection: Opt out of certain data uses

6.2 How to Exercise Rights

Contact us at privacy@aigora.com with your request. We'll respond within 30 days.

THEUS operates globally. Your data may be processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards through:

• Standard contractual clauses
• Data processing agreements
• Compliance with local data protection laws

We use minimal cookies necessary for service operation:

• Essential Cookies: Authentication and security
• Functional Cookies: User preferences and settings
• Analytics Cookies: Anonymous usage statistics (optional)

We don't use advertising or tracking cookies.

THEUS is not intended for users under 18. We don't knowingly collect information from children. If we learn we've collected data from someone under 18, we'll delete it promptly.

We may update this policy to reflect service changes or legal requirements. We'll notify you of material changes via email or service notifications. Continued use after updates constitutes acceptance.

For privacy questions or to exercise your rights:

We aim to respond to all privacy requests within 30 days. For urgent matters, please indicate “URGENT” in your subject line.

1.1 Eligibility. You must be at least 18 years old and have the legal capacity to enter into contracts. If you're using the Service on behalf of an organization, you represent that you have authority to bind that organization to these Terms.

1.2 Acceptance. By clicking “I Agree,” accessing, or using the Service, you accept these Terms. If you don't agree, don't use the Service.

1.3 Additional Terms. Your use is also subject to our Privacy Policy, which is incorporated by reference. Additional terms may apply to specific features.

2.1 What We Provide. THEUS is an AI-powered platform that creates simulated focus group discussions with AI-generated personas. The Service is designed for qualitative research and idea exploration.

2.2 No Real Participants. All focus group participants in the Service are AI-generated personas. No real individuals participate in your simulations.

2.3 Service Limitations. The Service provides AI-generated insights that should not replace validated market research or be used as the sole basis for business decisions.

3.1 Account Creation. You must provide accurate, current, and complete information. You're responsible for maintaining the confidentiality of your account credentials.

3.2 Account Security. You're responsible for all activities under your account. Notify us immediately of any unauthorized use.

3.3 Organizations. If you create an organizational account, you may add team members who will be bound by these Terms.

4.1 Permitted Use. You may use the Service only for lawful purposes and in accordance with these Terms.

4.2 Prohibited Uses. You may not:

• Use the Service for any illegal or harmful purpose
• Attempt to reverse engineer or extract the AI models
• Submit content that is offensive, discriminatory, or harmful
• Attempt to bypass usage limits or security measures
• Use the Service to create misleading or deceptive content
• Resell or redistribute the Service without authorization

5.1 Nature of Content. All personas, discussions, and insights are AI-generated. They may contain inaccuracies, biases, or inconsistencies.

5.2 No Warranties. We don't warrant the accuracy, completeness, or reliability of AI-generated content. Use it at your own risk.

5.3 Human Oversight Required. Always apply human judgment and validation to AI-generated insights before making decisions.

6.1 Service IP. Aigora owns all rights in the Service, including software, designs, and AI models.

6.2 Your Content. You retain rights to your input content. By using the Service, you grant us a license to process your content to provide the Service.

6.3 Output Content. Subject to your compliance with these Terms, you may use the AI-generated output for your internal business purposes.

7.1 Subscription Fees. Paid features require a subscription. Fees are billed in advance and are non-refundable except as required by law.

7.2 Changes to Pricing. We may change pricing with 30 days' notice. Continued use after price changes constitutes acceptance.

7.3 Taxes. You're responsible for all applicable taxes, which we'll add to your bill where required.

8.1 Privacy Policy. Our Privacy Policy describes how we collect, use, and protect your information.

8.2 Data Security. We implement reasonable security measures but cannot guarantee absolute security.

8.3 Data Deletion. Simulation data is automatically deleted after 24 hours. You may export results before deletion.

9.1 AS-IS Service. THE SERVICE IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED.

9.2 Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW, AIGORA WON'T BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES.

9.3 Total Liability Cap. Our total liability won't exceed the fees you paid us in the 12 months before the claim.

You'll indemnify and hold harmless Aigora from any claims arising from your use of the Service, violation of these Terms, or infringement of any rights.

11.1 Your Right to Terminate. You may stop using the Service and close your account at any time.

11.2 Our Right to Terminate. We may suspend or terminate your access for violation of these Terms or at our discretion with notice.

11.3 Effect of Termination. Upon termination, your right to use the Service ceases immediately. Provisions that should survive will remain in effect.

12.1 Governing Law. These Terms are governed by Delaware law, excluding conflict of laws principles.

12.2 Dispute Resolution. Disputes will be resolved through binding arbitration in Delaware, except where prohibited.

12.3 Changes to Terms. We may update these Terms. Continued use after changes constitutes acceptance.

12.4 Entire Agreement. These Terms and referenced policies constitute the entire agreement between us.

For questions about these Terms or the Service, contact us at:

For standard corporate networks, configure the following:

1. Whitelist domains: *.aigora.app and *.clerk.services
2. Add identity provider: accounts.google.com OR login.microsoftonline.com
3. Allow HTTPS (port 443): With WebSocket support enabled
4. Test access: Visit https://theus.aigora.app

• Port 443: Standard HTTPS port
• WebSocket over HTTPS: Required for real-time authentication (uses same port 443)
• Server-Sent Events (SSE): For session streaming

• Certificate Pinning: Not used - SSL inspection is compatible
• Recommended Exceptions: Consider adding SSL inspection exceptions for *.clerk.services and *.aigora.app if experiencing issues

For transparency, these services are used by our backend infrastructure. Your IT team may see these in server logs, but they do not require whitelisting as they are never accessed from user browsers:

• generativelanguage.googleapis.com - Google Gemini AI processing
• *.aiplatform.googleapis.com - Google Vertex AI for avatar generation
• *.upstash.io - Vercel KV (Redis) database
• *.postgres.vercel-storage.com - Vercel Postgres database
• *.blob.vercel-storage.com - Blob storage for avatars
• storage.googleapis.com - Default avatar images
• placehold.co - Fallback placeholder avatars
• *.vercel.app - Infrastructure (using custom domain instead)
• hooks.slack.com - Optional Slack notifications (if configured)

For comprehensive security details and data handling practices, please refer to:

• Security & Compliance section - Detailed security measures, data retention policies, and certifications
• Privacy Policy - Complete data handling and privacy practices
• GenAI Committee Guide - AI governance documentation and compliance details

Safety Implementation:

1. Input Layer: Sanitization, length limits, content filtering
2. Prompt Layer: Structured prompts with safety instructions
3. Model Layer: Google's built-in safety filters
4. Output Layer: Post-processing validation and filtering
5. Human Layer: Required moderation and oversight

Core Principles:

Sub-processors:

Governance Alignment:

Risk Register & Mitigations:

Configurable Settings: