Security Questionnaire

Security Questionnaire

Standard answers to the security, privacy, and compliance questions we receive most often.

Standard answers for vendor evaluation

Last Updated: July 2026

These are our standard answers to the questions we receive most often during procurement and security review. If your questionnaire needs something not covered here, email support@sitegpt.ai.

Compliance and certifications

Question Answer
SOC 2 We have completed a SOC 2 Type II examination covering security, availability, and confidentiality, with zero exceptions noted across all tested controls. Enterprise customers can request the report via our trust portal.
GDPR GDPR certified by DPLMC International. See our privacy policy and DPA.
HIPAA Assessed for HIPAA compliance by DPLMC International. BAA availability is documented at /hipaa.
ISO 27001 We do not currently hold an ISO 27001 certification. Our SOC 2 Type II report covers overlapping controls.

Data handling

Question Answer
Where is data processed and stored? Our application runs on Cloudflare Workers at the edge. Application data is stored with the vendors listed at /legal/subprocessors, primarily in the United States; per-vendor locations are listed there.
EU data residency We do not currently offer an EU-only hosting option. Transfers from the EU/EEA are safeguarded through our subprocessors' GDPR data processing agreements, which incorporate Standard Contractual Clauses where applicable.
Encryption All data is encrypted in transit with TLS 1.2+ and at rest.
Is customer data used to train AI models? No. Your content and conversations are never used to train AI models, by us or by our AI subprocessors.
Data retention Personal data is retained only as long as necessary for the purposes described in our privacy policy. Account data and content are deleted on request.
Data deletion and export Contact support@sitegpt.ai to request deletion or export of your account data.

Access and authentication

Question Answer
Authentication Passwordless sign-in via emailed magic links. There are no passwords to phish or breach.
Access controls Role-based permissions for team members control access to chatbot settings, training data, and conversation history.

AI processing

Question Answer
Which AI providers are used? OpenAI provides language models, accessed through the Portkey gateway. Embeddings are stored in Pinecone. The full list is at /legal/subprocessors.
Do AI subprocessors retain data? Our AI subprocessors do not use your data for model training. Operational retention is governed by each vendor's data processing terms, listed on our subprocessor page.
Grounding Chatbots answer from the knowledge base you configure. You can review conversations and override incorrect answers.
Question Answer
Data Processing Agreement Available at /legal/dpa.
Subprocessor list Published at /legal/subprocessors.
Who issues invoices? Paddle, acting as Merchant of Record. Invoices are issued by Paddle and can include your VAT or tax details.
Incident notification We notify affected customers of qualifying incidents without undue delay, consistent with applicable law, including GDPR timelines.
EU AI Act SiteGPT provides customer-configured AI assistants built on general-purpose models. We monitor EU AI Act guidance as it is finalized and will publish updates relevant to our service category on this page.

Questions

If your review requires signed documents, additional detail, or a call, email support@sitegpt.ai.