We treat your relationship data with the same care the Guru brings to understanding it — protected at every layer, private by design.
Infrastructure
Encryption
Sealed at rest and in flight
All data encrypted with AES-256 at rest and TLS 1.3 in transit. Your contacts never travel unprotected — not between your browser, our servers, or the AI engine.
AES-256 · TLS 1.3
Isolation
Every workspace is a fortress
All queries are scoped by workspaceId at the database layer. There is no query path that can reach another workspace's data. Isolation is structural, not policy.
Infrastructure
Vercel Pro · Singapore
Automatic failover, DDoS protection, and 99.99% uptime SLA. Deployed in the Singapore region — close to where your data lives.
Database
Neon PostgreSQL
Point-in-time recovery, automated backups, and branch-level isolation. Your data survives anything — and stays yours alone.
Authentication
Google OAuth 2.0
We never see your Google password. Authentication flows through Google's secure OAuth with minimal scope requests and timing-safe comparisons.
AI & API Security
API Keys
Hashed, never stored raw
Every API key is SHA-256 hashed before storage. The raw key is shown once, then gone. Rate limiting enforced per workspace — no single tenant can abuse the system.
crypto.timingSafeEqual
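The hash-before-storage and constant-time comparison described above, as an added Node.js example that is not 6away's own code; the `sk_<keyId>_<secret>` key format, the in-memory `keyStore` and the function names are assumptions.

```javascript
// Added example (not 6away's code): keep only SHA-256 digests of API keys.
const crypto = require('node:crypto');

// Hypothetical in-memory stand-in for an api_keys table: keyId -> record.
const keyStore = new Map();

// A plain SHA-256 digest is adequate here because the secret is 256 random
// bits; low-entropy secrets such as passwords need a slow password hash.
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Issue a key. The raw value is returned once; only its digest is stored.
function issueApiKey(workspaceId) {
  const keyId = crypto.randomBytes(6).toString('hex');          // lookup handle
  const secret = crypto.randomBytes(32).toString('base64url');  // 43 characters
  const rawKey = `sk_${keyId}_${secret}`;                       // assumed format
  keyStore.set(keyId, { workspaceId, digest: sha256(rawKey) });
  return rawKey;
}

// Verify a presented key. Returns the owning workspaceId, or null.
function verifyApiKey(presented) {
  if (typeof presented !== 'string') return null;
  const match = /^sk_([0-9a-f]{12})_[A-Za-z0-9_-]{43}$/.exec(presented);
  if (!match) return null;
  const record = keyStore.get(match[1]);
  if (!record) return null;
  // Both buffers are 32-byte digests, so timingSafeEqual cannot throw on a
  // length mismatch, and its run time does not reveal where they differ.
  const ok = crypto.timingSafeEqual(sha256(presented), record.digest);
  return ok ? record.workspaceId : null;
}
```

Hashing both sides before the comparison is what keeps `crypto.timingSafeEqual` from throwing on attacker-chosen input of a different length.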
AI Processing
Ephemeral by design
AI enrichment uses Claude, GPT-4o, and Gemini with zero training on your data. Processing is ephemeral — your relationship context never becomes a model's training set.
OWASP LLM Top 10
Prompt injection protection
The 6away Engine implements prompt injection detection, output sanitisation, PII redaction, and token budget enforcement across every AI endpoint. Prompts are isolated per workspace.
Network
SSRF & CORS locked down
Private IP blocking on all scraper and webhook endpoints prevents server-side request forgery. CORS is restricted to the app domain only — no unauthorised cross-origin access.
SSRF protection · CORS policy
Enterprise Governance
NIST AI RMF
Enterprise AI governance built in.
6away Engine is built on OWASP LLM Top 10 security controls and the NIST AI Risk Management Framework. Every AI task is classified, documented, and monitored. PII is automatically redacted. Prompt injection is detected and blocked. Outputs are sanitised. All accessible via a single governance API for your compliance team.
NIST AI 100-1 · OWASP LLM Top 10
Govern
Risk classification
Every AI task classified by risk level — minimal to high. A risk register documents purpose, data flows, limitations, and bias considerations for each capability.
Map
Data governance
Full PII redaction before AI processing. Third-party provider inventory with DPA status. Workspace isolation controls and data retention policies per task.
Measure
Real-time monitoring
Anomaly detection across error rates, cost spikes, and latency — flagged automatically. Runtime metrics tracked per AI task with 1-hour windows.
Manage
Human oversight
Admin governance dashboard returns the full compliance report. Human review defined per task: review-before-action for outreach, review-after-action for insights.
/admin/api/ai-governance
No selling. Ever.
Your data is yours. We never sell, share, or monetise your contact information. Error messages are sanitised. Health endpoints are stripped. The Guru sees your relationships — no one else does.