Security at AI Margin
We handle your AI usage metadata with the same care you'd expect from a financial tool.
What We Access vs. What We Don't
Your AI Provider
AI Margin
usage stats only
Dashboard
What we collect
- ✓Token counts per request
- ✓Model identifiers (e.g., gpt-4o)
- ✓Request timestamps
- ✓Cost per request
- ✓Feature labels you define
What we never touch
- ×Prompt content
- ×AI model responses / outputs
- ×Training data
- ×End-user PII
- ×File uploads or attachments
Read-Only Access
AI Margin operates on a strict read-only access model. Our integration reads usage metadata from your API calls but never modifies, deletes, or creates resources in your AI provider accounts. We cannot change your models, fine-tunes, assistants, or billing settings.
We recommend creating dedicated, scoped API keys for AI Margin rather than sharing your primary keys. You can revoke access at any time from your provider's dashboard.
Encryption
All data is encrypted both at rest and in transit:
| Layer | Standard | Details |
|---|---|---|
| In transit | TLS 1.3 | All connections use HTTPS with TLS 1.3. HSTS enforced with 1-year max-age including subdomains. |
| At rest | AES-256 | Database storage encrypted at rest using AES-256. Backups encrypted with the same standard. |
| API keys | AES-256-GCM | Customer API keys encrypted with AES-256-GCM using per-tenant encryption keys. Never stored in plaintext. |
No Prompt Storage
AI Margin collects only the minimum data necessary to calculate your AI feature profitability: token counts, model identifiers, request timestamps, and associated costs.
The actual content of your prompts and AI responses passes through to the provider without being read, logged, or stored by AI Margin. Your intellectual property stays yours.
GDPR Compliance
AI Margin is fully compliant with the EU General Data Protection Regulation. We act as a data processor for your usage data and offer a Data Processing Agreement (DPA) upon request.
SOC 2 Type II certification is in progress. Our infrastructure providers (Vercel, Supabase, Stripe) are already SOC 2 Type II certified.
Data Retention Policy
We retain your data only as long as your account is active:
| Event | What happens |
|---|---|
| Account active | Data retained and accessible through the dashboard. |
| Subscription cancelled | Data retained for 30 days. You can request an export. |
| 30 days after cancellation | All usage data, API keys, and organization data permanently deleted. |
| Deletion request | Immediate deletion upon request. Processed within 30 days per GDPR. |
Infrastructure
AI Margin runs on enterprise-grade infrastructure:
| Component | Provider | Compliance |
|---|---|---|
| Application hosting | Vercel | SOC 2 Type II |
| Database & auth | Supabase | SOC 2 Type II |
| Payment processing | Stripe | PCI DSS Level 1 |
| Email delivery | Resend | SOC 2 Type II |
| Error monitoring | Sentry | SOC 2 Type II |
All data is hosted in Supabase's US-East region (AWS us-east-1). EU hosting available upon request for enterprise customers.
Full Data Export
You can request a full export of your data at any time by contacting hello@aimargin.ai. Your export will include all usage data, feature configurations, recommendations, and audit history in machine-readable format (JSON/CSV).
To delete your account and all associated data, email us or use the account deletion option in Settings. Deletion is irreversible and processed within 30 days.
Security Questions?
For security-related questions, vulnerability reports, or to request our SOC 2 report (when available):
We acknowledge security reports within 48 hours and provide a resolution timeline within 5 business days.