Trust portal
Last updated · May 16, 2026
gotcontext.ai is operated by James P. Hollingsworth, a sole proprietor doing business as gotcontext.ai, North Carolina, United States. Legal contact: james@gotcontext.ai.
One URL to send to procurement. Below: the security overview, our standard DPA, the active sub-processor list, our current SOC 2 status, our audit-log catalog, and the live status page. Most artifacts are public; SOC 2 reports (when available) and pen-test results are gated behind an NDA on close.
Security overview
How gotcontext.ai processes, stores, and protects your data — compression architecture, encryption, access control. Read the full security page.
Sub-processors
Fourteen active sub-processors (Cloudflare, Fly, Vercel, Supabase, Upstash, Clerk, Polar, Resend, Beehiiv, Sentry, PostHog, GitHub, Nevermined, Skyfire) with regions, data categories, and links to each provider’s DPA. View the full list — we commit to 30-day prior notice on additions or changes.
DPA
Standard Data Processing Agreement available on request. Email legal@gotcontext.ai for a copy or to start a redlines discussion. Mirrors GDPR Art. 28 processor obligations; sub-processor change-notice commitment is in §4. Business and Enterprise Dedicated customers receive a co-signed copy at contract close.
If your account uses agent-to-agent payment routing (Nevermined or Skyfire), the Agent Payment Routing Terms of Service addendum applies in addition to the main Terms of Service. It covers the non-custodial routing policy, liability boundary, audit logging scope, and the 30-day change-notice commitment for payment-rail changes.
SOC 2 — current status
SOC 2 Type I — in progress, target Q3 2026. No report has been issued yet (SOC 2 is an attestation report, not a certification). We’re stating this honestly rather than dressing aspiration as readiness: the audit kicks off this quarter and we’ll publish the report under NDA on close. Type II follows ~12 months after Type I.
Until the Type I report is issued, the substantive security posture documented on the security page and the inline sub-processor inventory at /sub-processors are the procurement-ready evidence we have today. Self-hosted Docker (Business+) removes the question entirely: your data plane never leaves your VPC.
Audit-log event catalog
Business and Enterprise Dedicated tiers ship an audit-log export (NDJSON + CSV) covering the following event categories:
- API-key lifecycle (mint, rotate, revoke, expire)
- Team membership (invite, accept, role-change, remove)
- Webhook configuration (create, update, signing-key rotate, delete)
- Project configuration (create, settings change, delete)
- Compression jobs (request metadata + result metadata; never the payload)
- Billing events (plan change, overage threshold, cancellation)
- Admin actions (only for Enterprise customers with admin seats)
Events carry actor (user_id + clerk_id), timestamp (UTC ISO-8601), request_id, and contextual identifiers. Retention: 90 days on Business; configurable on Enterprise Dedicated (including indefinite streaming to your S3 or Datadog).
Status page
Live uptime and 90-day rolling history per component at status.gotcontext.ai. Required reading before signing the 99.5% Business SLA or the 99.9% Enterprise SLA — we don’t promise what the operational record doesn’t justify.
On roadmap (H2 2026)
Compliance & data plane:
- SOC 2 Type I close + Type II window opens
- SCIM 2.0 provisioning (Enterprise Dedicated tier)
- Cloud BYOK / CMEK (AWS KMS, GCP Cloud KMS) for hosted plans — self-hosted Docker remains the answer for buyers who want the data plane in their own VPC today
- EU and APAC region availability (Fly fra + nrt regions)
- Tamper-evident hash-chain on audit logs (currently signed; chain comes with Type II prep)
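The audit-log export above is NDJSON, and the roadmap item directly above promises a hash chain over it. The following is an added example (not gotcontext.ai code) that parses an NDJSON export, links each record to its predecessor with a SHA-256 chain, and verifies the chain against edits and deletions. The sample records are constructed; the JSON key names (event, actor, ts, request_id, target) are assumptions, since the page only states that events carry an actor (user_id + clerk_id), a UTC ISO-8601 timestamp, a request_id and contextual identifiers. The chaining scheme is an illustration of the technique, not the project's current signing or future chaining format.

```python
"""Added example: NDJSON audit-log consumer plus a tamper-evident hash chain.

Assumptions (not from the page): the JSON key names in SAMPLE_NDJSON and the
chain layout (prev_hash / hash fields, SHA-256, all-zero genesis).
"""
import hashlib
import json
from typing import Iterable, Optional

# Constructed sample export: one JSON object per line, as in an NDJSON file.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"event": "api_key.mint", "actor": {"user_id": "u_1", "clerk_id": "user_a1"},
     "ts": "2026-05-01T09:00:00Z", "request_id": "req_001",
     "target": {"key_id": "k_1", "project_id": "p_1"}},
    {"event": "team.role_change", "actor": {"user_id": "u_1", "clerk_id": "user_a1"},
     "ts": "2026-05-01T09:05:00Z", "request_id": "req_002",
     "target": {"user_id": "u_2", "from": "Viewer", "to": "Admin"}},
    {"event": "webhook.signing_key_rotate", "actor": {"user_id": "u_2", "clerk_id": "user_b2"},
     "ts": "2026-05-01T09:07:00Z", "request_id": "req_003", "target": {"webhook_id": "wh_1"}},
    {"event": "api_key.revoke", "actor": {"user_id": "u_2", "clerk_id": "user_b2"},
     "ts": "2026-05-01T09:09:00Z", "request_id": "req_004",
     "target": {"key_id": "k_1", "project_id": "p_1"}},
])

GENESIS = "0" * 64              # prev_hash of the first record in a fresh chain
CHAIN_FIELDS = ("prev_hash", "hash")


def parse_ndjson(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def canonical(record: dict) -> bytes:
    """Deterministic encoding of the record body (chain fields excluded), so the
    digest does not depend on key order or whitespace."""
    body = {k: v for k, v in record.items() if k not in CHAIN_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash: str, record: dict) -> str:
    """H(prev_hash || canonical(record)): each digest commits to the whole prefix."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def link_chain(records: Iterable[dict], prev_hash: str = GENESIS) -> list[dict]:
    """Return copies of the records with prev_hash / hash appended."""
    chained = []
    for rec in records:
        digest = record_hash(prev_hash, rec)
        body = {k: v for k, v in rec.items() if k not in CHAIN_FIELDS}
        chained.append({**body, "prev_hash": prev_hash, "hash": digest})
        prev_hash = digest
    return chained


def verify_chain(chained: list[dict], genesis: str = GENESIS) -> tuple[bool, Optional[int]]:
    """(True, None) if intact, else (False, index of the first failing record).

    Detects edits (hash mismatch) and deletions or reordering in the middle
    (prev_hash mismatch). Truncation at the tail is NOT detected by the chain
    alone; the latest hash must be stored out of band (e.g. with the signature
    the export already carries).
    """
    prev_hash = genesis
    for i, rec in enumerate(chained):
        if rec.get("prev_hash") != prev_hash or rec.get("hash") != record_hash(prev_hash, rec):
            return False, i
        prev_hash = rec["hash"]
    return True, None


def by_request_id(records: list[dict], request_id: str) -> list[dict]:
    """Triage helper: the events behind a support ticket's request_id."""
    return [r for r in records if r.get("request_id") == request_id]


def tamper_edit(chained: list[dict], index: int) -> tuple[bool, Optional[int]]:
    """Change one record's actor on a copy and re-verify."""
    copy = [dict(r) for r in chained]
    copy[index]["actor"] = {"user_id": "u_9", "clerk_id": "user_z9"}
    return verify_chain(copy)


def tamper_delete(chained: list[dict], index: int) -> tuple[bool, Optional[int]]:
    """Drop one record from a copy and re-verify."""
    return verify_chain(chained[:index] + chained[index + 1:])


if __name__ == "__main__":
    chain = link_chain(parse_ndjson(SAMPLE_NDJSON))
    print("intact:", verify_chain(chain))
    print("record 1 edited:", tamper_edit(chain, 1))
    print("record 1 deleted:", tamper_delete(chain, 1))
    print("last record deleted:", tamper_delete(chain, 3))
    print("req_002:", [r["event"] for r in by_request_id(chain, "req_002")])
```

The last case is the one to watch when evaluating any hash-chained log: dropping the tail leaves a perfectly valid shorter chain, so the consumer must anchor the final hash somewhere the producer cannot rewrite (the export's signature, a write-once bucket, or the next export's genesis).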
Identity & access — gaps a procurement reviewer should know about today:
- Full SSO configuration API — today the SSO connection is scoped via the dashboard at Settings → Security & SSO. Programmatic IdP metadata / ACS / attribute-mapping / JIT-provisioning endpoints are not yet exposed.
- Member management API (invite, role change, remove) — today this is dashboard-only. REST endpoints (POST/PUT/DELETE on /v1/members) are on the H2 2026 roadmap.
- Per-project role scoping — the four roles (Owner, Admin, Operator, Viewer) are currently account-global. Per-project scoping is on the H2 2026 roadmap.
- Per-project / per-IP / per-scope API key constraints — today gc_keys can be bound to a project (v1.22+), but scope (compress-only / read-only / admin) and IP allowlist are not yet supported.
- Programmatic audit-log endpoint — GET /v1/audit-events with actor / action / target / time filters and a documented event catalog. Today audit-log export is delivered as an NDJSON + CSV file (see the audit-log catalog section above); the streaming programmatic endpoint is on the roadmap.
API surface maturity — known gaps in the public REST API contract:
- Idempotency-Key header support on POST endpoints (/v1/compress, /v1/batch-compress, /v1/keys) for safe-retry semantics.
- Cursor pagination on list endpoints (/v1/keys, /v1/projects, /v1/batch-queue). Today these return naked arrays.
- X-Request-Id on every response (surfaced in error bodies). Required for support-ticket triage at scale.
- Standardized error envelope ({ error: { code, message, request_id, docs_url, field? } }). Today some endpoints return bare { detail: string }, others return structured { detail: { error_code, marker_class } }.
- Documented versioning + deprecation policy. The current contract uses semver-style version tags inline (v1.4.0, v1.23.1); the RFC 8594 Sunset-header policy + 12-month deprecation minimum for Enterprise is on the roadmap.
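Until the envelope and Idempotency-Key items ship, client code has to cope with the two error shapes listed above and must not assume POST retries are safe. The following is an added example (a client-side shim, not gotcontext.ai code) that folds every shape named on this page into the target envelope and gates retries on method idempotency. The `details` key is my own extension for carrying fields such as marker_class that have no slot in the target shape; the `http_<status>` fallback code is likewise an assumption, and the sample bodies are constructed.

```python
"""Added example: normalise current error bodies into the target envelope and
decide whether a failed request can be retried without Idempotency-Key.

Shapes taken from the page:
  bare        {"detail": "<string>"}
  structured  {"detail": {"error_code": ..., "marker_class": ...}}
  target      {"error": {"code", "message", "request_id", "docs_url", "field"?}}
Assumptions (mine, not the page's): the "details" extension and the
"http_<status>" fallback code.
"""
from typing import Any, Mapping, Optional

TARGET_KEYS = ("code", "message", "request_id", "docs_url", "field")
IDEMPOTENT_METHODS = {"GET", "HEAD", "PUT", "DELETE"}


def header(headers: Optional[Mapping[str, str]], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    want = name.lower()
    for k, v in (headers or {}).items():
        if k.lower() == want:
            return v
    return None


def normalize_error(status: int, body: Any,
                    headers: Optional[Mapping[str, str]] = None) -> dict:
    """Return {"error": {...}} in the target shape whatever the endpoint sent.

    request_id comes from an X-Request-Id header when present, else from the
    body, else stays None. Keys with no slot in the target shape (for example
    marker_class) are kept under "details", a client-side extension.
    """
    err: dict = {k: None for k in TARGET_KEYS}
    details: dict = {}
    if isinstance(body, dict) and isinstance(body.get("error"), dict):
        # Already the target envelope: copy known keys, stash anything else.
        for k, v in body["error"].items():
            (err if k in TARGET_KEYS else details)[k] = v
    elif isinstance(body, dict) and isinstance(body.get("detail"), dict):
        d = body["detail"]
        err["code"] = d.get("error_code")
        err["message"] = d.get("message")
        details.update({k: v for k, v in d.items() if k not in ("error_code", "message")})
    elif isinstance(body, dict) and isinstance(body.get("detail"), str):
        err["message"] = body["detail"]
    else:
        # Non-JSON or unexpected body, e.g. an HTML 502 page from an edge proxy.
        err["message"] = body if isinstance(body, str) else repr(body)

    if err["code"] is None:
        err["code"] = f"http_{status}"        # synthetic code, marked by prefix
    if err["message"] is None:
        err["message"] = err["code"]
    err["request_id"] = header(headers, "X-Request-Id") or err["request_id"]
    for optional in ("docs_url", "field"):   # optional in the target shape
        if err[optional] is None:
            del err[optional]
    if details:
        err["details"] = details
    return {"error": err}


def safe_to_retry(method: str, status: int) -> bool:
    """Retry only transient failures of methods that are idempotent by
    definition. Without Idempotency-Key a retried POST /v1/compress may run
    the job twice, so POSTs are never retried automatically here."""
    transient = status in (408, 429) or status >= 500
    return transient and method.upper() in IDEMPOTENT_METHODS


if __name__ == "__main__":
    print(normalize_error(404, {"detail": "Project not found"}, {"x-request-id": "req_9"}))
    print(normalize_error(422, {"detail": {"error_code": "invalid_marker",
                                           "marker_class": "anchor"}}))
    print(normalize_error(502, "<html>bad gateway</html>", {"X-Request-Id": "req_7"}))
    print(safe_to_retry("GET", 503), safe_to_retry("POST", 503))
```

Once the envelope lands, only the first branch should ever fire; keeping the other branches until then means a rollout that changes one endpoint at a time does not break the client.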
Webhooks — known gaps:
- Event catalog beyond compression.completed. The full event taxonomy (job lifecycle, key lifecycle, member lifecycle, billing, audit) is on the roadmap.
- Delivery log endpoint — today there is no GET /v1/webhooks/{id}/deliveries. Required for ops debugging at scale.
- Replay endpoint for failed deliveries.
Environments & integration ergonomics:
- Dedicated sandbox environment at sandbox.api.gotcontext.ai with non-billable keys and a documented parity statement. Today the closest approximation is the Run sample request widget at the top of the docs.
- Named, versioned SDKs (Python + TypeScript today, no versioning policy). Versioning policy + Postman collection ship with the deprecation policy above.
- Programmatic billing surface beyond Polar redirect URLs — invoice listing, upcoming-invoice preview, payment-method status.
Why we list this publicly. Procurement reviewers ask about every one of these gaps in security questionnaires. Disclosing them here saves a round-trip and matches our SOC 2 disclosure stance: stated honestly rather than dressed as readiness. Order is approximately by priority; concrete ship dates land in the changelog as each gap closes.
Contact
Procurement, security questionnaires, RFP responses, custom DPA / MSA: legal@gotcontext.ai. First-response target: one business day. For commercial scoping (ACV, timeline, tier fit) the enterprise contact form is the right entry.