Trust portal
Last updated · May 16, 2026
gotcontext.ai is operated by James P. Hollingsworth, a sole proprietor doing business as gotcontext.ai, North Carolina, United States. Legal contact: james@gotcontext.ai.
One URL to send to procurement. Below: the security overview, our standard DPA, the active sub-processor list, our current SOC 2 status, our audit-log catalog, and the live status page. Most artifacts are public; SOC 2 reports (when available) and pen-test results are gated behind an NDA on close.
Security overview
How gotcontext.ai processes, stores, and protects your data: compression architecture, encryption, access control. Read the full security page.
Sub-processors
The active sub-processors (Cloudflare, Fly, Vercel, Supabase, Upstash, Clerk, Polar, Resend, Beehiiv, Sentry, PostHog, GitHub, Nevermined, Skyfire) with regions, data categories, and links to each provider’s DPA. View the full list. We commit to 30-day prior notice on additions or changes.
DPA
Standard Data Processing Agreement available on request. Email legal@gotcontext.ai for a copy or to start a redlines discussion. Mirrors GDPR Art. 28 processor obligations; sub-processor change-notice commitment is in §4. Business and Enterprise Dedicated customers receive a co-signed copy at contract close.
If your account uses agent-to-agent payment routing (Nevermined or Skyfire), the Agent Payment Routing Terms of Service addendum applies in addition to the main Terms of Service. It covers the non-custodial routing policy, liability boundary, audit logging scope, and the 30-day change-notice commitment for payment-rail changes.
SOC 2: current status
SOC 2 Type I: in progress, target Q3 2026. Not yet certified, and we have not yet engaged an independent auditor. We’re stating this honestly rather than dressing aspiration as readiness. When we engage an auditor we’ll publish the report under NDA on close. Type II follows after Type I.
Until certification closes, the substantive security posture documented on the security page and the inline sub-processor inventory at /sub-processors is the procurement-ready evidence we have today. Self-hosted Docker (Business+) removes the question entirely: your data plane never leaves your VPC.
Audit-log event catalog
Business and Enterprise Dedicated tiers ship an audit-log export (NDJSON + CSV) covering the following event categories:
- API-key lifecycle (mint, rotate, revoke, expire)
- Team membership (invite, accept, role-change, remove)
- Webhook configuration (create, update, signing-key rotate, delete)
- Project configuration (create, settings change, delete)
- Compression jobs (request metadata + result metadata; never the payload)
- Billing events (plan change, overage threshold, cancellation)
- Admin actions (only for Enterprise customers with admin seats)
Events carry actor (user_id + clerk_id), timestamp (UTC ISO-8601), request_id, and contextual identifiers. Retention: 90 days on Business; configurable on Enterprise Dedicated (including indefinite streaming to your S3 or Datadog).
Status page
Live uptime and 90-day rolling history per component at status.gotcontext.ai. Any uptime SLA, where offered, is defined in your plan or Order Form, which governs over this page. We don’t promise what the operational record doesn’t justify.
On roadmap (H2 2026)
Compliance & data plane:
- SOC 2 Type I close + Type II window opens
- SCIM 2.0 provisioning (Enterprise Dedicated tier)
- Cloud BYOK / CMEK (AWS KMS, GCP Cloud KMS) for hosted plans. Self-hosted Docker remains the answer for buyers who want the data plane in their own VPC today
- EU and APAC region availability (Fly fra + nrt regions)
- Tamper-evident hash-chain on audit logs (currently signed; chain comes with Type II prep)
Identity & access: gaps a procurement reviewer should know about today:
- Full SSO configuration API: today the SSO connection is scoped via the dashboard at Settings → Security & SSO. Programmatic IdP metadata / ACS / attribute- mapping / JIT-provisioning endpoints are not yet exposed.
- Member management API: invite, role change, remove. Today this is dashboard-only. REST endpoints (POST/PUT/DELETE on
/v1/members) are on the H2 2026 roadmap. - Per-project role scoping: the four roles (Owner, Admin, Operator, Viewer) are currently account-global. Per-project scoping is on the H2 2026 roadmap.
- Per-project / per-IP / per-scope API key constraints: today
gc_keys can be bound to a project (v1.22+) but scope (compress-only / read-only / admin) and IP allowlist are not yet supported. - Programmatic audit-log endpoint:
GET /v1/audit-eventswith actor / action / target / time filters and a documented event catalog. Today audit log export is delivered as an NDJSON + CSV file (see the audit-log catalog section above); the streaming programmatic endpoint is on the roadmap.
API surface maturity: known gaps in the public REST API contract:
Idempotency-Keyheader support on POST endpoints (/v1/compress,/v1/batch-compress,/v1/keys) for safe-retry semantics.- Cursor pagination on list endpoints (
/v1/keys,/v1/projects,/v1/batch-queue). Today these return naked arrays. X-Request-Idon every response (surfaced in error bodies). Required for support-ticket triage at scale.- Standardized error envelope (
{ error: { code, message, request_id, docs_url, field? } }). Today some endpoints return bare{ detail: string }, others return structured{ detail: { error_code, marker_class } }. - Documented versioning + deprecation policy. The current contract uses semver-style version tags inline (
v1.4.0,v1.23.1); the RFC 8594 Sunset-header policy + 12-month deprecation minimum for Enterprise is on the roadmap.
Webhooks, known gaps:
- Event catalog beyond
compression.completed. The full event taxonomy (job lifecycle, key lifecycle, member lifecycle, billing, audit) is on the roadmap. - Replay endpoint for failed deliveries. The delivery-log endpoint itself (
GET /v1/webhooks/{id}/deliveries, status / attempt / response-code per delivery) is already live; the gap is a one-click replay of a failed delivery.
Environments & integration ergonomics:
- Dedicated sandbox environment at
sandbox.api.gotcontext.aiwith non-billable keys and a documented parity statement. Today the closest approximation is the Run sample request widget at the top of the docs. - Named, versioned SDKs (Python + TypeScript today, no versioning policy). Versioning policy + Postman collection ship with the deprecation policy above.
- Programmatic billing surface beyond Polar redirect URLs: invoice listing, upcoming-invoice preview, payment-method status.
Why we list this publicly. Procurement reviewers ask about every one of these gaps in security questionnaires. Disclosing them here saves a round-trip and matches our SOC 2 disclosure stance: stated honestly rather than dressed as readiness. Order is approximately by priority; concrete ship dates land in the changelog as each gap closes.
Contact
Procurement, security questionnaires, RFP responses, custom DPA / MSA: legal@gotcontext.ai. First-response target: one business day. For commercial scoping (ACV, timeline, tier fit) the enterprise contact form is the right entry.