Security & Compliance
How UjumbeAI approaches security, multi-tenant isolation, and regulatory alignment for hospitality and service organizations.
Last Updated: February 2026
UjumbeAI is designed as a cloud-native B2B SaaS platform for hospitality and service organizations. Security, tenant isolation, and regulatory alignment are integrated into our architecture from the ground up.
1. Infrastructure & Hosting
UjumbeAI operates on trusted cloud infrastructure providers:
- Application hosting: Vercel
- Database, authentication, and storage: Supabase (PostgreSQL)
- AI processing: OpenAI
- Transactional email: Resend
Primary data storage is configured in EU data regions where available. All subprocessors operate under contractual data processing agreements.
2. Encryption
Data in Transit
All traffic is encrypted using TLS 1.2 or higher. HTTPS is enforced across the platform.
Data at Rest
Database and storage encryption are managed by Supabase infrastructure. Sensitive exports are stored in private buckets with controlled access.
3. Multi-Tenant Architecture & Isolation
UjumbeAI enforces strict tenant separation:
- Row-Level Security (RLS) at the database layer
- All records scoped by customer_id
- No cross-tenant access
- Service-role access restricted to secure backend routes only
Conversation data is never shared between customers.
4. AI Data Handling
UjumbeAI uses AI models to generate automated responses. Safeguards include:
- Customer conversation data is not used to train public AI models
- Secure transmission of AI requests
- No cross-tenant memory mixing
- Logs scoped to the originating customer
Customers remain Data Controllers for end-user data processed through the platform.
5. Access Controls & Operational Security
UjumbeAI implements operational safeguards including:
- Role-Based Access Control (RBAC)
- Multi-factor authentication for privileged access (where enabled)
- Audit logging of administrative actions
- Structured observability with correlation identifiers
- Rate limiting and abuse detection on public endpoints
Administrative mutations are logged for traceability.
6. Monitoring & Incident Response
We monitor platform stability and security events through structured logging and operational dashboards.
If a security incident affecting customer data occurs, we will investigate without undue delay, notify affected customers as required under applicable law, and provide relevant information to support customer regulatory obligations.
Customers are responsible for notifying their own end-users where required.
7. Data Protection & Regulatory Alignment
UjumbeAI is designed to support GDPR-aligned data processing, including:
- Clear Controller vs Processor separation
- Data export tools for access requests
- Controlled deletion workflows
- Defined retention periods
Customers are responsible for determining the lawful basis for processing end-user data.
8. Availability & Reliability
The platform is provided on highly available cloud infrastructure. While we strive for continuous availability, uptime is not guaranteed and may be affected by:
- Scheduled maintenance
- Infrastructure provider outages
- Third-party service disruptions
We continuously improve reliability through monitoring and controlled deployments.
9. Secure Development Practices
UjumbeAI follows modern SaaS development principles, including:
- Version-controlled deployments
- Environment isolation
- Principle of least privilege
- Controlled production access
- Incremental change management
Security improvements are ongoing as part of product development.
10. Subprocessors
UjumbeAI relies on a limited set of subprocessors to operate the Service. A current list of subprocessors may be requested by contacting us.
11. Contact
Security inquiries and responsible disclosure reports may be directed to: