How is sensitive data protected?

All documents are encrypted with AES-256-GCM at rest and TLS 1.3 in transit. A GDPR anonymization layer removes PII before any AI processing. Your data never leaves our SOC 2 certified infrastructure.

How long does integration take?

Less than 30 minutes. Upload documents directly, connect via OAuth for Slack, or use our REST API for bulk processing.

How does outcome tracking work?

Outcomes are detected automatically from follow-up documents, Slack messages, and web intelligence. You confirm with one click. Each reported outcome makes your future analyses more accurate.

How is Decision Intel different from ChatGPT or a general AI assistant?

ChatGPT gives one opinion from one model — ungoverned, untraceable, unaudited. Decision Intel is a governance system: it measures the noise in your reasoning the same way Kahneman did in the insurance underwriter study, simulates an AI boardroom of CEO, CFO, and board personas, runs what-if interventions against a 135-case public reference library, and compounds every confirmed outcome back into a calibrated Decision Quality Index your audit committee can defend. Not a chatbot — a human-AI governance layer.

Enterprise-grade security posture

Built for the audit committee,
not the afterthought.

AES-256-GCM at rest with keyVersion rotation, TLS 1.2+ in transit, an immutable audit log, and every flag cross-linked to a specific regulatory provision across seven frameworks. A Fortune-500 security questionnaire finishes in minutes, not weeks.

See the trust spine Privacy policy

Encryption chain

Browser to vault, end-to-end

Browser

TLS 1.2+

API edge

session auth

Anonymize

PII stripped

Pipeline

in-tenant

Vault

AES-256-GCM

Postgres

keyVersion stamp

Every row in the encrypted columns carries a keyVersion stamp so keys can be rotated without bricking historical data.

Trust spine

Five controls a GC actually tests

Every enterprise security questionnaire probes the same five things. This is how Decision Intel answers each one today, with code paths, not aspirations.

AES-256-GCM at rest, with rotation

Strategic memos and Slack bot tokens are encrypted with authenticated AES-256-GCM. Every encrypted row carries a keyVersion stamp so keys rotate without bricking historical data.

GDPR anonymizer runs first

PII is detected and redacted as the literal first node of the analysis pipeline. No analysis LLM ever sees the raw document.

Seven regulatory frameworks, provision-level

Every flag we surface carries a citation across SOX §404, GDPR Article 22, EU AI Act Annex III, Basel III, FCA Consumer Duty, SEC Reg D, and LPOA. Your GC can defend each flag against its source.

Immutable audit log

Every sensitive action (exports, decryptions, deletions, recalibrations) writes an AuditLog row with the actor, the resource, and a structured details payload. Admins see the full firehose with filters.

SOC 2 infrastructure

Hosted on Vercel (SOC 2 Type II) + Supabase (SOC 2 Type II, HIPAA). Our own SOC 2 audit is scoped for 2026 — in-flight controls already mirror Type II.

Regulatory tailwinds · already in motion

The record your AI-augmented decision-making is already supposed to produce.

Three regulatory waves are already in force or on the enforcement calendar. Each one asks for exactly the artifact the Decision Provenance Record produces — the reasoning behind a decision, the model lineage that shaped it, and the evidence that it was reviewed, not just generated. We built for this on purpose.

In force · high-risk obligations Aug 2026

EU AI Act

Article 13 (transparency), Article 14 (human oversight), Article 15 (accuracy + record-keeping), Annex III (high-risk decision-support). Every DPR section maps onto one of these — by design.

Rulemaking 2024–2026

SEC AI Disclosure

Proposed rules on AI use in investment-adviser decisions require documented oversight of the model’s role. The DPR’s model lineage + prompt fingerprint + judge variance are the documentation.

Live for regulated banks

Basel III · Pillar 2 ICAAP

Banks must document the internal capital-adequacy process including qualitative decisions. Every flagged bias in the DPR carries a Basel III provision reference on the same page.

Principles-based, pre-statutory

UK AI White Paper

Regulator guidance across FCA, ICO, and CMA converges on safety, transparency, fairness, accountability, and contestability. The DPR is the contestable artifact by default.

Live for public companies + private placements

SOX §404 + SEC Reg D

Internal-control documentation and forward-looking-statement disclosure both require evidence of process. The DPR is process evidence your auditor can point at instead of a narrative describing it.

Live since 2018

GDPR Art. 22

Automated-decision rights require the data subject be told meaningful information about the logic involved. DPR citations provide that in one document without exposing platform IP.

Positioning note for CSOs evaluating us: the Decision Provenance Record is the record your AI-augmented decision-making is supposed to produce anyway under these frameworks. We ship it on every audit so your procurement conversation starts at “here is the control” instead of “we’re working on it.”

AI Verify Foundation · Singapore IMDA

Aligned with the 11 internationally-recognised AI governance principles.

Every Decision Provenance Record field maps onto AI Verify’s 11 principles (transparency, explainability, repeatability, safety, security, robustness, fairness, data governance, accountability, human agency & oversight, inclusive growth). Cross-aligned with the EU AI Act and OECD AI Principles. Self-assessment framework; no certification claim, no overclaim.

View the principle mapping

Key rotation

Rotate encryption keys without downtime

Every row in an encrypted column carries an integer keyVersion stamp. Swapping keys is a four-step protocol — no big-bang migration, no data loss, no customer-visible pause.

Provision the new key

Set DOCUMENT_ENCRYPTION_KEY_V2 (64-character hex) in production. The legacy v1 key stays in place — no downtime, no lockout.

Cut over writes

Bump DOCUMENT_ENCRYPTION_KEY_VERSION=2 and redeploy. New writes stamp keyVersion=2; every existing row still decrypts via v1.

Backfill historical rows

Run npm run rotate:encryption-key — the CLI walks every row where keyVersion != 2, decrypts with v1, re-encrypts with v2, updates the stamp. Batched, resumable, idempotent.

Drop the old key

Once every row is on v2, delete DOCUMENT_ENCRYPTION_KEY (v1) from the production env and redeploy. Rotation complete.

The rotate CLI lives at scripts/rotate-encryption-key.ts. Resumable, batched, idempotent. Dry-run mode available.

Regulatory coverage

Seven frameworks, mapped flag-by-flag

Every flag the pipeline surfaces carries a regulatory citation. Your GC doesn't take the tool on faith — they walk into the audit committee meeting with the memo, the flags, and the framework sections attached.

SOX §404

Sarbanes-Oxley

Public-company material-statement controls.

GDPR Art. 22

General Data Protection Regulation

Automated-decision rights for EU data subjects.

EU AI Act · Annex III

EU AI Act

High-risk AI decision-support obligations.

Basel III

Basel III

Capital-allocation decisions in regulated banks.

FCA Consumer Duty

Financial Conduct Authority

UK financial-services decisioning.

SEC Reg D

SEC Regulation D

Forward-looking statements + safe-harbour disclosure.

LPOA

Limited Partnership Obligations

Fund-level fiduciary dissent documentation.

Decision Provenance Record export

A signed, hashed 4-page artifact your General Counsel hands to the audit committee or regulator of record — built to the shape EU AI Act Article 14, SEC AI disclosure, and Basel III ICAAP already require. Includes input-document hash, prompt fingerprint, model lineage, academic citations across the 30+ bias taxonomy, regulatory mapping across seven frameworks, and full pipeline lineage.

See Strategy pricing

Access controls

Who gets in, and who sees what

What is available today across every plan, and what is unlocked on Enterprise.

Available

Google Workspace SSO

Single sign-on via Google Workspace, live today on every plan. No password is ever stored; sessions are signed and rotated server-side.

Enterprise

SAML 2.0 and OIDC single sign-on

Okta, Azure AD, OneLogin, Ping, JumpCloud, and generic SAML / OIDC. Your IT admin configures the connection from the admin console; typical setup is under 20 minutes from metadata paste to first login.

Enterprise

Org-wide session visibility

Admins see every active session across the organisation, can force-log-out a departing member in a single click, and can set a per-org idle timeout between 15 minutes and 8 hours.

Available

Admin audit log

Org admins review every action taken inside their workspace — who viewed which memo, who exported a Decision Provenance Record, who invited a new member — with filters, date range, and CSV export for downstream compliance tooling.

Available

Per-org data isolation

Every data access scopes on organisation. Your Decision Knowledge Graph, your audit trail, and your outcome history are strictly org-private and are never cross-read by any other tenant.

Incident response

What happens if something goes wrong

The commitment isn't that incidents never happen — it's what you'll hear from us when one does, and in what timeframe.

Within

1h

Internal detection + containment triggered. Customer-visible status posted within the hour when customer data is in scope.

Within

24h

First disclosure to affected customers with the scope, the data classes involved, and the remediation plan.

Within

72h

Regulator notification where applicable (GDPR Art. 33, SEC 8-K item 1.05) with the materiality assessment attached.

Within

30d

Full post-mortem delivered to affected customers. Root cause, timeline, controls added, exposure window. Signed by the founder.

Sub-processors

Every vendor that touches your data

Transparent processor list with each vendor's certification posture and hosting region. Updated in lock-step with our vendor agreements.

Vendor

Role

Certification

Region

Vercel

Application hosting + CDN

SOC 2 Type II

US + EU

Supabase

Postgres + Auth + Storage

SOC 2 Type II · HIPAA

Google AI

Primary analysis LLM

No-training contract terms

Anthropic

Fallback analysis LLM

No-training contract terms

Stripe

Billing

PCI-DSS Level 1 · SOC 1/2

US + EU

Sentry

Error monitoring

SOC 2 Type II

Found something? We want to hear about it.

Responsible disclosure is a first-class contract with our users. Report vulnerabilities to security@decision-intel.com — first response within 48 hours, every time. For DPA requests, SOC 2 reports, or a security questionnaire response, reach the same inbox and reference your organisation name.

Email security@Privacy policy

Last reviewed · 2026-04-19 · security@decision-intel.com

Enterprise-grade security posture

Built for the audit committee,
not the afterthought.

See the trust spine Privacy policy

Encryption chain

Browser to vault, end-to-end

Browser

TLS 1.2+

API edge

session auth

Anonymize

PII stripped

Pipeline

in-tenant

Vault

AES-256-GCM

Postgres

keyVersion stamp

Every row in the encrypted columns carries a keyVersion stamp so keys can be rotated without bricking historical data.

Trust spine

Five controls a GC actually tests

Every enterprise security questionnaire probes the same five things. This is how Decision Intel answers each one today, with code paths, not aspirations.

AES-256-GCM at rest, with rotation

Strategic memos and Slack bot tokens are encrypted with authenticated AES-256-GCM. Every encrypted row carries a keyVersion stamp so keys rotate without bricking historical data.

GDPR anonymizer runs first

PII is detected and redacted as the literal first node of the analysis pipeline. No analysis LLM ever sees the raw document.

Seven regulatory frameworks, provision-level

Every flag we surface carries a citation across SOX §404, GDPR Article 22, EU AI Act Annex III, Basel III, FCA Consumer Duty, SEC Reg D, and LPOA. Your GC can defend each flag against its source.

Immutable audit log

SOC 2 infrastructure

Hosted on Vercel (SOC 2 Type II) + Supabase (SOC 2 Type II, HIPAA). Our own SOC 2 audit is scoped for 2026 — in-flight controls already mirror Type II.

Regulatory tailwinds · already in motion

The record your AI-augmented decision-making is already supposed to produce.

In force · high-risk obligations Aug 2026

EU AI Act

Article 13 (transparency), Article 14 (human oversight), Article 15 (accuracy + record-keeping), Annex III (high-risk decision-support). Every DPR section maps onto one of these — by design.

Rulemaking 2024–2026

SEC AI Disclosure

Proposed rules on AI use in investment-adviser decisions require documented oversight of the model’s role. The DPR’s model lineage + prompt fingerprint + judge variance are the documentation.

Live for regulated banks

Basel III · Pillar 2 ICAAP

Banks must document the internal capital-adequacy process including qualitative decisions. Every flagged bias in the DPR carries a Basel III provision reference on the same page.

Principles-based, pre-statutory

UK AI White Paper

Regulator guidance across FCA, ICO, and CMA converges on safety, transparency, fairness, accountability, and contestability. The DPR is the contestable artifact by default.

Live for public companies + private placements

SOX §404 + SEC Reg D

Internal-control documentation and forward-looking-statement disclosure both require evidence of process. The DPR is process evidence your auditor can point at instead of a narrative describing it.

Live since 2018

GDPR Art. 22

Automated-decision rights require the data subject be told meaningful information about the logic involved. DPR citations provide that in one document without exposing platform IP.

AI Verify Foundation · Singapore IMDA

Aligned with the 11 internationally-recognised AI governance principles.

View the principle mapping

Key rotation

Rotate encryption keys without downtime

Every row in an encrypted column carries an integer keyVersion stamp. Swapping keys is a four-step protocol — no big-bang migration, no data loss, no customer-visible pause.

Provision the new key

Set DOCUMENT_ENCRYPTION_KEY_V2 (64-character hex) in production. The legacy v1 key stays in place — no downtime, no lockout.

Cut over writes

Bump DOCUMENT_ENCRYPTION_KEY_VERSION=2 and redeploy. New writes stamp keyVersion=2; every existing row still decrypts via v1.

Backfill historical rows

Run npm run rotate:encryption-key — the CLI walks every row where keyVersion != 2, decrypts with v1, re-encrypts with v2, updates the stamp. Batched, resumable, idempotent.

Drop the old key

Once every row is on v2, delete DOCUMENT_ENCRYPTION_KEY (v1) from the production env and redeploy. Rotation complete.

The rotate CLI lives at scripts/rotate-encryption-key.ts. Resumable, batched, idempotent. Dry-run mode available.

Regulatory coverage

Seven frameworks, mapped flag-by-flag

SOX §404

Sarbanes-Oxley

Public-company material-statement controls.

GDPR Art. 22

General Data Protection Regulation

Automated-decision rights for EU data subjects.

EU AI Act · Annex III

EU AI Act

High-risk AI decision-support obligations.

Basel III

Basel III

Capital-allocation decisions in regulated banks.

FCA Consumer Duty

Financial Conduct Authority

UK financial-services decisioning.

SEC Reg D

SEC Regulation D

Forward-looking statements + safe-harbour disclosure.

LPOA

Limited Partnership Obligations

Fund-level fiduciary dissent documentation.

Decision Provenance Record export

See Strategy pricing

Access controls

Who gets in, and who sees what

What is available today across every plan, and what is unlocked on Enterprise.

Available

Google Workspace SSO

Single sign-on via Google Workspace, live today on every plan. No password is ever stored; sessions are signed and rotated server-side.

Enterprise

SAML 2.0 and OIDC single sign-on

Enterprise

Org-wide session visibility

Admins see every active session across the organisation, can force-log-out a departing member in a single click, and can set a per-org idle timeout between 15 minutes and 8 hours.

Available

Admin audit log

Available

Per-org data isolation

Every data access scopes on organisation. Your Decision Knowledge Graph, your audit trail, and your outcome history are strictly org-private and are never cross-read by any other tenant.

Incident response

What happens if something goes wrong

The commitment isn't that incidents never happen — it's what you'll hear from us when one does, and in what timeframe.

Within

1h

Internal detection + containment triggered. Customer-visible status posted within the hour when customer data is in scope.

Within

24h

First disclosure to affected customers with the scope, the data classes involved, and the remediation plan.

Within

72h

Regulator notification where applicable (GDPR Art. 33, SEC 8-K item 1.05) with the materiality assessment attached.

Within

30d

Full post-mortem delivered to affected customers. Root cause, timeline, controls added, exposure window. Signed by the founder.

Sub-processors

Every vendor that touches your data

Transparent processor list with each vendor's certification posture and hosting region. Updated in lock-step with our vendor agreements.

Vendor

Role

Certification

Region

Vercel

Application hosting + CDN

SOC 2 Type II

US + EU

Supabase

Postgres + Auth + Storage

SOC 2 Type II · HIPAA

Google AI

Primary analysis LLM

No-training contract terms

Anthropic

Fallback analysis LLM

No-training contract terms

Stripe

Billing

PCI-DSS Level 1 · SOC 1/2

US + EU

Sentry

Error monitoring

SOC 2 Type II

Found something? We want to hear about it.

Email security@Privacy policy

Last reviewed · 2026-04-19 · security@decision-intel.com

Built for the audit committee,not the afterthought.

Five controls a GC actually tests

The record your AI-augmented decision-making is already supposed to produce.

Rotate encryption keys without downtime

Seven frameworks, mapped flag-by-flag

Who gets in, and who sees what

What happens if something goes wrong

Every vendor that touches your data

Found something? We want to hear about it.

Built for the audit committee,not the afterthought.

Five controls a GC actually tests

The record your AI-augmented decision-making is already supposed to produce.

Rotate encryption keys without downtime

Seven frameworks, mapped flag-by-flag

Who gets in, and who sees what

What happens if something goes wrong

Every vendor that touches your data

Found something? We want to hear about it.

Built for the audit committee,
not the afterthought.

Built for the audit committee,
not the afterthought.