
Controls, boundaries, and proof we can defend today

This page is the public diligence map for Autonomy AI®: what is implemented in the current corp app, what data each product may handle, how to report security issues, and where our current security posture stops.

Status evidence

60s checks, 3s timeout, 90-day history

Public surfaces

BuckHound web/API and Velyn site/portal

Diligence route

DPA, BAA, and security exhibit review by written agreement

Repo-backed controls in the current operating surface

These are not future roadmap claims. They are controls visible in this app's routes, shared libraries, schema, and status UI.

Validated intake before routing

Contact submissions are parsed with a typed Zod schema, capped at defined field lengths, assigned product and intent metadata, saved through Prisma first, and then sent through Resend as an alerting path.

The contact route limits submissions to 10 per hour per IP when the Redis rate-limit store is configured.

app/api/contact/route.ts, lib/lead-context.ts

Restricted admin access

The submissions admin API requires the shared admin gate, validates query filters, and only returns the fields needed for review. Browser admin sessions use an HttpOnly, Secure, SameSite=Strict cookie.

Admin login attempts are limited to 5 attempts per 15 minutes per IP when Redis rate limiting is configured.

lib/auth.ts, app/api/admin/login/route.ts, app/api/admin/submissions/route.ts
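
The two per-IP limits described above (10 per hour for contact submissions, 5 per 15 minutes for admin logins), as an added TypeScript example that is not this app's own code: a fixed-window counter with an in-memory stand-in for Redis. The names (`CounterStore`, `check`, the `rl:` key prefix), the fixed-window algorithm, and the `enforced: false` result when no store is configured are assumptions.

```typescript
// Added example: fixed-window limiter. Names and structure are assumptions,
// not the code in lib/auth.ts or app/api/contact/route.ts.
interface CounterStore {
  // Increments the key, starting a new window with the given TTL; returns the count.
  incr(key: string, ttlMs: number, nowMs: number): number;
}

interface Policy { name: string; limit: number; windowMs: number; }

// Limits as stated on the page.
const CONTACT: Policy = { name: "contact", limit: 10, windowMs: 60 * 60 * 1000 };
const ADMIN_LOGIN: Policy = { name: "admin-login", limit: 5, windowMs: 15 * 60 * 1000 };

// In-memory stand-in for a Redis store (a real client would be asynchronous).
class MemoryStore implements CounterStore {
  hits = new Map<string, { count: number; expiresAt: number }>();
  incr(key: string, ttlMs: number, nowMs: number): number {
    const cur = this.hits.get(key);
    if (!cur || cur.expiresAt <= nowMs) {
      this.hits.set(key, { count: 1, expiresAt: nowMs + ttlMs });
      return 1;
    }
    cur.count += 1;
    return cur.count;
  }
}

interface Decision { allowed: boolean; enforced: boolean; remaining: number; }

function check(store: CounterStore | null, policy: Policy, ip: string, nowMs: number): Decision {
  // No store configured: nothing is counted, so surface that the limit is not enforced.
  if (store === null) return { allowed: true, enforced: false, remaining: policy.limit };
  const count = store.incr(`rl:${policy.name}:${ip}`, policy.windowMs, nowMs);
  return { allowed: count <= policy.limit, enforced: true, remaining: Math.max(0, policy.limit - count) };
}

// Constructed scenario: n requests from one documentation-range IP at a fixed time.
function allowedOutOf(store: CounterStore | null, policy: Policy, n: number, nowMs: number): number {
  let ok = 0;
  for (let i = 0; i < n; i++) if (check(store, policy, "203.0.113.7", nowMs).allowed) ok++;
  return ok;
}
```

Logging or alerting on `enforced: false` makes a missing rate-limit store visible in monitoring rather than silent.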

Public reliability monitoring

The status API probes BuckHound web, BuckHound API health, the Velyn Dental marketing site, and the Velyn Dental portal health endpoint. The dashboard exposes check cadence, support escalation, uptime windows, and incident notes.

Status responses are no-store and include support routing to /contact?product=general&intent=support&source=status-page.

app/api/status/route.ts, components/StatusDashboard.tsx

Persisted incident and uptime records

When the status store is available, public probes write target state, uptime rollups, and incidents into Prisma models rather than relying on a one-off green check.

The schema contains StatusProbe, StatusTargetState, and StatusIncident models indexed by target, status, and time.

lib/status-history.ts, prisma/schema.prisma

What this page does and does not claim

We do not publish a SOC 2 Type II report, HIPAA attestation, or penetration-test letter today. If your review requires one, route that requirement into diligence before production use.

Customer-specific obligations, including a DPA, BAA, security exhibit, retention schedule, or breach-notice terms, apply only when executed in a separate written agreement.

The public status page is an operational transparency surface, not a standalone SLA. Contractual service commitments belong in the applicable order form or agreement.

AI, analytics, affiliate, communications, payment, and hosting providers are used only for the enabled workflow described in the privacy policy and any signed customer terms.

Reach the right review path

Security review or contract diligence

Send the product, intended use, required documents, target launch date, and reviewer contact. Legal can route DPA, BAA, security exhibit, and custom agreement questions.

legal@auai.cloud

Responsible disclosure

Send reproduction steps, affected product, impact, and logs or screenshots. We aim to acknowledge credible reports within 48 hours and will coordinate remediation details directly.

legal@auai.cloud

Velyn Dental product security

Use the product-specific security inbox for dental workflow questions, disclosure follow-up, or evidence requests tied to Velyn Dental.

security@velyndental.com

What data belongs to which workflow

Product data is not one blob. The public privacy policy separates corporate contact flows, Velyn Dental call workflows, BuckHound shopping workflows, and AI processing.

Corporate site and contact flows

We collect contact details, message content, routing metadata, IP address, user agent, and referral context needed to answer requests, manage support, and keep a durable inquiry record.

Velyn Dental workflows

The published privacy policy describes caller phone numbers, timestamps, recordings, transcripts, and task-routing details as product workflow data for dental call coverage.

BuckHound workflows

BuckHound data boundaries cover watchlists, product URLs, retailer and pricing signals, push preferences, and affiliate referral events needed for deal discovery and alerts.

AI processing

Approved AI providers may process prompts, transcripts, or workflow context to deliver a requested feature. The privacy policy says we do not use customer data to train our own models.