Sift AI Security Prospectus
Source: Sift AI Security Prospectus.pdf
Pages: 4

--- Page 1 ---
Sift AI
SECURITY PROSPECTUS
Security at Sift AI, at a glance
A one-read overview of how Sift AI protects your data, the
certifications behind it, and the evidence we can share under
NDA. For the full technical detail, see our Security and
Architecture Overview whitepaper.
ISO 27001 certified  ·  SOC 2 Type II, external audit underway  ·  GDPR compliant
APRIL 2026
CONFIDENTIAL
NIFTORY INC. DBA SIFT AI (“SIFT AI”)

--- Page 2 ---
Who we are, and what we protect
Sift AI is an agentic platform for customer and community teams. You connect
your channels, and a team of AI agents reads every incoming message, scores it,
drafts a reply, and routes it to the right place. Your people stay in control and step
in where needed.
Because Sift AI reads and acts on customer conversations across social, messaging, reviews, and community channels,
security is foundational rather than an add-on. Every message follows one path: it passes a consent gate you control, is
captured and analyzed inside a single encrypted, audited cloud boundary, and any reply waits for the level of human
review you set. Nothing enters Sift AI until you connect a channel and grant access, and you can revoke that access at
any time.
[Diagram: data flow. Your channels (social, messaging, reviews, community) pass a consent gate into the Sift AI secure cloud (encrypted, audited), where messages are captured, understood by the AI agents, and acted on (routed, draft reply). External AI inference: US-hosted, no training. Human review: approve, edit, override. Controls: TLS 1.2+, encrypted at rest, SSO + MFA, audit logs, 24/7 monitoring, multi-AZ failover.]
Your channels pass a consent gate, then move through capture, the AI agents, and human review inside
one encrypted, audited boundary. AI inference is the one outbound step: agents call vetted, US-hosted
providers over encrypted APIs, under terms that bar training on your data.

--- Page 3 ---
How we protect your data
Identity and access. Staff sign in through single sign-on with multi-factor authentication. Access is least-privilege and
reviewed quarterly. There are no shared logins and no long-lived keys in the runtime path.
Encryption. Every connection uses TLS 1.2 or higher, including database traffic, and data is encrypted at rest. There are
no plaintext protocols in production, and public endpoints score A or higher on independent TLS testing.
Governed AI inference. Agents call vetted, US-hosted providers (Gemini, OpenAI, Anthropic) only from our backend, over
encrypted APIs, under enterprise terms that bar training on your data. We do not sell your data, and we do not use it to
train shared models.
Human in the loop. Automation is confidence-gated. An agent acts on its own only when it is confident and you have
allowed that action; otherwise it hands the conversation to a person. You set the limits and adjust them at any time.
Resilient infrastructure. Sift AI runs on AWS with critical services duplicated across availability zones and databases
mirrored with automatic failover, backed by point-in-time backups and continuous monitoring. Our last recovery test
restored full service in 42 minutes with zero data lost.
Audit and incident response. Platform, access, and network activity is logged, retained, and monitored for anomalies. We
maintain a documented incident response plan and notify affected customers in line with contractual and regulatory
obligations, including GDPR timelines where they apply.
The facts a reviewer asks for first

Q: Where is our data hosted?
A: United States, on AWS in the US East region. EU and EEA data residency available on request for enterprise customers.

Q: Is data encrypted?
A: TLS 1.2 or higher in transit, including database traffic; encrypted at rest. No plaintext protocols in production.

Q: Do you train on our data?
A: No. Never sold, never used to train shared models. Inference runs under enterprise terms that bar training on your data.

Q: Who can access our data?
A: Least-privilege, via SSO with MFA, reviewed quarterly. No shared logins or long-lived runtime keys.

Q: Certifications?
A: ISO 27001 certified. SOC 2 Type II: internal audit complete, external audit underway. GDPR compliant; DPA available.

Q: Recovery targets?
A: 40-minute RTO, 15-minute RPO. Last DR test restored full service in 42 minutes with zero data loss.

Q: Subprocessors?
A: A small set: AWS for hosting; Gemini, OpenAI, Anthropic for inference; vetted identity and observability providers. Full list under NDA.

--- Page 4 ---
Q: Programmatic access?
A: Documented REST API and a read-only MCP server, both enforcing the requesting user's existing permissions. MCP connections expire after 90 days.

Q: Data on exit?
A: Kept while your account is active. Deleted on request or after contract end within the agreed window; backups age out on their cycle.

Q: Vulnerability handling?
A: Vulnerability scanning plus independent third-party penetration testing. Coordinated disclosure at security@getsift.ai.
Going deeper
This prospectus is the short version. Two further resources cover the detail your security team will want.
Security and Architecture Overview (whitepaper). The full technical document: data flow, infrastructure and resilience,
channel ingestion, the AI agent pipeline, human oversight, data governance, and a SOC 2 control mapping.
Available under NDA. Our detailed control matrix, current audit status, data processing agreement, subprocessor list with
the purpose and data scope of each, and a completed security questionnaire.
For the whitepaper, any of the items above, or to start a security review, contact security@getsift.ai. We share due-
diligence materials under NDA and respond to security questionnaires. To report a suspected vulnerability, reach the
same address; we operate a coordinated disclosure process.
