trust center

Security and compliance, written down.

What Amba does to protect customer data, the controls we have today, and the work in flight. We’d rather show you our actual posture than market our way past your security review.

compliance posture

Where we are. Where we’re going.

Some controls are live today. Some are work in flight. We label everything honestly so your security review starts with the facts.

SOC 2 Type II: In progress

Audit kickoff Q2 2026. Type I scoping complete; observation window opens with the auditor of record. Report available under NDA when issued.

GDPR: Live

Article 28 Data Processing Agreement available. EU residency available for Enterprise tenants. Sub-processor list published below.

HIPAA / BAA: Available

Business Associate Agreement available for Enterprise customers handling Protected Health Information. Dedicated tenant region required.

PCI DSS: Not applicable

Amba does not store, process, or transmit cardholder data. Payment processing is delegated to Stripe (PCI DSS Level 1). Amba is out of cardholder-data scope.

ISO 27001: In progress

Planned 2027 after SOC 2 Type II report. Not a current commitment.

sub-processors

Who touches your data.

We use these third parties to deliver the service. Each has an executed DPA on file; click through to read their public commitments.

| Provider | Purpose | Region | DPA |
| --- | --- | --- | --- |
| Cloudflare, Inc. | Edge compute, CDN, asset delivery | Global (anycast) | View DPA |
| Neon, Inc. | Managed Postgres (per-tenant database) | US (default), EU + APAC available | View DPA |
| Google LLC (Google Cloud Platform) | Container hosting, secret storage, durable workflow execution | US (default), EU + APAC available | View DPA |
| Stripe, Inc. | Payment processing | US | View DPA |
| Resend, Inc. | Transactional email (developer notifications, account email) | US | View DPA |
| Anthropic, PBC | AI provider gateway (customer-controlled keys; opt-in per project) | US | View DPA |
| OpenAI, OpCo, LLC | AI provider gateway (customer-controlled keys; opt-in per project) | US | View DPA |

Changes to this list are announced 30 days in advance via email to billing contacts on record. Customers under signed MSA receive the same notice via their account team.

data handling

How your data is stored, moved, and destroyed.

Data residency

US (default). EU + APAC available for Enterprise tenants. Sub-processors are bound to the same residency commitment in writing.

Encryption at rest

AES-256, provided by every sub-processor that stores customer data. Customer-managed keys (CMEK) available for Enterprise.

Encryption in transit

TLS 1.3 enforced on every public endpoint. Internal hops are mutually authenticated.

Tenant isolation

Physical isolation per project. Each project receives its own dedicated database — no shared schemas, no row-level filtering, no logical-only isolation.

Data deletion

30-day retention after account deletion. Certified destruction reports available on request.

Audit logs

90-day default retention. Extended retention (up to 7 years) available for Enterprise.

Backups

Point-in-time recovery on every tenant database. 7-day window on Pro, 30-day on Scale, configurable on Enterprise.

security practices

The controls behind the controls.

Vulnerability disclosure

security@amba.dev is the inbound channel. Coordinated disclosure timeline standard. No legal action against good-faith research.

Bug bounty

Public program planned Q3 2026. Private invitations on request before launch.

Internal access controls

MFA enforced on 100% of team members. Production access requires elevated approval with just-in-time provisioning. Quarterly access reviews.

Penetration testing

Annual third-party penetration tests. Most recent summary available under NDA to Enterprise customers.

Secure development

Code review on every change, automated security scanning in CI, dependency auditing on every build. Internal CSO posture report published monthly.

incident response

When something goes wrong.

Status page

Live uptime and incident history at status.amba.dev. Detailed metrics ship Wave 5.

Customer notification

Customers notified within 24 hours of any security incident affecting their data. Notification covers what we know, what we don’t, and what we’re doing.

SEV-1 response

Initial human response within 30 minutes. Incident commander assigned. Post-mortem published within 7 days.

contact

Reach the right inbox.

Trust questions get answered by humans. We aim for a same-business-day first response.
