Security & Compliance
Security, privacy, and compliance controls for Academe research workspaces.
Customer data is not used for model training
Research content is sent only when needed to provide the feature being used.
Encryption in transit and at rest
Traffic uses TLS and stored customer data is encrypted by the underlying services.
Role-scoped access
Organization access is scoped by role, with separate paths for collaborators and billing admins.
Review materials available
Team and Enterprise customers can request reports, questionnaires, and contracting documents.
Overview
Academe is built for research materials that may be private, unpublished, or institutionally sensitive. We treat security as part of the product surface, with documentation and controls that can be reviewed during procurement or security review.
Multi-factor authentication
Users can enable multi-factor authentication (MFA) on their Academe account for an additional layer of security beyond passwords. MFA adds a second verification step during sign-in and reduces the risk of unauthorized access if a password is compromised.
SOC 2 Type II
Academe maintains SOC 2 Type II controls for security, availability, and confidentiality. Team and Enterprise customers can review the current report under NDA.
Enterprise and Team customers can request the report by emailing hello@academe-ai.com.
HIPAA
Academe supports HIPAA-regulated research workflows under a Business Associate Agreement (BAA). Protected Health Information (PHI) should only be stored on Academe after the BAA is in place.
Enterprise customers can request to sign a BAA by emailing hello@academe-ai.com.
Data encryption
All customer data is encrypted at rest using AES-256 and in transit via TLS. Sensitive material such as access tokens and user-provided API keys (BYOK) is additionally encrypted at the application layer and stored via Supabase Vault.
Role-based access control
Organization members can be granted fine-grained access to specific resources within Academe. Roles include read-only access for collaborators who only need to view data, and billing-only roles for administrators who manage subscriptions without accessing research content.
Backups
Paid customer databases are backed up daily. Point-in-time recovery supports restoration within the available recovery window if accidental deletion or unexpected infrastructure issues occur.
Payment processing
Academe uses Stripe to process payments and does not store personal credit card information on its servers. Stripe is a certified PCI Service Provider Level 1.
Vulnerability management
Academe works with external reviewers to conduct regular penetration testing of our infrastructure and applications. Automated scanners (Semgrep SAST, secret detection, dependency scanning, DAST) run regularly in CI to catch potential issues early.
DDoS protection
Academe employs multiple layers of protection against distributed denial-of-service attacks, including CDN-level mitigation via Vercel/Cloudflare, brute-force login prevention, customizable rate limits for API routes, and spend caps to prevent surprise bills from volumetric attacks.
Need security materials?
Team and Enterprise customers can request reports, questionnaires, and contracting documents for review.
Email hello@academe-ai.com