Trust & Security
At Caddie AI, Inc., our most important commitment is to the trust and security of our customers. We understand that your data is your most valuable asset. That's why we've built our security program on the principles of transparency, data ownership, and defense-in-depth. This page provides a detailed overview of the policies, technologies, and procedures we have in place to protect your information.
Core Tenets of Our Security Program
Our approach to security is guided by these fundamental commitments:
- You Own Your Data: You retain full ownership of your User-Generated Content. We are simply custodians of your data.
- Your Data Is Not Our Product: We will never sell, rent, or trade your data. Our business model is based on providing a valuable service, not monetizing your information.
- Your Content Does Not Train Our Models: Your inputs and outputs are never used to train our general-purpose or third-party AI models.
Data Governance & Privacy
We believe in privacy by design, ensuring your data is handled responsibly and exclusively for the purpose of providing the Caddie service.
- Data Ownership & Control: You retain all intellectual property rights to the content you create in Caddie. You can export and delete your data at any time from within your account.
- Data Usage: Your data is used solely to provide and improve the Caddie service for you. This includes generating AI responses, personalizing your experience, and ensuring platform functionality. We do not access or use your content for any other purpose.
- Data Retention: As detailed in our Privacy Policy, we retain your data while your account is active. Data is permanently deleted within 90 days following account termination.
Infrastructure & Network Security
Caddie is built on world-class infrastructure, leveraging the security and scale of Amazon Web Services (AWS) to protect our platform from the ground up.
- Secure Cloud Environment: Our entire platform is hosted on AWS, which provides a highly secure and controlled environment, compliant with numerous global security standards like SOC 2, ISO 27001, and HIPAA.
- Data Encryption: We employ strong encryption protocols to protect your data at all stages.
  - Encryption in Transit: All data transmitted between your device and our services is encrypted using industry-standard Transport Layer Security (TLS 1.2 or higher) to prevent eavesdropping or man-in-the-middle attacks.
  - Encryption at Rest: All customer data, including databases, files, and backups, is encrypted at rest using the Advanced Encryption Standard (AES-256), one of the strongest block ciphers available.
- Network Isolation: We utilize AWS Virtual Private Clouds (VPCs) to create logically isolated sections of the cloud. Our production environment is strictly segregated from development and testing environments. Security groups and network access control lists (ACLs) are configured to restrict traffic to only what is absolutely necessary.
- Logging and Monitoring: We centrally aggregate logs and implement continuous monitoring of our infrastructure to detect and alert on anomalous activity, potential threats, and security misconfigurations.
Application & Product Security
Security is an integral part of our software development lifecycle, from initial design to deployment and maintenance.
- Secure Software Development Lifecycle (SDLC): Our engineering team follows secure coding best practices. Code is subject to peer review and automated security analysis before being deployed.
- Vulnerability Management: We perform regular automated vulnerability scanning of our applications and dependencies to proactively identify and remediate security weaknesses.
- Access Controls: Access to data within the Caddie application is governed by your account credentials. We enforce strong password requirements and recommend using unique passwords for your Caddie account.
AI & Sub-Processor Security
As an AI-native company, we hold our AI partners to the same high security standards we hold ourselves.
- Vetted AI Providers: We partner with trusted, industry-leading AI model providers like OpenAI, Anthropic, and Google. These partners are selected based on their performance, reliability, and commitment to security and data privacy.
- Zero Data Retention Agreements: Our contractual agreements with our AI partners strictly prohibit them from using your data to train their models. Data sent to them is used exclusively to process your request and generate a response. It is not retained or used for any other purpose.
Organizational Security
Security is a shared responsibility across our entire company.
- Personnel Security: All Caddie employees undergo background checks and receive ongoing security awareness training to understand and address modern cybersecurity threats.
- Principle of Least Privilege: Employee access to sensitive data and production systems is strictly limited based on job function (Role-Based Access Control). Access is granted on a "need-to-know" basis and is regularly reviewed and audited.
Incident Response & Availability
We have a comprehensive plan in place to respond to potential security incidents and ensure the reliability of our service.
- Incident Response Plan: We maintain a formal incident response plan that outlines the procedures for detecting, containing, eradicating, and recovering from a security event. In the event of an incident that impacts your data, we are committed to transparent and timely communication.
- High Availability: Our architecture is designed to be resilient and fault-tolerant, with redundancies built in to minimize downtime and ensure you can access Caddie when you need it.
Responsible Disclosure
We value the work of independent security researchers. If you believe you have discovered a security vulnerability in the Caddie platform, please help us by reporting it responsibly. Email us at support@caddiehq.com with a detailed description of your findings. We are committed to working with you to verify and address any potential issue promptly.
If you have any further questions, please contact us. Your trust is the foundation of our service.