Security approach
equal AI is designed as a business platform for AI visibility tracking, prompt monitoring, citation analysis, reporting, exports, APIs, and integrations. Our security approach focuses on protecting customer workspaces, limiting access, reducing sensitive data exposure, monitoring service health, and using trusted cloud and payment infrastructure.
This page describes our current security posture for vendor reviews and customer due diligence. It is not a certification claim. Specific enterprise commitments, audit rights, service levels, and security addenda must be documented in a signed agreement.
Infrastructure and hosting
equal AI uses cloud-hosted infrastructure for the website, application, databases, storage, logs, analytics, and supporting services. Production environments are separated from local development workflows, and access is limited to authorized operational personnel.
The marketing site is designed for static delivery where possible. Application services use managed providers for availability, scaling, networking, storage, and operational controls. We rely on vendor security controls where appropriate and layer application-level safeguards on top.
Changes to production systems are handled through controlled deployment workflows. We avoid direct manual changes where practical and keep operational access scoped to the work required.
Access controls
Workspace access is managed by account authentication and role-based controls. Customers are responsible for inviting the right users, removing users who no longer need access, protecting credentials, and reviewing workspace membership.
Internal administrative access is restricted to personnel with a legitimate operational need. Access is granted according to least-privilege principles and removed when no longer needed. Administrative activity is logged or auditable where supported by the relevant system.
Enterprise customers may request SSO, access review support, onboarding controls, and custom security review materials where available under their plan or order form.
Data protection
Data is protected in transit using HTTPS/TLS. Data at rest is protected through cloud-provider encryption controls and managed storage protections. Sensitive operational access is restricted, and secrets are not intended to be stored in source code.
Customer workspace data may include domains, prompts, competitor names, AI model responses, cited URLs, report settings, annotations, exports, API activity, support communications, and user account records. Customers should avoid entering sensitive personal data, regulated data, payment card data, credentials, or secrets unless explicitly permitted by contract.
Backups, logs, and monitoring data are retained according to operational needs, security requirements, subscription terms, and legal obligations. Access to logs and backups is limited to authorized personnel and vendors.
Payment security
Payment card processing is handled by third-party payment processors designed for PCI-DSS compliant payment handling. equal AI does not store full payment card numbers or CVC codes on its own systems.
We receive and store billing metadata needed to operate subscriptions, support customers, prevent fraud, meet accounting and tax obligations, and reconcile invoices. Examples include billing contact details, plan, invoice status, transaction identifiers, card brand, last four digits, and expiration metadata.
Customers should enter payment information only through the authorized billing flow and should not send full card numbers, CVC codes, bank credentials, or payment secrets through prompts, support messages, reports, or email.
Analytics and monitoring
We use analytics and monitoring tools to understand website performance, product usage, reliability, errors, conversion paths, and feature adoption. GA4 may be used for website or product measurement where configured.
Analytics access is limited to authorized personnel and used for measurement, troubleshooting, product improvement, fraud prevention, and business reporting. Customer-identifying workspace data is not sold through analytics tools.
Security and operational logs may include IP addresses, user identifiers, device information, request metadata, authentication events, API activity, and error traces. These logs help detect abuse, debug issues, and investigate incidents.
AI and search provider exposure
equal AI may send configured prompts, domains, competitors, and related inputs to third-party AI engines, search providers, or data providers to retrieve responses, citations, and visibility signals. Customers should configure prompts as if they may be processed by those third-party services.
Do not submit secrets, credentials, confidential unreleased plans, sensitive personal data, regulated data, or information you are not permitted to send to third-party model or search systems unless your contract expressly covers that use.
Third-party AI outputs can be inaccurate, variable, or incomplete. We analyze and report those outputs, but we do not control the underlying models, crawlers, search indexes, training data, or answer interfaces.
Vendor and subprocessor controls
We use vendors for cloud infrastructure, storage, databases, authentication, analytics, payment processing, tax and invoicing, communications, support, monitoring, logging, AI retrieval, search retrieval, and security operations.
Vendors are selected based on business need, security posture, reliability, and compliance fit. We use contractual controls and vendor settings to limit data use to authorized purposes where practical.
Enterprise customers may request subprocessor information, vendor categories, and security documentation during procurement or renewal.
Vulnerability management
We use dependency updates, code review, framework security practices, provider security features, monitoring, and issue triage to reduce vulnerabilities. Security fixes are prioritized based on severity, exploitability, exposure, and customer impact.
Customers and researchers should report suspected vulnerabilities to team@equalai.io with enough detail to reproduce and assess the issue. Do not access customer data, disrupt service, run destructive tests, or publicly disclose a vulnerability before we have had a reasonable opportunity to investigate and remediate.
Incident response
We maintain processes for detecting, triaging, investigating, containing, remediating, and communicating security incidents. The response may involve logs, infrastructure providers, application changes, vendor coordination, credential rotation, and customer guidance.
If a confirmed incident materially affects customer data or service security, we notify affected customers according to legal and contractual requirements. Notice will include information reasonably available at the time and may be updated as the investigation progresses.
Customer responsibilities
Customers are responsible for securing their own devices, browsers, identity providers, email accounts, API keys, connected systems, exports, dashboards, and downstream tools. Customers should use strong passwords, unique credentials, MFA where available, least-privilege access, and prompt removal of departing users.
Customers are responsible for ensuring that prompts, tracked domains, competitors, client workspaces, exports, and integrations are lawful and appropriate for their use case. Agencies must ensure they have client authorization and avoid exposing client confidential data unnecessarily.
Customers should review reports before external distribution and avoid treating AI outputs or recommendations as legal, financial, medical, safety, or professional advice.
Availability and continuity
equal AI depends on cloud providers, third-party AI systems, search surfaces, analytics providers, payment providers, and communications tools. Outages or policy changes at those providers may affect data collection, model availability, tracking cadence, billing, or reporting.
We use managed infrastructure, backups, monitoring, and operational procedures to support continuity, but we do not guarantee uninterrupted availability unless a signed enterprise agreement provides a specific SLA.
Enterprise review
Enterprise customers may request security questionnaires, DPA review, subprocessor information, architecture summaries, access control details, incident response information, and reasonable vendor review materials.
We avoid claiming certifications, attestations, or compliance frameworks that are not currently in place. If a customer requires a specific certification, audit report, data residency commitment, retention term, SSO feature, or contractual security control, it should be documented in the applicable order form or agreement.
Security contact
For security questions, vulnerability reports, vendor review, or suspected account compromise, contact team@equalai.io. For privacy and DPA requests, contact team@equalai.io or use the enterprise contact workflow.
Please include affected domains, workspace details, timestamps, reproduction steps, logs, screenshots, and contact information where relevant. Do not include full payment card numbers, passwords, secrets, or sensitive personal data in your report.