Trust & Security

Your data stays yours

Surface uses AI to power design generation, but your designs, logos, and brand assets are never used to train AI models. Here’s how we protect your work.

AI Governance

Surface integrates multiple AI providers for texture generation. Every integration is governed by a strict no-training policy:

Customer inputs (prompts, reference images, logos) are sent via transient API calls and are never retained by AI providers
No customer data is used to train, fine-tune, or improve any AI or machine learning model
Reference images are transmitted as encoded data only, preventing external access to your proprietary artwork
All AI providers are contractually bound to enterprise API terms that prohibit data retention for training

Data Protection

Your design files, brand assets, and account data are protected with industry-standard security:

Encryption in transit (TLS) and at rest (AES-256)
Role-based access control with organization-level permissions
User-scoped storage ensuring your files are only accessible to you and those you share with
Authentication via secure token verification on every API request
Rate limiting, audit logging, and timeout protections on all endpoints

Data Deletion

We support data deletion requests in compliance with GDPR, CCPA, and similar frameworks.

Request deletion of all personal data and design files at any time
Deletion executed within 30 days, with backup purge within 90 days
Third-party AI providers retain no customer data, so no additional deletion is required

To submit a deletion request, contact us at support@surface3d.ai.

Transparency

Every AI generation is logged with the model used and credit cost
You choose which AI model to use for each generation
Credit costs are displayed before generation and itemized in transaction history
AI governance policies are reviewed quarterly and updated when providers or regulations change

Business Continuity

Surface is built on a distributed architecture designed for resilience:

Application deployed across a global CDN with instant rollback capability
Automated database backups with point-in-time recovery
Multi-provider AI architecture with automatic failover if any single provider is unavailable
Monthly backup restoration testing and quarterly disaster recovery drills

Disaster Recovery

Our disaster recovery plan defines clear recovery objectives for every system:

Application recovery within 1 hour; database recovery within 2 hours
Full infrastructure recovery within 4–8 hours in a catastrophic scenario
Documented procedures for every failure scenario including security incidents
Annual full disaster recovery drill with documented results

Third-Party Sub-processors

Surface3D shares data with the following third-party services to operate the platform. AI providers receive data only during active generation requests and do not retain it.

ProviderPurposeData Shared
Google (Firebase / Vertex AI)Auth, storage, database, AI generationAuth credentials, files, database records, AI prompts, reference images, logos
SupabasePrimary databaseUser profiles, org data, projects, credit transactions, activity logs
OpenAIAI image generation (DALL-E)AI prompts, reference images, logos — not retained after request
ReplicateAI image generation (Flux, Recraft)AI prompts, reference images, logos — not retained after request
StripePayment processingName, email, billing address, payment details
VercelApplication hostingWeb traffic, IP addresses, request metadata
ResendTransactional emailName, email address

Documentation

AI Governance Framework

No-training policy, data flow architecture, provider commitments, and deletion procedures.

PDF ↗

Data Deletion Policy

Scope of deletable data, request process, timelines, and retention exceptions.

PDF ↗

Service Level Agreement

Uptime commitments, support response times, remediation approach, and enterprise SLA options.

PDF ↗

Business Continuity Plan

Continuity strategies, communication plan, and recovery procedures for all critical systems.

PDF ↗

Disaster Recovery Plan

RTO/RPO targets, backup strategy, scenario playbooks, and post-recovery validation.

PDF ↗

Questions?

Reach out during your security review process and we’ll get you what you need.

support@surface3d.ai
GDPRCCPASOC 2EU AI Act