Standard answers for vendor evaluation
Last Updated: July 2026
These are our standard answers to the questions we receive most often during procurement and security review. If your questionnaire needs something not covered here, email support@sitegpt.ai.
Compliance and certifications
| Question | Answer |
|---|
| SOC 2 | We have completed a SOC 2 Type II examination covering security, availability, and confidentiality, with zero exceptions noted across all tested controls. Enterprise customers can request the report via our trust portal. |
| GDPR | GDPR certified by DPLMC International. See our privacy policy and DPA. |
| HIPAA | Assessed for HIPAA compliance by DPLMC International. BAA availability is documented at /hipaa. |
| ISO 27001 | We do not currently hold an ISO 27001 certification. Our SOC 2 Type II report covers overlapping controls. |
Data handling
| Question | Answer |
|---|
| Where is data processed and stored? | Our application runs on Cloudflare Workers at the edge. Application data is stored with the vendors listed at /legal/subprocessors, primarily in the United States; per-vendor locations are listed there. |
| EU data residency | We do not currently offer an EU-only hosting option. Transfers from the EU/EEA are safeguarded through our subprocessors' GDPR data processing agreements, which incorporate Standard Contractual Clauses where applicable. |
| Encryption | All data is encrypted in transit with TLS 1.2+ and at rest. |
| Is customer data used to train AI models? | No. Your content and conversations are never used to train AI models, by us or by our AI subprocessors. |
| Data retention | Personal data is retained only as long as necessary for the purposes described in our privacy policy. Account data and content are deleted on request. |
| Data deletion and export | Contact support@sitegpt.ai to request deletion or export of your account data. |
Access and authentication
| Question | Answer |
|---|
| Authentication | Passwordless sign-in via emailed magic links. There are no passwords to phish or breach. |
| Access controls | Role-based permissions for team members control access to chatbot settings, training data, and conversation history. |
AI processing
| Question | Answer |
|---|
| Which AI providers are used? | OpenAI provides language models, accessed through the Portkey gateway. Embeddings are stored in Pinecone. The full list is at /legal/subprocessors. |
| Do AI subprocessors retain data? | Our AI subprocessors do not use your data for model training. Operational retention is governed by each vendor's data processing terms, listed on our subprocessor page. |
| Grounding | Chatbots answer from the knowledge base you configure. You can review conversations and override incorrect answers. |
Legal and billing
| Question | Answer |
|---|
| Data Processing Agreement | Available at /legal/dpa. |
| Subprocessor list | Published at /legal/subprocessors. |
| Who issues invoices? | Paddle, acting as Merchant of Record. Invoices are issued by Paddle and can include your VAT or tax details. |
| Incident notification | We notify affected customers of qualifying incidents without undue delay, consistent with applicable law, including GDPR timelines. |
| EU AI Act | SiteGPT provides customer-configured AI assistants built on general-purpose models. We monitor EU AI Act guidance as it is finalized and will publish updates relevant to our service category on this page. |
Questions
If your review requires signed documents, additional detail, or a call, email support@sitegpt.ai.