Security & trust

Built for the data your clients trust you with

Single sign-on, role-based access on every screen, encryption end to end, and a complete audit trail. Privacy isn't a setting here — it's a brand value.

How we protect you

Security wired through every layer

The same controls that keep your team's work safe keep your clients' data safe — because it's all one record.

Single sign-on

Bring your own identity provider. SSO and SCIM keep access in lockstep with your directory — joiners and leavers included.

Role-based access

Every screen respects who is looking. Clients, guests, and staff each see exactly what their role allows — nothing more.

Encryption everywhere

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Secrets and keys are managed, rotated, and never logged.

Complete audit trail

Who changed what, and when — captured on every record. The audit log is the same one that settles client disputes.

Your data is yours

Export or delete your workspace at any time. We never sell data, and client data is never used to train shared models.

Resilient by design

Hosted on tier-1 cloud infrastructure with encrypted backups, monitoring, and a tested recovery plan.

Compliance

Audited, documented, and ready for procurement

Whether it's your security team or your client's, the paperwork is ready — so a review speeds the deal instead of stalling it.

SOC 2 Type II

Independently audited security controls.

GDPR & DPA

Data Processing Agreement available on request.

Data residency

Choose where your workspace data lives.

How we think about it

Four principles behind every decision

Privacy by default

The least-revealing view wins. Client portals expose only what is theirs, and internal notes stay internal.

AI that drafts, never decides

Max never sends anything externally or acts on its own. Every suggestion waits for a person to approve — and AI can be turned off entirely.

Least-privilege access

Staff access is scoped to need. Granular roles mean no one sees more of a client engagement than their job requires.

Accountable by record

Approvals, signatures, and changes are time-stamped and immutable — a defensible history for every decision.

Questions

Security, answered

Where is our data hosted?

On tier-1 cloud infrastructure with encryption at rest and in transit. Enterprise customers can choose a data-residency region to meet local requirements.

Can our clients see each other’s work?

Never. Every read path is filtered by role and by engagement — a client only ever sees their own projects, and guests see only what you explicitly share.

Do you train AI on our data?

No. Client data is never used to train shared or third-party models. Max operates on your workspace to draft artifacts for your team to review, and you can disable it entirely.

How do we get our data out — or delete it?

Export your workspace at any time in open formats, and request full deletion whenever you choose. Your data is yours; we hold it on your behalf, not the other way around.

Can we get a SOC 2 report or sign a DPA?

Yes. A SOC 2 Type II report and a Data Processing Agreement are available to customers on request — just ask your account contact or our team.

Bring your security questions

We'll walk your team — or your client's — through how Align handles access, data, and audit, on a real workspace.