Security and data use

Security posture

RoundOS is operated by Ignisha Educational Service FZCO, a UAE free zone company located at IFZA Business Park, Building A2, Dubai Silicon Oasis, Dubai, United Arab Emirates.

RoundOS handles sensitive fundraising context: decks, investor contacts, email-derived context, calendar context, source imports, recommendations, and drafts.

We use administrative, technical, and organizational controls designed to protect workspace data and aim to comply with security and privacy obligations that apply to the service. We do not currently claim SOC 2, ISO 27001, HIPAA, PCI DSS, or other formal certification unless separately stated in writing.

Workspace isolation and access control

Data is organized by workspace. Users must authenticate before accessing product areas, and workspace access is controlled through memberships and roles.

Workspace owners and admins are responsible for inviting the right people, removing users who no longer need access, and managing connected sources.

Connected-account permissions

RoundOS requests connected-source permissions only for product workflows such as importing relevant context, syncing calendar signals, reading uploaded/connected files, or preparing drafts.

OAuth tokens and integration credentials are treated as sensitive secrets. Users can revoke Google access from Google account settings or disconnect supported sources in the product.

Encryption and secrets

RoundOS uses HTTPS/TLS for data transmitted between users and the product.

Infrastructure providers may encrypt stored data at rest. Sensitive integration credentials and tokens are encrypted before storage where supported by the application.

Production secrets are stored in deployment environment configuration and are not meant to be committed to source control.

AI and source processing

AI workflows process only the context needed for the requested task, such as classifying source evidence, suggesting CRM updates, identifying next actions, or drafting messages.

We do not use workspace content to train general-purpose AI models, and we do not authorize AI providers to train general-purpose models on your workspace content.

Human review of customer content is limited to cases such as support, debugging, security investigation, abuse prevention, or when you ask us to help.

Operational controls

We use logging, error monitoring, access controls, dependency updates, backups, and operational review to maintain the service.

Access to production systems and customer content should be limited to personnel or contractors with a need to know for operating, supporting, securing, or improving the service.

Data deletion and exports

Users may request deletion or export of workspace data. Deletion can be limited by backups, logs, legal obligations, security requirements, billing records, or operational constraints.

Disconnecting a source stops future sync for that source but may not delete records that were already created from prior authorized syncs.

Incident response

If we learn of a security incident affecting workspace data, we will investigate, take reasonable containment steps, and notify affected customers where legally required or appropriate.

Reports of suspected vulnerabilities or unauthorized access can be sent to hello@roundos.ai.

Customer responsibilities

Use strong authentication, protect account access, keep invited users current, avoid uploading data you do not have rights to use, and review AI-generated outputs before sending or relying on them.

Do not upload highly regulated or unusually sensitive data unless we have expressly agreed in writing that RoundOS is configured for that use.