Security & privacy
Short reference for teams evaluating the Actify layer for enterprise or regulated deployments. Technical specifics are summarized deliberately at a high level; detailed reviews are available through partner onboarding.
Status: Early beta. Formal DPA and full compliance packs are in progress. For the current posture, contact api-actify@outlook.com.
What leaves your system
Only what the public API contract describes: the end user’s task text (as you pass it through) and an optional small metadata map you control. Your own model output, end-user identities, session tokens, and anything else are not part of the request unless you mistakenly put them into those allowed fields, which you should not do.
The API rejects bodies that do not match the documented shape so unexpected or experimental fields cannot be silently accepted.
What we retain
We keep the minimum needed to operate matching, attribution, and reliability: records tied to requests and their outcomes, events when tracked links are used, and data needed to resolve redirects. During beta, retention timelines are conservative from a product perspective but not yet driven by automated expiry everywhere; clearer lifecycle rules are planned.
In practice: if you need help with deletion scoped to your tenant and a time window, email api-actify@outlook.com with your API key and the range — we will handle it through partner support.
Infrastructure & region
The service is built on managed cloud and serverless patterns. Persistence uses a hosted data platform; where data physically resides can depend on how your integration is provisioned — ask during onboarding if you need a specific region story.
Machine learning and search capabilities rely on third-party providers; processing is often oriented toward North American infrastructure today. EU data residency is not guaranteed at this stage. If that is a blocker, raise it with api-actify@outlook.com; EU-first routing is on the roadmap.
Subprocessors (current)
Actify uses a standard SaaS stack. Vendors may see traffic or payloads only in line with their role (e.g. hosting, database, AI). Below are privacy notices, not an architecture diagram.
| Organisation | Privacy policy |
|---|---|
| Vercel Inc. | vercel.com/legal/privacy-policy |
| Supabase Inc. | supabase.com/privacy |
| OpenAI Inc. | openai.com/policies/privacy-policy |
| Pinecone Systems Inc. | www.pinecone.io/privacy |
Authentication & transport
- Authenticated routes expect your partner key using either `Authorization: Bearer` or `X-API-Key`.
- Production traffic is HTTPS-only on the documented production host.
- Keys are partner-specific and can be rotated with notice.
- Tracked outbound links use a public redirect entry point by design; identifiers are long, opaque values rather than guessable sequences.
Deletion, DPA & disclosure
- Data deletion: api-actify@outlook.com — include your API key and a time range.
- DPA: available on request via api-actify@outlook.com.
- Security / responsible disclosure: same inbox.
What Actify does not do
- Does not require or centrally store end-user identities from your product.
- Does not set cookies or fingerprint browsers through this API surface.
- Does not sell or share request text with advertising networks beyond what subprocessors need to provide the service under their terms.
- Does not use your customers’ task text to train Actify-owned models; vendor-side training settings are chosen to minimise unnecessary retention where available, and are reviewed as offerings mature.
For the full HTTP contract (fields, status codes, examples), see API reference.