Enterprise-grade security

Standards and certificates

We regularly work with independent experts to verify our security, privacy, and compliance controls, and have achieved certification against stringent global standards.

AICPA SOC2 certification iconGDPR certification iconTrust Arc certification iconCCPA certification iconISO 27001 certificationISO 27017 certificationISO 27018 certificationData Privacy Framework (DPF) program logo

SOC 2 Type 2

SOC 2 Type 2 is an auditing standard that evaluates the effectiveness of Affinity’s controls and processes related to security, availability, processing integrity, confidentiality, and privacy. By maintaining a SOC 2 Type 2 attestation, Affinity assures its customers that their data is handled securely and in compliance with industry standards, fostering trust and providing peace of mind. Click here to download our public SOC 3 report.


Our Privacy Policy and Data Processing Agreement (DPA) describe our privacy practices with respect to GDPR and other applicable laws. Our Data Privacy Framework (DPF) registration can be viewed here.

ISO 27001

ISO 27001 is a globally recognized standard for information security management systems, ensuring that Affinity follows best practices to protect sensitive data and mitigate risks. By achieving ISO 27001 certification, Affinity demonstrates its commitment to maintaining the highest level of security, instilling trust and confidence in its customers that their data is well-protected.

ISO 27017 & ISO 27018

ISO 27017 and ISO 27018 are specific standards that focus on cloud security and privacy respectively. By adhering to ISO 27017, Affinity demonstrates its commitment to implementing robust security controls in its cloud services, ensuring the protection of customer data. Similarly, ISO 27018 certification showcases Affinity’s dedication to safeguarding customer privacy by following strict guidelines for the handling of personally identifiable information (PII) in the cloud, enhancing customer trust and confidence in the platform

Security informs all aspects of our product and infrastructure at Affinity.


We encrypt all sensitive data both at rest and in-transit using robust, industry-leading encryption algorithms

Network security

Our production services run in an isolated Virtual Private Cloud on AWS. Only network protocols essential for making our service work are open at the network's perimeter.

Access controls

Access to internal systems requires multiple authentication factors, including VPN access and device-based authentication tokens.

Independent testing

In addition to our ongoing bug bounty program, we conduct rigorous annual penetration tests with world-class independent security consulting firms.

Uptime and durability

We save daily encrypted backups for 30 days to ensure your data is safe and secure, and store them redundantly across multiple availability zones. We use third-party monitoring services to track Affinity's availability and have engineers on-call to rapidly investigate and address any outages.

Audit logs

Any access to customer data in cases when customers need our assistance is exhaustively logged and regularly audited. No data is accessed unless we cannot provide support to our customers without doing so.

Affinity AI FAQ

What are Affinity’s AI offerings?

Affinity uses artificial intelligence throughout these three capabilities and features:

  • Industry Insights: uses artificial intelligence to generate a list of companies that are similar to the company being viewed in Affinity CRM or Affinity Pathfinder. To learn more about how Industry Insights works, access the Help Article here.
  • Notetaker: is a meeting companion that uses artificial intelligence to generate a structured summary and transcript that is then synced to the appropriate contact and organization records in Affinity CRM. To learn more about how Notetaker works, access the Help Article here.
  • Deal Assist: uses artificial intelligence to review and process a firm’s meeting notes and email attachments to answer deal-related questions. We will share more information as we near Deal Assist’s launch in Summer 2024. 

* This is accurate as of Apr 8, 2024; we are working to include more features and capabilities over time. 

Who are Affinity’s large language model providers?

Affinity currently uses Anthropic’s Claude model. We consistently evaluate different models from various vendors (including updates to Anthropic’s Claude model) to determine if using a different model can provide improvements in experience or functionality for our users.

In line with our communication policy, all customers received an email when Anthropic was added as a subprocessor. In the future, if we choose to use a Large Language Model from a different vendor, customers will be informed in a similar manner. 

Our list of subprocessors is also published in this Help Center article

Do Affinity’s AI offerings respect existing permissions?

Yes, any permissions applied by admins or users within Affinity’s platform will be respected. Users will never gain access to information through an AI-powered response that they did not already have access to within Affinity.

How is customer data protected when sent to AI subprocessors?

Any subprocessors we use, including AI subprocessors, are approved after a comprehensive review by our security team. This ensures that the subprocessor meets our security standards.

We use secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks to our subprocessors.

All customer data is logically segmented and we ensure that data from different customers is never mixed together. Your data will not be exposed to other customers. 

For more information about how we protect customer data, refer to our Trust Center.  

Will customer data be used to train any models?

No. Affinity has contracts in place with our vendors to ensure that customer data is prohibited from being used to train AI models.

What are the data retention obligations of Affinity and third-party AI providers?

Affinity’s AI subprocessor, Anthropic, will retain data only in the service of providing output based on the feature its powering (such as Industry Insights; Affinity Notetaker, and Deal Assist) and data will be deleted within 30 days.

Affinity purges or removes customer instance data in accordance with best practices when customers leave the service, unless otherwise specified in your contract. More information can be found in our Master Terms.

How is bias mitigated?

As a part of our subprocessor procurement process we ensure that our partners have bias mitigation policies in place.

What compliance standards do Affinity’s AI offerings meet?

All of Affinity’s AI offerings are within the scope of the compliance standards and reports documented in our Trust Center.

Who owns the rights to content generated by Affinity’s AI offerings?

Customers retain ownership of any content generated by Affinity’s AI offerings using their data (such as a summary produced by the Affinity Notetaker).

Is customer consent required for AI processing?

Customer data is processed only when users choose to use Affinity's AI features, such as asking Deal Assist a question or inviting Notetaker to a meeting. Industry Insights does not use customer data at all.

Vulnerability disclosure and reward program

We take all precautions necessary to ensure your privacy is respected and your information is secure. Affinity is compliant with SOC 2, ISO27001 and GDPR.

Learn More

Learn more about our security measures by visiting our Trust Center

Learn More