How the Aries AI platform stores client data, isolates it between accounts, controls who can access it, and what technical safeguards apply to the AI assistant itself. Maintained as a standing reference for security review, procurement, and compliance purposes.
Aries AI is a WhatsApp business automation platform. The application runs on Vercel. The primary database runs on Supabase, which itself runs on Amazon Web Services. AI reply generation is performed by Google Cloud's Vertex AI service. Messages are sent and received through Meta's WhatsApp Business Platform, the only channel through which a WhatsApp Business API integration can operate.
No client data is stored on an individual laptop, personal device, or non-production system at any point in the pipeline.
On behalf of each client, the platform processes the following categories of data:
The platform does not knowingly collect special category or sensitive personal data such as health records, financial account numbers, or government identification numbers, beyond what a customer may choose to type into a chat message of their own accord.
The following third parties process data on behalf of Aries AI clients, each limited to what is necessary to provide the service described above.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Meta Platforms, Inc. | Delivery and receipt of WhatsApp messages | Meta infrastructure |
| Google Cloud Platform (Vertex AI) | Generates AI reply content from message text and the client's knowledge base | us-central1, USA |
| Supabase, hosted on AWS | Primary application database | ap-south-1, Mumbai |
| Vercel | Application hosting and serverless compute | Global edge |
| Razorpay Software Pvt. Ltd. | Subscription billing | India |
| Resend | Transactional email delivery | USA |
Aries AI serves many client businesses from a single, shared application. Every database table that holds client data includes a tenant identifier, and every query is scoped to that identifier by Postgres Row Level Security, a database-level access control mechanism rather than a rule enforced only in application code. In practice, isolation between clients holds even if a specific application route contained a bug, because the database itself refuses to return another client's rows to a session that isn't authorized for them.
Operating a hosted, multi-tenant platform requires some administrative path that is not subject to the same per-client isolation described above. This is true of any hosted software service and is not unique to Aries AI. What matters is how narrowly that access is held and how visible its use is to the client.
Every time platform administrative access is used against a specific client's account, whether to view or edit that client's configuration, generate a support login on their behalf, or approve their signup, the action is recorded automatically and shown on that client's own dashboard, under Settings and then Audit Log. Entries are labeled distinctly as support activity, separate from actions taken by the client's own team. The log is written by the system at the moment the action occurs, so a client can independently verify what access has taken place rather than relying on a stated policy alone.
Sensitive and high-volume endpoints are protected by rate limits scoped to the account or IP address making the request, including account signup, verification code requests, full data exports, and bulk contact exports. This prevents a compromised account or automated script from repeatedly pulling an entire client's data or exhausting shared resources.
Clients can independently exercise the following rights directly from their own dashboard, without needing to contact support: access and correction of their stored data, export of their full account data, and permanent account deletion. Consent to the platform's Terms of Service and Privacy Policy is recorded at the point of signup with a timestamp and policy version. These features are documented in full in the companion document, Privacy Rights and Compliance Features, linked below.
In the event of a confirmed unauthorized access to or disclosure of client data, affected clients are notified without undue delay, describing the nature of the incident, the data affected, and the remedial steps taken. The specific notification timeline and process are set out in the Data Processing Agreement between Aries AI and each client.
The controls described in this document are designed with reference to the principles of the General Data Protection Regulation and India's Digital Personal Data Protection Act, 2023, including data minimization, purpose limitation, the right to erasure, and accountability through logging. This document does not constitute a legal certification of compliance with any specific framework.