Data Handling v2.6
Last updated: March 25, 2026
The Zero-Custody Principle
AI4Love does not operate an independent multi-tenant data warehouse of supporter data.
Your supporter records, donation history, and engagement data remain in your Airtable base at all times. AI4Love reads this data to generate insights, then writes those insights back to the same base.
"Zero-Custody" extends across the entire stack:
| Layer | Posture |
|---|---|
| Source systems (Blackbaud, Mailchimp) | Read-only. We never write back. |
| Airtable | We write only AI-generated insight records and enrichment fields. We connect with Editor permissions — we cannot delete your base or alter its structure. |
| LLM providers | API-tier usage only. No training on your data. No persistent storage beyond short-term safety retention. |
| Credential stores (Nango, Doppler) | Hold access tokens, not supporter data. Revocation destroys tokens immediately. |
If you disconnect AI4Love:
- Your Airtable base and all its data remain yours, intact and unchanged.
- OAuth tokens are destroyed. API keys are removed from our secrets manager.
- AI-generated insights remain in your Airtable base — they're your records, in your base.
- Nothing is retained on our side.
Your data stays in your house. We provide the tools and insights — but you own the house and everything we add to it.
What We Read vs. What We Never Touch
| | Blackbaud RE NXT | Mailchimp | Environics |
|---|---|---|---|
| We read | Constituent profiles, gift history, actions, event registrations | Contact lists, campaign sends, open/click activity | Postal-code-level demographic segments |
| We never read | Payment details, credit card numbers, bank accounts, passwords | Payment info, billing details, API account settings | Individual-level personal data |
| We never write back | No creates, modifies, or deletes in your RE NXT | No changes to contacts, lists, or campaigns | N/A — enrichment is one-way |
What we write to Airtable: AI4Love writes only to fields it owns — AI-generated insight records (headline, pattern, domain) and Environics enrichment fields (PRIZM segment, giving propensity). We do not write to source-of-record fields (donation amounts, contact details, engagement history). This restriction is enforced via application-level logic and monitored through audit logs. For organizations on Airtable Enterprise, native field-level permissions can be applied as an additional safeguard.
Encryption Standards
All communication between AI4Love, your platforms, and infrastructure providers is encrypted.
| Layer | Standard | Details |
|---|---|---|
| Data in transit | TLS 1.2+ | All API calls, webhook payloads, OAuth flows, and MCP queries. No plaintext connections accepted. |
| Data at rest — Airtable | AES-256 | All stored data encrypted at rest. SOC 2 Type II certified. |
| Data at rest — Nango | AES-256 | OAuth tokens encrypted at rest. SOC 2 Type II certified. |
| Data at rest — Doppler | AES-256 | API keys and secrets encrypted at rest. SOC 2 Type II certified. |
| Data at rest — Vercel | AES-256 | Build artifacts and environment variables encrypted at rest. SOC 2 Type II certified. |
Credential Storage and Revocation
- OAuth tokens are stored and encrypted by Nango (SOC 2 Type II), a dedicated credential vault. AI4Love application servers never persist tokens to disk.
- API keys (e.g., Mailchimp) and the Airtable Service Account Access Token are stored in Doppler (SOC 2 Type II). The Service Account Access Token receives the same SOC 2-compliant storage and rotation procedures as all other integration credentials. Keys are never committed to code or logs.
- Revocation: Staff can disconnect any platform from the Integrations dashboard. This calls Nango's `deleteConnection` endpoint, which destroys all stored tokens. For API-key integrations, removing the key disables access immediately.
- Session behaviour on revocation: MCP access keys are validated on every request — there is no long-lived session. Revoking a user's access key takes effect on the next request. OAuth access tokens have a maximum TTL of 60 minutes; revocation destroys the refresh token immediately.
Airtable Permission Scoping
AI4Love connects to your Airtable base using a Service Account Access Token with Editor permissions — not Owner or Creator. Service Accounts provide a non-human identity not tied to any individual staff member, eliminating the risk of broken integrations due to personnel changes and producing a cleaner audit trail.
Editor permissions mean AI4Love:
- Can: Read records and write to permitted fields
- Cannot: Delete the base, modify its structure, add/remove collaborators, or alter permissions
Record-level access: Editor permissions do permit record creation and deletion via the API. Write operations are restricted to specific tables and fields through scoped application logic. Our codebase is subject to regular static analysis to ensure no destructive operations (DELETE) are introduced. Airtable's native Trash and Base Snapshots provide a safety net — deleted records are recoverable for up to 365 days, and base snapshots can restore prior states.
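As an added illustration of the scoped application logic described in the "What we write to Airtable" paragraph and in the record-level access paragraph above (this is not AI4Love's own code, and the table and field names are assumptions), a write guard that checks each proposed Airtable operation against an allowlist of owned fields, refuses DELETE outright, and records every decision for audit:

```javascript
// Added example (not AI4Love's own code): an application-level write guard of the
// kind the page describes. Table and field names are assumptions for illustration.

// Per-table allowlist of the fields AI4Love owns (assumed names).
const WRITABLE_FIELDS = {
  Insights: new Set(["Headline", "Pattern", "Domain"]),
  Supporters: new Set(["PRIZM Segment", "Giving Propensity"]),
};

// Only create (POST) and update (PATCH) are ever permitted; DELETE never is.
const ALLOWED_METHODS = new Set(["POST", "PATCH"]);

// In-memory audit trail; a deployment would ship these entries to a log sink.
const auditLog = [];

// Decide whether a proposed Airtable operation may proceed.
// op = { table, method, fields: { fieldName: value, ... } }
// Returns { ok: true } or { ok: false, reason } and always appends an audit entry.
function guardWrite(op) {
  const { table, method, fields = {} } = op;
  const requested = Object.keys(fields);
  let reason = null;

  if (!ALLOWED_METHODS.has(method)) {
    reason = `method ${method} is not permitted`;
  } else if (!Object.prototype.hasOwnProperty.call(WRITABLE_FIELDS, table)) {
    reason = `table "${table}" is not writable`;
  } else {
    // Any field outside the allowlist (e.g. a source-of-record field) blocks the whole write.
    const notOwned = requested.filter((f) => !WRITABLE_FIELDS[table].has(f));
    if (notOwned.length > 0) {
      reason = `fields not owned by AI4Love: ${notOwned.join(", ")}`;
    }
  }

  auditLog.push({ at: new Date().toISOString(), table, method, fields: requested, allowed: reason === null, reason });
  return reason === null ? { ok: true } : { ok: false, reason };
}

// Constructed sample operations: a legitimate insight write, an update that also
// touches a source-of-record field, and a delete. Only the first should pass.
const samples = [
  { table: "Insights", method: "POST", fields: { Headline: "Lapsed major donors", Pattern: "gap", Domain: "retention" } },
  { table: "Supporters", method: "PATCH", fields: { "Giving Propensity": "high", "Donation Amount": 0 } },
  { table: "Supporters", method: "DELETE", fields: {} },
];
for (const op of samples) console.log(op.method, op.table, guardWrite(op));
```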
Data Residency
| Component | Default Region | Canadian Residency Option |
|---|---|---|
| Airtable (data storage) | US | Airtable Enterprise offers data location controls for Canadian hosting. |
| Vercel (compute layer) | US-East (iad1) | Vercel supports region pinning to specific geographies. |
| Nango (credential vault) | EU (Nango Cloud) | Self-hosted Nango available (see below). |
For partners with strict PIPEDA or provincial health-data requirements: both data storage and processing regions are configured and documented in your organization's Data Processing Agreement before onboarding begins. Enterprise configuration is required for strict Canadian residency — this is not automatic on standard tiers.
Nango credential residency: On the standard tier, OAuth tokens are stored in Nango's EU-hosted cloud. For organizations where credential residency is a compliance requirement, AI4Love offers a self-hosted Nango deployment managed by AI4Love within the partner's preferred region. This is a standard part of high-compliance onboarding — not a DIY option for the partner's IT team.
Data Retention
| Layer | What | Retention |
|---|---|---|
| Airtable | Supporter records, insights | Indefinite — owned by your organization |
| Application memory | Transient request data | Released when serverless function completes (< 30 seconds) |
| Vercel logs | Request metadata only (no PII) | 1 hour (Pro plan); 30–90 days with SIEM streaming |
| LLM providers | API inputs/outputs | Up to 30 days for trust & safety, then deleted |
| Nango | OAuth tokens | Until revoked |
| Doppler | API keys | Until rotated or removed |
AI4Love does not store supporter data outside Airtable. Processing is transient only.
Backup and Recovery
- Airtable provides platform-level redundancy and automatic backups.
- AI4Love does not maintain separate backups of your data, consistent with the Zero-Custody principle.
- Data recovery is handled through Airtable's platform capabilities. Your organization retains full administrative control.