
Security & Data

Your data stays yours.

Draftr connects to your accounting system, CRM, and email to do its job. We've built the platform around three rules: read-only by default, drafts only for anything customer-facing, and your data sits in its own isolated environment — not in a shared pool with everyone else's.

The Three Promises

Same three rules, every customer, every tier.

Tenant-isolated.

Every Draftr customer gets a separate database, knowledge graph, and vector store. Your data is never combined with another customer's data, never used to train models that other customers will use, and never accessible to other customers under any circumstances — including in aggregate or anonymised form.

If you cancel, your tenant is deleted in full within 30 days, including derived data like embeddings and indexes. Zero cross-tenant data leakage isn't a goal we're working towards. It's how the platform was built from day one.

Drafts only.

Nothing customer-facing happens without a human on your side approving it first. Draftr drafts follow-up emails, suggests next actions, surfaces overdue items — but it doesn't send, file, or commit anything to your client relationships without explicit human approval at the point of action.

This isn't an admin-controllable setting that can be turned off for “trusted” agents. It's an architectural commitment. The product genuinely doesn't have a path to send customer-facing communications autonomously.

OAuth-only.

Draftr never stores your passwords. Authentication happens through your existing identity providers — Microsoft, Google, Xero, HubSpot, Salesforce, etc. — using OAuth 2.0. We hold short-lived access tokens that we use to read data on your behalf.

You can revoke our access at any moment, from your provider's admin panel, without contacting us. The connection breaks immediately. We don't keep cached credentials and we don't have a backdoor to maintain access if you've revoked it.

How OAuth Actually Works

What you grant. What we get. What you can revoke.

When you connect a system to Draftr — your accounting platform, your CRM, your email — you're not handing us your password. You're going through a process called OAuth, where the system itself authenticates you and grants Draftr a limited, read-only token to access specific data.

Three things matter about this:

1. Read-only by default

The OAuth scopes Draftr requests are read-only for almost all integrations. We pull data; we don't write back to your live systems. The exception is when you explicitly approve a specific action through Draftr — for example, sending a follow-up email you've reviewed and edited. Even then, the action goes through your existing email account, not through Draftr's own infrastructure.

2. You see exactly what we asked for

The provider's own consent screen shows you the specific scopes Draftr is requesting before you approve. You can see — in your provider's language, not ours — exactly which permissions you're granting. If anything looks broader than you expect, you can stop the integration there.

3. Revocation is instant and unilateral

You can disconnect Draftr from any of your providers at any time. The disconnect happens through your provider's admin panel — Google admin, Microsoft 365 admin, Xero settings, etc. — and it takes effect immediately. We can't prevent it, slow it down, or maintain access through a back channel. When you've revoked, we're out.
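A defender-side check for point 2 above, added here as an example that is not part of Draftr's product or this page: it parses the scope parameter of an OAuth 2.0 authorization URL and sorts each scope into read-only, write, or unknown, so an admin can see what to question on the consent screen. The allowlists are an illustrative assumption built from real Google and Microsoft Graph scope names, not Draftr's actual scope list.

```python
from urllib.parse import urlparse, parse_qs

# Illustrative classification of well-known provider scopes. Assumption: this
# is an example allowlist, not the scope set any particular product requests.
# The strings themselves are real Google and Microsoft Graph scope identifiers.
READ_ONLY_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "Mail.Read",
    "Calendars.Read",
    "User.Read",
}
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://mail.google.com/",
    "Mail.Send",
    "Mail.ReadWrite",
}


def requested_scopes(authorize_url: str) -> list[str]:
    """Extract the space-separated scope list from an OAuth 2.0 authorization URL."""
    query = parse_qs(urlparse(authorize_url).query)  # parse_qs percent-decodes values
    return query.get("scope", [""])[0].split()


def review_scopes(authorize_url: str) -> dict[str, list[str]]:
    """Sort requested scopes into read_only, write and unknown buckets.

    Anything under 'write' or 'unknown' is what to question before approving."""
    buckets: dict[str, list[str]] = {"read_only": [], "write": [], "unknown": []}
    for scope in requested_scopes(authorize_url):
        if scope in READ_ONLY_SCOPES:
            buckets["read_only"].append(scope)
        elif scope in WRITE_SCOPES:
            buckets["write"].append(scope)
        else:
            buckets["unknown"].append(scope)
    return buckets


# Constructed sample: a Google consent URL that asks for send access as well as read.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send"
)

if __name__ == "__main__":
    print("write scopes requested:", review_scopes(SAMPLE_URL)["write"])
```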

Data Location & Residency

UK and EU, by default. UK-only on Scale and Enterprise.

By default, Draftr customer data is held in the UK and EU. We use established cloud infrastructure providers — the kind any enterprise SaaS product uses — with appropriate certifications at the infrastructure layer.

For Scale and Enterprise customers, we offer UK-only data residency — meaning your tenant data, including all derived data, is processed and stored exclusively within the UK. This is included with the tier; no extra fee.

We don't currently process customer data outside the UK and EU under any circumstances.

Specific hosting provider, region, encryption standards, and backup arrangements are available on request. Email security@draftr.ai for a detailed technical brief.

What's True Today, What's Coming

The honest list.

Draftr is an early-stage company. We're building the security and compliance posture you'd expect from any business handling SME financial and operational data, but we're not pretending we already have certifications we haven't earned. Here's exactly where we are.

What's true today

  • GDPR-compliant. We process personal data lawfully under UK GDPR. Right to access, erasure, and portability are all standard.
  • Tenant-isolated architecture. Separate databases, knowledge graphs, and vector stores per customer.
  • OAuth-only authentication. No password storage. Revocation through providers.
  • Drafts-only architecture. No autonomous customer-facing actions.
  • UK and EU data location by default.

Planned, in progress, or available on request

  • SOC 2 Type 2. In progress. Audit observation period underway.
  • UK-only data residency on Scale and Enterprise tiers. Available now.
  • Sub-processor list and DPA. Available on request, will be published openly when finalised.
  • Penetration test reports. Available to Scale and Enterprise customers on request, under NDA.
  • ISO 27001. On the roadmap — not certified, not in audit yet, no committed date.

We'll move items from the second list to the first as they're earned, not while they're still aspirational. If something isn't on either list and you need to know whether we have it, ask. We'd rather tell you “no, we don't have that yet” than imply we do.

For Procurement, IT, and Compliance Teams

Detailed technical brief on request.

If you're evaluating Draftr on behalf of a procurement, IT, or compliance team and need more detail than this page provides, get in touch. We'll send you a written technical brief covering hosting, encryption, backup, sub-processors, incident response, and any other specifics relevant to your evaluation. Usually within 48 hours.

Contact security@draftr.ai

For Scale and Enterprise customers, we'll also share penetration test summaries, a sample DPA, and our sub-processor list under NDA.

New here?

If you're evaluating Draftr for the first time, the Free Revenue Audit is the fastest way to see what it does on your actual data — without committing to anything.


Already decided?

You can subscribe at any tier without a sales call. 30-day money-back guarantee on every plan.

A Revenue Execution System for service businesses. We make sure the work you've already done turns into cash you've actually collected.
© 2026 AI LLM Limited. All rights reserved.
draftr.ai·hello@draftr.ai