This page describes how the AI in AEC Portal is built, where your firm's data lives, and how access is controlled. It is written in plain language for L&D leads and IT reviewers alike. A more detailed security review pack is available on request.
Authentication
Email magic-link sign-in. No passwords to reset, no shared credentials.
Google OAuth for firms that standardize on Google Workspace.
Email + password fallback for demo accounts and offline evaluators.
Microsoft Entra ID (Azure AD) SSO, available on request. Typical setup: 2–3 weeks, SAML 2.0 or OIDC, scoped to your firm's tenant.
Data and hosting
Postgres database managed by Supabase, encrypted at rest (AES-256) and in transit (TLS 1.2+).
Default hosting region for this deployment: EU (Frankfurt). US region available for organizations with US-only data residency requirements, provisioned per firm on request.
Every organization can be flagged as EU or US data region; the portal exposes this on each firm record so evaluators can confirm at a glance.
Daily automated backups with point-in-time recovery. Backups are region-pinned, so an EU firm's data never leaves EU infrastructure.
Access control
Three roles, enforced at the database layer with row-level security: Super admin (AI in AEC HQ), Firm admin (your learning and development team), Learner.
Every read and write is scoped to the caller's organization. A firm admin at Firm A physically cannot query Firm B's seats, progress, or certificates. That's enforced in the database, not just the UI.
Complete audit log of privileged actions (seat invites, revocations, role changes, secret rotations, webhook calls). Exportable on request.
Government / private-delivery mode strips all external community links from the learner experience and confines everything to the portal.
Reporting and exports
Firm admins see live per-learner progress, per-course completion, quiz results, and an activation funnel. No waiting on us to run a report.
One-click CSV export for seats, progress, and quiz results. Data belongs to your firm; you can lift it out any time.
Monthly summary email of activation, completions, and certificates for the previous month (opt-out available).
Certificates
Every completion produces a serial-numbered certificate with a unique verify code.
Anyone (recruiters, clients, regulators) can confirm authenticity at the public /verify page. No login required, and only the certificate holder's name and course are shown.
Certificates are AI in AEC LU-ready and provide the auditable AI-literacy evidence required under EU AI Act Article 4.
What we do not claim
We do not claim SOC 2 or ISO 27001 certification. We use SOC 2 Type II-attested infrastructure providers (Supabase, Cloudflare) but the portal itself has not been independently audited.
A security review pack (architecture diagram, data-flow, subprocessor list, incident-response summary) is available on request for enterprise evaluators.
We would rather tell you exactly what we do than dress the page in badges we haven't earned.
Support and escalation
Direct line to Stjepan Ivandić (founder): stjepan@aiinaec.com.
Response target: within 1 business day for firm admins; same-day for outage or data-integrity issues.
Enterprise firms receive a shared Slack or Teams channel on request.
Vulnerability reports welcomed at the same address; responsible disclosure acknowledged within 48 hours.