Security & compliance
Encryption, data deletion, auditability: built for regulated enterprises
Encryption at rest & in transit
In transit: TLS 1.3 minimum, HSTS preloaded, perfect forward secrecy. All API endpoints, webhooks, and internal services use mTLS between clusters.
At rest: AES-256-GCM with tenant-managed key options (BYOK). Customer data is never stored unencrypted. Ephemeral processing uses memory-only buffers, with no disk write for transient payloads.
FIPS 140-2 validated modules | Key rotation every 90d
Data deletion & retention
Ephemeral by default: Processed work units are deleted immediately after deterministic output delivery unless retention is explicitly configured. Audit logs (metadata only) retained for compliance, configurable 30–365 days.
Customer-controlled deletion: API endpoint for secure purging. On-premise deployments allow cryptographic erasure (zeroization). All storage media degaussed or shredded prior to decommissioning (NIST 800-88).
GDPR/CCPA right to deletion: Supported within 48h SLA for verified requests.
Compliance claims & attestations
SOC 2 Type II
Security, availability, confidentiality. Annual audit by AICPA firm.
GDPR & CCPA
Data processing addendum (DPA) available. Data residency: US, EU, or custom.
PCI DSS Level 1
For pipelines handling payment data: tokenization & detokenization.
HIPAA ready
BAA available for covered entities. Audit trails, access controls, encryption.
FedRAMP Moderate
On-premise & IL4 variants for government workflows.
ISO 27001:2024
ISMS certified. Independent annual surveillance audits.
Auditability & provenance
Every processed work unit (invoice, contract, case, compliance record) generates an immutable audit trail:
- Input fingerprint (hash of raw data)
- Pipeline version & model signatures
- Confidence scores & validation rule triggers
- Timestamp, tenant ID, processing region
- Output hash & delivery acknowledgment
Audit logs are cryptographically signed and can be streamed to customer SIEM (Splunk, Datadog, ELK) via webhook or S3 export.
Enterprise & on-premise deployment
Private cloud / VPC
Deployed inside your AWS, Azure, or GCP tenant. No data leaves your VPC. Control plane only exchanges orchestration metadata (encrypted). Supported for pipelines with >500k monthly work units.
Isolated on-premise
Air-gapped or limited connectivity environments. Includes hardware security module (HSM) integration, local audit logging, and fully offline pipeline execution. Standard for defense, critical infrastructure, and regulated finance.
Key management & BYOK
AWS KMS / CloudHSM
Native integration. Key rotation policies enforced.
Azure Key Vault
Bring your own key (BYOK) with customer-managed HSM.
Google Cloud KMS
External key manager support via EKM.
On-prem HSM
Utimaco, Thales, or Gemalto (PKCS#11 interface).
Security operations
| Control | Implementation |
|---|---|
| Incident response | 24/7 on-call security team, <4h initial response for critical incidents |
| Vulnerability management | Weekly internal scans + quarterly third-party pentests (Nessus, Burp Suite) |
| Bug bounty | Private program via Intigriti. Max bounty $25k for RCE/tenant isolation bugs |
| Access control | Zero trust model. MFA required, Just-in-time (JIT) access, SSO (SAML/OIDC) |
| Backup & DR | Cross-region encrypted backups, RPO 15min, RTO <4h for control plane |
Request our security package
SOC 2 Type II report, penetration test summary, DPA, and compliance matrix.