Minimum Access with Full Control
On-demand reading, no persistence
The agent reads data only during active investigation. After analysis, data is discarded. We don't store raw customer data.
Data read on demand, analyzed in-memory, discarded after investigation completion.
Least privilege access
Each integration uses read-only credentials with minimum scope via OAuth. The agent never has write access unless explicitly authorized.
OAuth scopes limited to read-only; write access requires explicit human approval.
No writing by default
The agent is read-only. Remediation actions require explicit user approval (human-in-the-loop) before any destructive action.
All write operations gated behind human-in-the-loop approval flow.
Isolation and Transparency
Tenant isolation
Each customer has individual KMS encryption via AWS. Data is never mixed between customers. LLM calls contain data from exactly one tenant.
Per-tenant KMS keys, isolated ECS tasks, single-tenant LLM contexts.
No cross-training
Customer data is never used to train models for other customers. Fine-tuning is exclusive per account when applicable.
Zero cross-customer data sharing; per-account fine-tuning isolation.
Immutable audit trail
Each investigation generates detailed log in S3 with Object Lock (WORM). The log is visible to the customer and cannot be altered.
S3 Object Lock (WORM), includes: sources accessed, data read, tokens processed, result.
Compliance & Certifications
| Certification | Status | Details |
|---|---|---|
| LGPD | Compliant since launch | KMS per-tenant + TTL + right-to-delete. Data subject requests fulfilled in 15 days. Breach notification in 72h. |
| GDPR | Compliant since launch | Same mechanisms cover GDPR. Standard Contractual Clauses for cross-border transfers. |
| SOC 2 Type I | Roadmap: month 6-9 | Automated compliance platform. Timeline aligned with SOC 2 readiness milestones. |
| SOC 2 Type II | Roadmap: month 12-18 | Full audit cycle with independent assessor. Builds on Type I controls. |
| ISO 27001 / HIPAA | Roadmap: Year 2+ | As enterprise demand requires. |
Security Architecture
Client (HTTPS) -> WAF -> ALB -> ECS Tasks (private subnets)
ECS Tasks -> NAT Gateway -> External APIs (Slack, GitHub, etc.)
Credentials in AWS Secrets Manager with automatic rotation
RDS/DynamoDB in private subnet with no internet exposure
All logs centralized in CloudWatch + S3 Object Lock
Data at rest: AES-256 via KMS per-tenant. Data in transit: TLS 1.3
Data Isolation (Multi-tenancy)
| Layer | Isolation Mechanism |
|---|---|
| Application | Tenant ID required in every query, log and record. LLM calls containing data from exactly one tenant. |
| Database | PostgreSQL with Row Level Security (RLS) by tenant_id. |
| Vector DB | Partitioned vector storage with hard isolation per tenant. Designed to scale to millions of tenants. |
| Infrastructure | Each investigation runs in ephemeral ECS Task with restricted IAM Role. Container destroyed upon completion. |
| PII Gateway | Microsoft Presidio detects and anonymizes emails, phones, SSNs, cards. Reversible anonymization. |
| Encryption | Data at rest: AES-256 via KMS per-tenant. Data in transit: TLS 1.3. |