for security & compliance teams

The answer your compliance officerhas been waiting for.

Every Specialist runs on AWS Bedrock. Every action is logged. Compliance posture monitoring runs against your environment — assessed against HIPAA, SOC 2 (audit target Q3 2026), GDPR, NIST 800-53, and ISO 27001 control families. These are evaluation tools, not audit attestations. Plus the documentation your review process actually asks for.

data flow · managed aws tenantregion-scoped · byo-aws on enterprise
user
signed in via cognito
managed aws tenant
vpc · rds proxy · kms · per-org rls
aws bedrock
region-pinned · no training
audit log
cloudtrail · every api call
encryption
kms at rest · tls 1.3 transit
tenant isolation
postgres rls · per row

no foundation-model training on your data. data stays in your aws region by architecture. per-org isolation enforced at the database by postgres row-level security. dedicated single-tenant aws accounts available on enterprise.

security features

Built for teamswith real obligations.

Controls that protect your data and give your compliance officer the evidence they need.

VPC isolation

available

All resources deployed in private subnets. RDS Proxy, S3 Gateway endpoint, and Lambda in private VPC.

KMS encryption

available

AES-256 at rest with AWS KMS across Aurora, S3, and OpenSearch. TLS 1.3 in transit.

Dedicated AWS tenant

enterprise

Single-tenant infrastructure in your AWS region. Dedicated database, runtime, and CDN — operated by us for regulated industries.

Connect your AWS account (read-only)

available

Optional: connect your AWS account with one read-only IAM role you create — we never receive AWS credentials, and you revoke all access any time by deleting the CloudFormation stack. Read-only is enforced twice (the role, then a per-call clamp), you scope it to the services your Specialists need, and every read is logged.

Multi-tenant RBAC

available

Four roles (Admin · OrgManager · TeamManager · User). PostgreSQL row-level security enforces tenant isolation on every query — at the database, not the app.

CloudTrail audit logging

available

Every API call logged via CloudTrail. Application-level audit trail with user, timestamp, and action context.

Compliance posture monitoring

available

In-product assessment tools that read your AWS account's security posture (through the same read-only connection) and check it against HIPAA, SOC 2, GDPR, NIST 800-53, and ISO 27001 control families. Results are exportable for your auditor to review — they are not audit attestations.

Cognito authentication

available

Cognito User Pool with invite-only registration, MFA, and OAuth/OIDC.

AWS Bedrock only

available

All AI inference through AWS Bedrock. By default, no data sent to third-party AI providers. Optional provider-data-share models (e.g. Claude Fable 5) require a per-agent opt-in. Region-scoped.

infrastructure compliance tests

Automated audittest suites.

Infrastructure compliance tests against major frameworks, built on AWS compliance-eligible services.

SOC 2

posture monitoring

HIPAA

posture monitoring

GDPR

posture monitoring

NIST 800-53

posture monitoring

ISO 27001

posture monitoring

compliance documentation

Documentationyour CCO can take home.

Everything your compliance review actually asks for — ready to share with your security team, privacy officer, or auditor.

on request

Security overview

PDF summary of the security architecture, data flow, and access controls — ready to share with your CCO.

on request

Architecture diagram

AWS Bedrock data flow showing tenant isolation, inference boundaries, and where customer data actually lives.

on request

Data processing agreement (DPA)

Template DPA aligned with GDPR Article 28 and covering sub-processor disclosure, data residency, and breach notification.

on request

Vendor security questionnaire

Pre-filled responses to CAIQ-lite, SIG, and custom questionnaires. Turnaround measured in days, not weeks.

in-product

Compliance posture reports

In-product assessment of your environment against HIPAA, SOC 2, GDPR, NIST 800-53, and ISO 27001 control families. Exportable for your auditor to review. Not an audit attestation.

in-product

Audit trail exports

Every Specialist action logged with user, timestamp, and context. Exportable as CSV or JSON for regulators, courts, or internal review.

A SOC 2 Type II audit is targeted for Q3 2026. Until it completes, our in-product scans cover the SOC 2 control set against your live environment.

Request compliance documentation

data handling

Where your dataactually goes.

  • All LLM calls route through AWS Bedrock — by default, no data sent to third-party AI providers (optional provider-data-share models like Claude Fable 5 require a per-agent opt-in)
  • Encrypted at rest (KMS) and in transit (TLS 1.3)
  • PostgreSQL row-level security enforces tenant isolation on every query
  • CloudTrail audit logging on all API calls
  • Dedicated single-tenant deployments available for regulated industries

the security review call

Bring yourcompliance officer.

Send them the documentation, or bring them to a security review call. We answer the questions your review process asks — on your timeline, not a six-month one.