The answer your compliance officerhas been waiting for.
Every Specialist runs on AWS Bedrock. Every action is logged. Compliance posture monitoring runs against your environment — assessed against HIPAA, SOC 2 (audit target Q3 2026), GDPR, NIST 800-53, and ISO 27001 control families. These are evaluation tools, not audit attestations. Plus the documentation your review process actually asks for.
no foundation-model training on your data. data stays in your aws region by architecture. per-org isolation enforced at the database by postgres row-level security. dedicated single-tenant aws accounts available on enterprise.
security features
Built for teamswith real obligations.
Controls that protect your data and give your compliance officer the evidence they need.
VPC isolation
availableAll resources deployed in private subnets. RDS Proxy, S3 Gateway endpoint, and Lambda in private VPC.
KMS encryption
availableAES-256 at rest with AWS KMS across Aurora, S3, and OpenSearch. TLS 1.3 in transit.
Dedicated AWS tenant
enterpriseSingle-tenant infrastructure in your AWS region. Dedicated database, runtime, and CDN — operated by us for regulated industries.
Connect your AWS account (read-only)
availableOptional: connect your AWS account with one read-only IAM role you create — we never receive AWS credentials, and you revoke all access any time by deleting the CloudFormation stack. Read-only is enforced twice (the role, then a per-call clamp), you scope it to the services your Specialists need, and every read is logged.
Multi-tenant RBAC
availableFour roles (Admin · OrgManager · TeamManager · User). PostgreSQL row-level security enforces tenant isolation on every query — at the database, not the app.
CloudTrail audit logging
availableEvery API call logged via CloudTrail. Application-level audit trail with user, timestamp, and action context.
Compliance posture monitoring
availableIn-product assessment tools that read your AWS account's security posture (through the same read-only connection) and check it against HIPAA, SOC 2, GDPR, NIST 800-53, and ISO 27001 control families. Results are exportable for your auditor to review — they are not audit attestations.
Cognito authentication
availableCognito User Pool with invite-only registration, MFA, and OAuth/OIDC.
AWS Bedrock only
availableAll AI inference through AWS Bedrock. By default, no data sent to third-party AI providers. Optional provider-data-share models (e.g. Claude Fable 5) require a per-agent opt-in. Region-scoped.
infrastructure compliance tests
Automated audittest suites.
Infrastructure compliance tests against major frameworks, built on AWS compliance-eligible services.
SOC 2
posture monitoring
HIPAA
posture monitoring
GDPR
posture monitoring
NIST 800-53
posture monitoring
ISO 27001
posture monitoring
compliance documentation
Documentationyour CCO can take home.
Everything your compliance review actually asks for — ready to share with your security team, privacy officer, or auditor.
Security overview
PDF summary of the security architecture, data flow, and access controls — ready to share with your CCO.
Architecture diagram
AWS Bedrock data flow showing tenant isolation, inference boundaries, and where customer data actually lives.
Data processing agreement (DPA)
Template DPA aligned with GDPR Article 28 and covering sub-processor disclosure, data residency, and breach notification.
Vendor security questionnaire
Pre-filled responses to CAIQ-lite, SIG, and custom questionnaires. Turnaround measured in days, not weeks.
Compliance posture reports
In-product assessment of your environment against HIPAA, SOC 2, GDPR, NIST 800-53, and ISO 27001 control families. Exportable for your auditor to review. Not an audit attestation.
Audit trail exports
Every Specialist action logged with user, timestamp, and context. Exportable as CSV or JSON for regulators, courts, or internal review.
A SOC 2 Type II audit is targeted for Q3 2026. Until it completes, our in-product scans cover the SOC 2 control set against your live environment.
Request compliance documentationdata handling
Where your dataactually goes.
- All LLM calls route through AWS Bedrock — by default, no data sent to third-party AI providers (optional provider-data-share models like Claude Fable 5 require a per-agent opt-in)
- Encrypted at rest (KMS) and in transit (TLS 1.3)
- PostgreSQL row-level security enforces tenant isolation on every query
- CloudTrail audit logging on all API calls
- Dedicated single-tenant deployments available for regulated industries
the security review call
Bring yourcompliance officer.
Send them the documentation, or bring them to a security review call. We answer the questions your review process asks — on your timeline, not a six-month one.