Security

Security and compliance by design

Enterprise-grade protection for your AI systems. Built on zero-trust principles with comprehensive audit trails.

SOC 2 Type II · GDPR Compliant · HIPAA Ready · ISO 27001

Data Handling

Your data is encrypted, isolated, and never used to train models.

Encryption in transit

All data transmitted to and from our platform uses TLS 1.3 with strong cipher suites. We enforce HTTPS everywhere with HSTS preloading.

Encryption at rest

All stored data is encrypted using AES-256. Encryption keys are managed via a dedicated KMS with automatic rotation.

Data isolation

Customer data is logically isolated at the database level. Enterprise and Regulated tiers support dedicated infrastructure.

No model training

We never use your prompts, completions, or documents to train any models. Your data remains yours.

Deployment Options

Choose the deployment model that fits your security requirements.

SaaS (Multi-tenant)

Fully managed cloud deployment with logical data isolation. Available in US, EU, and APAC regions. Ideal for most teams.

VPC Deployment

Run the platform in your own AWS, GCP, or Azure VPC. You control network boundaries while we handle updates and maintenance.

On-Premises

Full air-gapped deployment in your data center. Includes offline licensing and dedicated support. Available for Regulated tier.

Access Control

Fine-grained permissions with enterprise identity integration.

SSO/SAML

Integrate with Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC provider. Enforce MFA at the identity provider level.

Role-Based Access Control

Define custom roles with granular permissions. Control access to projects, data sources, models, and admin functions.

API Key Management

Scoped API keys with expiration, IP allowlists, and usage limits. Rotate keys without downtime.

Session Management

Configurable session timeouts, concurrent session limits, and forced logout capabilities for security incidents.

Logging & Audit

Complete visibility into every action for compliance and forensics.

Comprehensive audit logs

Every API call, user action, and system event is logged with timestamp, actor, IP, and payload hash.

Immutable logs

Regulated tier includes tamper-proof audit logs with cryptographic verification. Logs cannot be modified or deleted.

SIEM integration

Stream security events to Splunk, Datadog, or any SIEM via webhook or syslog. Real-time alerting on suspicious activity.

Log export

Export logs to your own S3, GCS, or Azure Blob storage for long-term retention and compliance.

Data Retention

Configurable retention policies to meet your compliance needs.

Configurable retention

Set retention periods per data type: traces, logs, documents, embeddings. Automatic purging after expiration.

Tier-based defaults

Team: 7 days. Enterprise: 90 days. Regulated: 1+ year with immutable storage options.

Right to deletion

GDPR-compliant deletion workflows. Request deletion of all data associated with a user or project.

Backup & recovery

Daily encrypted backups with point-in-time recovery. Backups retained for 30 days (configurable for Regulated tier).

Incident Response

Proactive monitoring and rapid response to security events.

24/7 monitoring

Our security team monitors for threats around the clock. Automated alerting for anomalous activity.

Incident classification

Incidents are classified by severity (P1-P4) with defined SLAs for response and resolution.

Customer notification

Affected customers are notified within 24 hours of confirmed incidents per our incident response policy.

Post-incident review

Root cause analysis and remediation reports provided for all P1/P2 incidents.

Subprocessors

Transparency about third parties that process your data.

Infrastructure

AWS (US, EU, APAC regions) for compute and storage. Google Cloud Platform for specific ML workloads.

Observability

Datadog for internal monitoring (no customer data). PagerDuty for incident management.

Support

Zendesk for customer support ticketing. Support agents access only metadata, not content.

Updates

Subscribe to subprocessor updates via email. 30-day notice before adding new subprocessors.

FAQ

Security questions

Common questions about our security practices and certifications.

Yes. We engage third-party security firms for annual penetration tests and continuous bug bounty programs. Reports are available under NDA for Enterprise and Regulated customers.

Yes. Our SOC 2 Type II report is available under NDA. Contact security@extremeai.net to request a copy.

Yes. Business Associate Agreements are available for Regulated tier customers handling PHI. Contact sales to initiate the BAA process.

Yes. We offer data residency in US, EU (Frankfurt), and APAC (Singapore) regions. VPC and on-prem deployments provide full control over data location.

Yes. Enterprise and Regulated tiers support customer-managed keys (BYOK) via AWS KMS, Azure Key Vault, or Google Cloud KMS.

Email security@extremeai.net with details. We follow responsible disclosure practices and offer a bug bounty for qualifying reports.

Contact our security team

Have security questions or need to report a vulnerability? We're here to help.