Skip to main content
The Capital Reformation: 18 Theses on the death of operational wasteRead Now →
AAS

Security & Compliance

Enterprise-Grade Security

Your data security is our top priority. AgentAAS OS is built from the ground up with defense-in-depth architecture, meeting the strictest compliance requirements for regulated capital governance.

SOC 2 Type IIISO 27001GDPRHIPAAPCI DSS

Compliance

Certifications & Standards

Independently audited and certified against the most rigorous global security and privacy frameworks.

Certified

SOC 2 Type II

Independently audited annually against the AICPA Trust Services Criteria. Our controls for security, availability, processing integrity, confidentiality, and privacy are continuously monitored and verified by Deloitte.

Last audit: January 2026

Certified

ISO 27001

Certified information security management system (ISMS) covering all aspects of our platform, infrastructure, and organizational processes. Surveillance audits conducted semi-annually by BSI Group.

Certificate #IS 789456

Certified

GDPR

Full compliance with the EU General Data Protection Regulation. We serve as a data processor with comprehensive DPA agreements, support data subject access requests (DSAR), and maintain EU data residency options.

EU Representative appointed

Certified

HIPAA

Business Associate Agreements (BAA) available for healthcare and life sciences organizations. Administrative, physical, and technical safeguards implemented per the HIPAA Security Rule and Privacy Rule.

BAA available on request

In Progress

FedRAMP

Pursuing FedRAMP Moderate authorization to serve federal agencies and government contractors. Currently in the assessment phase with a 3PAO. Expected authorization by Q4 2026.

3PAO assessment underway

Certified

PCI DSS

Level 1 Service Provider compliance for secure handling of payment card data in capital transactions. Quarterly ASV scans and annual on-site assessments conducted by Coalfire.

Level 1 Service Provider

Architecture

Security Architecture

Four pillars of defense-in-depth protect your capital governance data at every layer of the stack.

Data Encryption

Military-grade encryption everywhere

  • AES-256 encryption for all data at rest across databases, file stores, and backups
  • TLS 1.3 enforced for all data in transit with perfect forward secrecy
  • Customer-managed encryption keys (CMEK) via AWS KMS or Azure Key Vault
  • Envelope encryption with automatic key rotation every 90 days
  • Hardware Security Modules (HSM) for cryptographic key protection
  • End-to-end encryption for sensitive document workflows

Access Control

Zero-trust identity verification

  • Role-based access control (RBAC) with granular permission policies
  • SAML 2.0 and OpenID Connect SSO integration with all major IdPs
  • Enforced multi-factor authentication (MFA) with TOTP, WebAuthn, and FIDO2
  • Zero-trust network architecture with continuous identity verification
  • Just-in-time (JIT) privileged access with automatic expiration
  • IP allowlisting and geofencing for organization-level access policies

Infrastructure

Hardened cloud-native deployment

  • AWS GovCloud and commercial regions with isolated VPCs per tenant
  • Web Application Firewall (WAF) with custom rule sets and DDoS protection
  • Container-level isolation with read-only file systems and no-root execution
  • Immutable infrastructure deployed via GitOps with signed artifacts
  • Network micro-segmentation with east-west traffic inspection
  • Automated vulnerability patching within 24 hours of critical CVE disclosure

Monitoring & Response

24/7 security operations center

  • 24/7 Security Operations Center (SOC) with dedicated threat analysts
  • SIEM platform with correlation rules tuned for capital governance threats
  • Real-time alerting with < 5-minute detection for anomalous behavior
  • Automated incident response playbooks for common attack patterns
  • Full audit trail with immutable, tamper-evident logging to S3 Glacier
  • Threat intelligence feeds integrated from CrowdStrike, Mandiant, and CISA

Data Protection

Your Data, Your Rules

Complete control over where your data lives, how it is protected, and when it is retained or deleted.

Data Residency Options

Choose the geographic region for your data storage to meet regulatory and sovereignty requirements.

United States

US-East (Virginia), US-West (Oregon), US-Gov (GovCloud)

SOC 2HIPAAFedRAMP

European Union

EU-West (Frankfurt), EU-North (Stockholm)

SOC 2GDPRISO 27001

Asia-Pacific

AP-Southeast (Singapore), AP-Northeast (Tokyo)

SOC 2ISO 27001PDPA

Backup & Disaster Recovery

Multi-region replication and automated failover ensure your capital governance data is always available.

RPO

1 hour

Recovery Point Objective: maximum data loss window in a disaster scenario. Continuous replication ensures near-real-time data synchronization across availability zones.

RTO

4 hours

Recovery Time Objective: maximum time to restore full service. Automated failover and pre-provisioned standby infrastructure enable rapid recovery.

Backup Frequency

Every 15 min

Incremental backups every 15 minutes with full daily snapshots. All backups are encrypted and stored in geographically separate regions.

Retention

7 years

Default retention period for audit logs and compliance records. Configurable per organization to meet specific regulatory requirements up to 10 years.

Data Retention & Deletion

Transparent policies for data lifecycle management with full customer control.

  • Customer data retained for the duration of the subscription plus 90-day grace period
  • Complete data purge within 30 days of deletion request with cryptographic verification
  • Automated PII redaction available for data older than configurable thresholds
  • Immutable audit logs preserved independently per regulatory requirements
  • Annual data minimization reviews to eliminate unnecessary data collection
  • Granular data export in standard formats (JSON, CSV, Parquet) for portability

Testing & Audits

Continuous Security Validation

Proactive testing by world-class security firms and a thriving bug bounty community ensures resilience against evolving threats.

Annual Penetration Testing

CrowdStrike Services

Comprehensive annual penetration tests covering application, network, and infrastructure layers. Red team exercises simulate advanced persistent threats targeting capital governance workflows. Full remediation of all critical and high findings within 30 days.

Annual (+ ad hoc for major releases)

Quarterly Vulnerability Scans

Qualys & Tenable

Automated vulnerability scanning across all production assets, APIs, and dependencies. CVSS-scored findings prioritized by exploitability and business impact. Integration with CI/CD pipeline prevents deployment of known-vulnerable components.

Quarterly (continuous in CI/CD)

Bug Bounty Program

HackerOne Platform

Public responsible disclosure program with tiered bounty rewards up to $25,000 for critical findings. Over 200 active security researchers participate. Median time to first response: 4 hours. Median time to resolution: 7 days.

Continuous, year-round

By The Numbers

Security at Scale

The metrics that define our commitment to protecting your capital governance data.

0

Breaches Since Founding

Zero security breaches or data leaks across our entire operational history

256-bit

Encryption Standard

AES-256 encryption at rest with TLS 1.3 for all data in transit

99.99%

Uptime SLA

Contractual uptime guarantee backed by multi-region active-active architecture

<15min

Incident Response

Mean time to acknowledge and begin response for P1 security incidents

Trust Center

Downloadable Resources

Access our security documentation to accelerate your vendor review and procurement process.

Under NDA

SOC 2 Type II Report

Complete audit report covering security, availability, and confidentiality trust service criteria. Available under NDA.

Request Report
Public

Security Whitepaper

In-depth technical overview of our security architecture, encryption standards, access controls, and operational procedures.

Download PDF
Public

Data Processing Agreement

Standard DPA template covering GDPR, CCPA, and other privacy regulations. Pre-signed and ready for countersignature.

Download DPA
Public

Vendor Security Questionnaire

Pre-completed CAIQ (Consensus Assessment Initiative Questionnaire) and SIG Lite responses for your security review.

Download Questionnaire

FAQ

Security Questions

Answers to common security and compliance questions from enterprise procurement and InfoSec teams.

How does AgentAAS OS handle encryption key management?

All encryption keys are managed through AWS Key Management Service (KMS) with automatic rotation every 90 days. Enterprise customers can bring their own keys (BYOK) or use customer-managed keys (CMEK) for complete control. Keys are protected by FIPS 140-2 Level 3 validated hardware security modules.

What data does AgentAAS OS access in our systems?

Our connectors operate in strict read-only mode. We access only the capital governance data explicitly authorized during integration setup. No write-back, modification, or deletion of source system data ever occurs. All data access is logged and auditable.

How do you ensure tenant isolation in a multi-tenant environment?

Each tenant operates in a logically isolated environment with dedicated encryption keys, separate database schemas, and network-level segmentation. Cross-tenant data access is architecturally impossible. We undergo annual multi-tenancy security reviews as part of our SOC 2 audit.

What is your incident response process?

We maintain a documented incident response plan aligned with NIST SP 800-61. Our 24/7 SOC team acknowledges P1 incidents within 15 minutes. Affected customers are notified within 24 hours of confirmed data incidents. Post-incident reviews with root cause analysis are shared with impacted customers.

Can we perform our own security assessment of AgentAAS OS?

Yes. Enterprise customers may conduct their own security assessments, including penetration testing of their dedicated environment, with prior coordination. We also provide our latest third-party pen test executive summary and full SOC 2 report under NDA.

How does AgentAAS OS handle data deletion and portability?

Upon subscription termination, all customer data is purged within 30 days with cryptographic verification of deletion. Data export is available in standard formats (JSON, CSV, Parquet) at any time. We provide a 90-day grace period before purge to allow for migration.

Ready to Discuss Your Security Requirements?

Our security team is available to walk through your compliance requirements, answer technical questions, and provide documentation for your vendor review process.

Contact Security TeamSchedule Security Review

Response within 1 business day. NDA-protected discussions available.