Authentication & Access
Identity Provider
Authentication powered by AWS Cognito with support for email/password, Google, and Microsoft social sign-in. SAML SSO available on Enterprise plans.
Multi-Factor Authentication
MFA support via authenticator apps (TOTP). Admins can enforce MFA organization-wide through workspace settings.
Role-Based Access Control
Four built-in roles — Admin, Operator, Analyst, Viewer — with granular permissions for models, decisions, governance, and administration.
Session Management
JWT-based sessions with configurable expiration. Tokens are encrypted at rest and automatically refreshed. Sessions can be revoked by admins.
Data Security
Tenant Isolation (Row-Level Security)
Every database query is filtered by tenant ID at the PostgreSQL policy level. Data from one workspace is never accessible to another — enforced by the database engine, not application code.
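How tenant filtering at the PostgreSQL policy level can look, as an added example that is not this product's schema or policy. The `model_runs` table, the `app_user` role and the `app.tenant_id` session setting are assumptions made for illustration.

```sql
-- Added illustration for a scratch database, run as a superuser.
-- Table, role and setting names are assumptions, not the product's schema.
CREATE TABLE model_runs (
    id        bigserial PRIMARY KEY,
    tenant_id uuid  NOT NULL,
    payload   jsonb NOT NULL
);

-- FORCE applies policies to the table owner as well; superusers and
-- BYPASSRLS roles still skip RLS, so the application role has neither.
ALTER TABLE model_runs ENABLE ROW LEVEL SECURITY;
ALTER TABLE model_runs FORCE ROW LEVEL SECURITY;
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON model_runs TO app_user;
GRANT USAGE ON SEQUENCE model_runs_id_seq TO app_user;

-- USING filters reads, updates and deletes; WITH CHECK blocks writes for
-- another tenant. NULLIF maps an unset or reset setting to NULL, so a
-- session with no tenant context matches no rows (fails closed).
CREATE POLICY tenant_isolation ON model_runs
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Constructed sample rows, seeded by the superuser (which bypasses RLS).
INSERT INTO model_runs (tenant_id, payload) VALUES
    ('11111111-1111-1111-1111-111111111111', '{"run": "tenant-a"}'),
    ('22222222-2222-2222-2222-222222222222', '{"run": "tenant-b"}');

-- A request handled for tenant B: context is scoped to the transaction.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
-- No WHERE clause, yet the policy limits this to tenant B's row.
SELECT id, tenant_id, payload FROM model_runs;
-- Rejected by WITH CHECK: the new row names tenant A.
INSERT INTO model_runs (tenant_id, payload)
VALUES ('11111111-1111-1111-1111-111111111111', '{"run": "cross-tenant"}');
ROLLBACK;

-- No tenant context at all: the policy predicate is NULL for every row.
SET ROLE app_user;
SELECT count(*) FROM model_runs;
RESET ROLE;
```

When reviewing such a setup, confirm that the application connects as a role without `SUPERUSER` or `BYPASSRLS` and that the tenant setting is applied per transaction, so pooled connections do not carry one tenant's context into another request.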
Encryption at Rest
All data stored in PostgreSQL (RDS) and S3 is encrypted using AES-256. Encryption keys are managed by AWS KMS with automatic rotation.
Encryption in Transit
All traffic uses TLS 1.2+ between clients, load balancers, application servers, and databases. Internal service communication is encrypted.
PII Scanning & Redaction
Every model input is scanned for personally identifiable information. PII is classified, flagged, and can be automatically redacted before storage.
Compliance Certifications
SOC 2 Type II
Status: Aligned. Controls aligned to SOC 2 Type II trust service criteria — security, availability, and confidentiality. Formal audit engagement in progress.
GDPR
Status: Compliant. Data Processing Agreement (DPA) available. Data residency in US-West-2 (Oregon). Right to erasure and data portability supported.
CCPA
Status: Compliant. California Consumer Privacy Act compliance with opt-out, access, and deletion rights. Privacy policy details at /california-privacy.
EU AI Act
Status: Prepared. Transparency documentation for AI-assisted decision support. Bias audit framework, model explainability, and human oversight controls.
Audit Logging & Monitoring
| Capability | Details |
|---|---|
| Application Audit Log | Every API call, login, model run, decision transition, and admin action is logged with user, timestamp, and tenant context |
| Infrastructure Logging | AWS CloudTrail for API-level infrastructure auditing. Logs stored in immutable S3 buckets with Glacier lifecycle |
| ALB Access Logs | Load balancer access logs with request metadata, stored with 90-day retention |
| Alerting | CloudWatch alarms for error rates, latency, CPU, and health check failures with SNS notifications |
| Plugin Verification | Ed25519 cryptographic signing for all plugins. Signature verification before every execution |
