Enterprise-Grade Security
Security is foundational to DecisionLedger AI, not an afterthought. Every layer of the platform is engineered to protect your data, ensure compliance, and give your team confidence that sensitive decisions stay secure.
Defense-in-Depth Architecture
Three layers of security protect your data from perimeter to storage. Every component is hardened, monitored, and encrypted by default.
Perimeter
- AWS WAFv2
- VPC isolation
- TLS 1.2+
- DDoS protection
Application
- Row-level security
- RBAC
- PII scanning
- Plugin sandbox
Data
- AES-256 at rest
- S3 Object Lock
- KMS encryption
- Encrypted backups
HIPAA Ready
HIPAA compliance features are available exclusively on the Enterprise plan.
- Business Associate Agreement (BAA)
- PHI Detection - all 18 Safe Harbor identifiers
- Automated Breach Detection (hourly)
- MFA required for all users
- Immutable Audit Trail (7-year retention)
- Security Risk Assessment (NIST SP 800-30)
DecisionLedger maintains administrative, physical, and technical safeguards per the HIPAA Security Rule. We execute Business Associate Agreements before any PHI processing, enforce PHI protections in code, and conduct formal Security Risk Assessments per NIST SP 800-30.
Our automated breach detection runs hourly, monitoring for suspicious patterns - excessive data access, PII spikes, cross-tenant probing, authentication anomalies, and off-hours activity.
Data Protection
Your data is isolated, classified, and protected at every layer. Row-level security ensures tenant boundaries are never crossed.
Row-Level Security
PostgreSQL RLS on 84+ tables - every query scoped to tenant.
Tenant Isolation
Full logical isolation at database, storage, and compute layers.
PII Scanning
Automated detection and classification on every model input.
Data Classification
6-tier sensitivity: public, internal, confidential, sensitive, highly sensitive, restricted.
Encrypted Backups
AES-256 daily backups with cross-region replication and PITR.
Access Control
Fine-grained identity and access management. Control exactly who can see, do, and approve across every resource.
MFA Required
TOTP multi-factor authentication is enforced for every user account - no exceptions, no opt-out. Combined with SSO/SAML 2.0 integration for enterprise identity providers.
Role-Based Access Control
Multi-tier RBAC defines exactly who can view, create, approve, export, or administer across every resource. Session management with configurable timeouts and concurrent session limits.
API Key Scoping
API keys can be scoped to specific resources, operations, and IP ranges. Keys support rotation schedules with zero-downtime rollover and full audit trail of usage.
Compliance Frameworks
SOC 2 Trust Service Assessment
Controls assessed against all five AICPA SOC 2 Type II trust service categories.
- CODEOWNERS dual-review, CI/CD gates, 4-role RBAC, 6-tier data classification, 40+ audit event types
- 9 CloudWatch alarms (SEV1-3), circuit breakers on all integrations, correlation IDs, dual-write audit (S3 + CloudWatch)
- WAFv2 with 5 OWASP rules, RLS on 84+ tables, plugin sandbox with subprocess isolation, Ed25519 signing
- Cognito JWT + JWKS, SHA-256 API key hashing, Fernet session encryption, department-level data scoping, VPC endpoints
- ECS Fargate multi-AZ, deployment circuit breaker with rollback, graceful shutdown, configurable circuit breakers
- Branch protection, PR approval, CI/CD gates: ruff, pytest, pip-audit, npm audit, bandit, Trivy, 98 pinned deps
- Ed25519 plugin signing, multi-tier rate limiting, SNS signature verification, tenant cleanup with 6-layer safety guards
- Auto-scaling (2-6 tasks), Multi-AZ RDS with PITR, Redis HA with failover, DR runbook with 4-hour RTO / 1-hour RPO
- JSON Schema validation, plugin sandbox (512MB / 55s timeout), transaction integrity, inputs_echo audit trail
- 6-tier data classification, RLS on all exportable tables, AES-256 at rest, all secrets in AWS Secrets Manager
- MCP privacy policy, PII scanner across 6 tiers, 84-table tenant export for subject access, 40+ audit event types
Internal management self-assessment as of May 2026. Formal SOC 2 Type II audit engagement in progress.
Model Integrity & Trust Chain
Patent Pending. Every decision model is cryptographically signed, hash-verified, and enforced at runtime. Tampered or unsigned models never execute.
Sign
Ed25519 cryptographic signing binds code, metadata, and signer identity.
Hash
SHA-256 integrity hashes computed for every model artifact file.
Verify
On each load, platform re-hashes and compares - tampering detected instantly.
Enforce
Unsigned or hash-mismatched models are rejected at runtime. No exceptions.
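The Hash, Verify and Enforce steps above can be sketched as follows. This is an added example, not DecisionLedger's code: the function names, manifest layout and sample files are hypothetical, and the manifest is assumed to have already passed its Ed25519 signature check.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: `manifest` was taken from a signature-verified bundle before these calls.


def build_manifest(model_dir: Path) -> dict[str, str]:
    """Hash step: map each artifact's relative path to its SHA-256 digest."""
    return {
        p.relative_to(model_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(model_dir.rglob("*")) if p.is_file()
    }


def verify_model(model_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Verify step: re-hash on load and return every discrepancy, sorted."""
    current = build_manifest(model_dir)
    problems = []
    for name, expected in manifest.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != expected:
            problems.append(f"hash mismatch: {name}")
    # A file absent from the manifest is unsigned content inside a signed model.
    problems += [f"unlisted: {name}" for name in current if name not in manifest]
    return sorted(problems)


def load_model(model_dir: Path, manifest: dict[str, str]) -> str:
    """Enforce step: refuse to load unless verification comes back clean."""
    problems = verify_model(model_dir, manifest)
    if problems:
        raise PermissionError("model rejected: " + "; ".join(problems))
    return "loaded"


def demo() -> list[str]:
    """Constructed sample: hash a two-file model, then tamper and add a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.py").write_text("def decide(x): return x > 10\n")
        (root / "meta.json").write_text('{"name": "sample"}\n')
        manifest = build_manifest(root)
        (root / "model.py").write_text("def decide(x): return True\n")
        (root / "helper.py").write_text("# not in manifest\n")
        return verify_model(root, manifest)
```

Checking for unlisted files matters as much as checking hashes: a manifest that only confirms the files it names lets extra code ride along inside an otherwise valid model directory.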
Audit & Monitoring
Continuous monitoring, proactive alerting, and immutable audit records. Know what happened, when, and why.
CloudWatch Alerting - 9 alarms (SEV1-3) with SNS escalation
Immutable S3 Storage - Object Lock compliance, admin-proof retention
Audit Log Export - JSON/CSV for SIEM ingestion and compliance reporting
Real-time anomaly detection identifies unusual access patterns, data exfiltration attempts, and privilege escalation.
Confidentiality Architecture
Purpose-built for organizations where data confidentiality is not optional - including legal teams that need privilege-aware processing.
AWS Bedrock VPC Isolation
All AI inference within your VPC via Bedrock. No data leaves the AWS cloud boundary.
Row-Level Tenant Isolation
PostgreSQL RLS on 84+ tables. Every query scoped to the requesting tenant.
Zero-Retention Mode
Inputs/outputs computed in memory, never persisted. Only audit metadata stored.
Privilege Designation
Attorney-client privilege with cryptographic attestation chains for litigation support.
Integrity Chain
SHA-256 hash chain for every lifecycle transition. Tamper-evident audit trail.
Data Boundary Enforcement
Patent Pending. Per-artifact-class encryption and multi-strategy redaction at the execution runtime.
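To show why the SHA-256 hash chain described under Integrity Chain is tamper-evident, here is an added example that is not DecisionLedger's implementation. The record fields, the all-zero genesis value and the externally stored head hash are assumptions made for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed starting value for the first link


def link_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous link's hash plus a canonical event encoding."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain: list[dict], event: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": link_hash(prev, event)})


def first_bad_link(chain: list[dict], anchored_head: str) -> Optional[int]:
    """Index of the first inconsistent link, len(chain) if the head differs
    from the externally anchored one, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != link_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return None if prev == anchored_head else len(chain)


def sample_chain() -> list[dict]:
    """Constructed lifecycle transitions; field names are illustrative."""
    chain: list[dict] = []
    for state, actor in [("draft", "alice"), ("review", "bob"), ("approved", "carol")]:
        append(chain, {"model": "m-1", "to": state, "actor": actor})
    return chain


def demo() -> dict:
    chain = sample_chain()
    head = chain[-1]["hash"]  # assumed to be stored outside the log itself
    edited = [dict(e) for e in chain]
    edited[1] = {**edited[1], "event": {**edited[1]["event"], "actor": "mallory"}}
    truncated = chain[:-1]  # every remaining link is still internally valid
    return {"intact": first_bad_link(chain, head),
            "edited": first_bad_link(edited, head),
            "truncated": first_bad_link(truncated, head)}
```

Dropping the newest entries leaves a chain whose links all still verify, so truncation is caught only because the head hash is compared against a copy held somewhere the log writer cannot modify.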
