Enterprise-Grade Security
Security is foundational to DecisionLedger AI, not an afterthought. Every layer of the platform is engineered to protect your data, ensure compliance, and give your team confidence that sensitive decisions stay secure.
0+
RLS-Protected Tables
0
PII Types Detected
0
SOC 2 Controls
0
Safe Harbor IDs
0-Year
Audit Retention
Defense-in-Depth Architecture
Three layers of security protect your data from perimeter to storage. Every component is hardened, monitored, and encrypted by default.
Perimeter
- Web application firewall
- Network isolation
- TLS in transit
- DDoS protection
Application
- Tenant data isolation
- Role-based access
- PII scanning
- Sandboxed execution
Data
- AES-256 at rest
- S3 Object Lock
- Managed key encryption
- Encrypted backups
HIPAA Ready
EnterpriseHIPAA compliance features are available exclusively on the Enterprise plan.
- Business Associate Agreement (BAA)
- PHI Detection - all 18 Safe Harbor identifiers
- Automated Breach Detection (hourly)
- MFA required for all users
- Immutable Audit Trail (7-year retention)
- Security Risk Assessment (NIST SP 800-30)
DecisionLedger maintains administrative, physical, and technical safeguards per the HIPAA Security Rule. We execute Business Associate Agreements before any PHI processing, enforce PHI protections in code, and conduct formal Security Risk Assessments per NIST SP 800-30.
Our automated breach detection runs hourly, monitoring for suspicious access patterns and authentication anomalies across your environment.
Data Protection
Your data is isolated, classified, and protected at every layer. Row-level security ensures tenant boundaries are never crossed.
Row-Level Security
PostgreSQL RLS on 84+ tables - every query scoped to tenant.
Tenant Isolation
Full logical isolation at database, storage, and compute layers.
PII Scanning
Automated detection and classification on every model input.
Data Classification
Multi-tier sensitivity classification applied automatically across your data.
Encrypted Backups
AES-256 daily backups with cross-region replication and PITR.
Access Control
Fine-grained identity and access management. Control exactly who can see, do, and approve across every resource.
MFA Required
TOTP multi-factor authentication is enforced for every user account - no exceptions, no opt-out. Combined with SSO/SAML 2.0 integration for enterprise identity providers.
Role-Based Access Control
Multi-tier RBAC defines exactly who can view, create, approve, export, or administer across every resource. Session management with configurable timeouts and concurrent session limits.
API Key Scoping
API keys can be scoped to specific resources, operations, and IP ranges. Keys support rotation schedules with zero-downtime rollover and full audit trail of usage.
Compliance Frameworks
SOC 2 Trust Service Assessment
Controls assessed against all five AICPA SOC 2 Type II trust service categories.
Mandatory dual code review, CI/CD gates, role-based access control, multi-tier data classification, comprehensive audit event coverage
Tiered CloudWatch alarming, circuit breakers on all integrations, request correlation, redundant audit logging
Web application firewall with OWASP protections, row-level security across tenant tables, sandboxed model execution, cryptographic model signing
Managed identity authentication, hashed API keys, encrypted sessions, department-level data scoping, private network endpoints
Multi-AZ ECS Fargate, deployment auto-rollback, graceful shutdown, configurable circuit breakers
Branch protection, PR approval, automated security and dependency scanning in CI/CD, pinned dependencies
Cryptographic plugin signing, multi-tier rate limiting, verified webhook signatures, layered tenant cleanup safeguards
Auto-scaling, Multi-AZ RDS with point-in-time recovery, Redis HA with failover, documented DR runbook
Schema validation on every input, sandboxed model execution, transaction integrity, full input audit trail
Multi-tier data classification, RLS on all exportable tables, AES-256 at rest, all secrets in AWS Secrets Manager
Published privacy policy, multi-tier PII scanning, full tenant export for subject access requests, comprehensive audit coverage
Based on an internal management self-assessment. Formal SOC 2 Type II audit engagement in progress.
Model Integrity & Trust Chain
Patent PendingEvery decision model is cryptographically signed, hash-verified, and enforced at runtime. Tampered or unsigned models never execute.
Sign
Cryptographic signing binds code, metadata, and signer identity.
Hash
Integrity hashes are computed for every model artifact.
Verify
Integrity is re-checked before every run - tampering is detected instantly.
Enforce
Unsigned or tampered models are rejected at runtime. No exceptions.
Audit & Monitoring
Continuous monitoring, proactive alerting, and immutable audit records. Know what happened, when, and why.
Monitoring Coverage (%)
CloudWatch Alerting - 9 alarms (SEV1-3) with SNS escalation
Immutable S3 Storage - Object Lock compliance, admin-proof retention
Audit Log Export - JSON/CSV for SIEM ingestion and compliance reporting
Real-time anomaly detection identifies unusual access patterns, data exfiltration attempts, and privilege escalation.
Confidentiality Architecture
Purpose-built for organizations where data confidentiality is not optional - including legal teams that need privilege-aware processing.
AWS Bedrock VPC Isolation
All AI inference within your VPC via Bedrock. No data leaves the AWS cloud boundary.
Row-Level Tenant Isolation
PostgreSQL RLS on 84+ tables. Every query scoped to the requesting tenant.
Zero-Retention Mode
Sensitive inputs and outputs are never persisted. Only audit metadata is retained.
Privilege Designation
Attorney-client privilege with cryptographic attestation chains for litigation support.
Integrity Chain
Cryptographically linked records across every lifecycle transition. Tamper-evident audit trail.
Data Boundary Enforcement
Patent PendingSensitive data is protected at the point of execution and never exposed beyond its boundary.
