Enterprise-Grade Security

    Security is foundational to DecisionLedger AI, not an afterthought. Every layer of the platform is engineered to protect your data, ensure compliance, and give your team confidence that sensitive decisions stay secure.

    SOC 2HIPAAGDPREU AI ActISO 42001

    0+

    RLS-Protected Tables

    0

    PII Types Detected

    0

    SOC 2 Controls

    0

    Safe Harbor IDs

    0-Year

    Audit Retention

    Defense-in-Depth Architecture

    Three layers of security protect your data from perimeter to storage. Every component is hardened, monitored, and encrypted by default.

    1

    Perimeter

    • Web application firewall
    • Network isolation
    • TLS in transit
    • DDoS protection
    2

    Application

    • Tenant data isolation
    • Role-based access
    • PII scanning
    • Sandboxed execution
    3

    Data

    • AES-256 at rest
    • S3 Object Lock
    • Managed key encryption
    • Encrypted backups

    HIPAA Ready

    Enterprise

    HIPAA compliance features are available exclusively on the Enterprise plan.

    • Business Associate Agreement (BAA)
    • PHI Detection - all 18 Safe Harbor identifiers
    • Automated Breach Detection (hourly)
    • MFA required for all users
    • Immutable Audit Trail (7-year retention)
    • Security Risk Assessment (NIST SP 800-30)

    DecisionLedger maintains administrative, physical, and technical safeguards per the HIPAA Security Rule. We execute Business Associate Agreements before any PHI processing, enforce PHI protections in code, and conduct formal Security Risk Assessments per NIST SP 800-30.

    Our automated breach detection runs hourly, monitoring for suspicious access patterns and authentication anomalies across your environment.

    Data Protection

    Your data is isolated, classified, and protected at every layer. Row-level security ensures tenant boundaries are never crossed.

    Row-Level Security

    PostgreSQL RLS on 84+ tables - every query scoped to tenant.

    Tenant Isolation

    Full logical isolation at database, storage, and compute layers.

    PII Scanning

    Automated detection and classification on every model input.

    Data Classification

    Multi-tier sensitivity classification applied automatically across your data.

    Encrypted Backups

    AES-256 daily backups with cross-region replication and PITR.

    Access Control

    Fine-grained identity and access management. Control exactly who can see, do, and approve across every resource.

    MFA Required

    TOTP multi-factor authentication is enforced for every user account - no exceptions, no opt-out. Combined with SSO/SAML 2.0 integration for enterprise identity providers.

    Role-Based Access Control

    Multi-tier RBAC defines exactly who can view, create, approve, export, or administer across every resource. Session management with configurable timeouts and concurrent session limits.

    API Key Scoping

    API keys can be scoped to specific resources, operations, and IP ranges. Keys support rotation schedules with zero-downtime rollover and full audit trail of usage.

    Compliance Frameworks

    SOC 2 Type IIGDPRCCPAEU AI ActNYC LL144EEOCISO 42001HIPAA (Enterprise)

    SOC 2 Trust Service Assessment

    Controls assessed against all five AICPA SOC 2 Type II trust service categories.

    CriterionDescriptionStatus
    CC1–CC3
    Control Environment, Communication & Risk Assessment

    Mandatory dual code review, CI/CD gates, role-based access control, multi-tier data classification, comprehensive audit event coverage

    Pass
    CC4
    Monitoring Activities

    Tiered CloudWatch alarming, circuit breakers on all integrations, request correlation, redundant audit logging

    Pass
    CC5
    Control Activities

    Web application firewall with OWASP protections, row-level security across tenant tables, sandboxed model execution, cryptographic model signing

    Pass
    CC6
    Logical & Physical Access

    Managed identity authentication, hashed API keys, encrypted sessions, department-level data scoping, private network endpoints

    Pass
    CC7
    System Operations

    Multi-AZ ECS Fargate, deployment auto-rollback, graceful shutdown, configurable circuit breakers

    Pass
    CC8
    Change Management

    Branch protection, PR approval, automated security and dependency scanning in CI/CD, pinned dependencies

    Pass
    CC9
    Risk Mitigation

    Cryptographic plugin signing, multi-tier rate limiting, verified webhook signatures, layered tenant cleanup safeguards

    Pass
    A1
    Availability

    Auto-scaling, Multi-AZ RDS with point-in-time recovery, Redis HA with failover, documented DR runbook

    Pass
    PI1
    Processing Integrity

    Schema validation on every input, sandboxed model execution, transaction integrity, full input audit trail

    Pass
    C1
    Confidentiality

    Multi-tier data classification, RLS on all exportable tables, AES-256 at rest, all secrets in AWS Secrets Manager

    Pass
    P1
    Privacy

    Published privacy policy, multi-tier PII scanning, full tenant export for subject access requests, comprehensive audit coverage

    Pass

    Based on an internal management self-assessment. Formal SOC 2 Type II audit engagement in progress.

    Model Integrity & Trust Chain

    Patent Pending

    Every decision model is cryptographically signed, hash-verified, and enforced at runtime. Tampered or unsigned models never execute.

    Sign

    Cryptographic signing binds code, metadata, and signer identity.

    Hash

    Integrity hashes are computed for every model artifact.

    Verify

    Integrity is re-checked before every run - tampering is detected instantly.

    Enforce

    Unsigned or tampered models are rejected at runtime. No exceptions.

    Audit & Monitoring

    Continuous monitoring, proactive alerting, and immutable audit records. Know what happened, when, and why.

    Monitoring Coverage (%)

    CloudWatch Alerting - 9 alarms (SEV1-3) with SNS escalation

    Immutable S3 Storage - Object Lock compliance, admin-proof retention

    Audit Log Export - JSON/CSV for SIEM ingestion and compliance reporting

    Real-time anomaly detection identifies unusual access patterns, data exfiltration attempts, and privilege escalation.

    Confidentiality Architecture

    Purpose-built for organizations where data confidentiality is not optional - including legal teams that need privilege-aware processing.

    AWS Bedrock VPC Isolation

    All AI inference within your VPC via Bedrock. No data leaves the AWS cloud boundary.

    Row-Level Tenant Isolation

    PostgreSQL RLS on 84+ tables. Every query scoped to the requesting tenant.

    Zero-Retention Mode

    Sensitive inputs and outputs are never persisted. Only audit metadata is retained.

    Privilege Designation

    Attorney-client privilege with cryptographic attestation chains for litigation support.

    Integrity Chain

    Cryptographically linked records across every lifecycle transition. Tamper-evident audit trail.

    Data Boundary Enforcement

    Patent Pending

    Sensitive data is protected at the point of execution and never exposed beyond its boundary.

    Security questions? Let's talk.

    Our team is ready to walk through our security architecture, share compliance documentation, and answer any questions your security team may have.