When companies trust us with their AI oversight, we take that responsibility seriously.
Independently audited security controls for enterprise requirements.
BAA available for healthcare organizations handling PHI.
Full compliance with EU data protection regulations.
Certified information security management system.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. We use AWS KMS for key management with automatic key rotation.
Our infrastructure runs in isolated VPCs with strict network segmentation. All traffic is monitored and logged. We employ WAF protection and DDoS mitigation at the edge.
We implement the principle of least privilege for all access. Employee access to production systems requires MFA and is logged. All access is reviewed quarterly.
All code changes undergo mandatory security review. We run automated static analysis (SAST) and dynamic testing (DAST) in our CI/CD pipeline. Dependencies are continuously scanned for vulnerabilities.
We support SSO via SAML 2.0 and OIDC. API authentication uses scoped API keys with configurable permissions. All authentication events are logged for audit purposes.
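As an added illustration of what scoped, logged API-key checks look like in practice (example code written for this page, not attest.ai's implementation), the block below issues keys of an assumed form `ak_<id>_<secret>`, stores only a SHA-256 hash of the secret, compares hashes in constant time, honours revocation, resolves scopes such as `reports:read` against a key's configured scopes (including an assumed `reports:*` wildcard), and records every decision in an audit list. The key format, scope names and in-memory store are assumptions, not details taken from the page.

```python
"""Scoped API-key verification: added illustration, not attest.ai's code.

Assumptions (not from the page): keys look like "ak_<id>_<secret>", only a
SHA-256 hash of the secret is stored, and each key carries a set of scopes
such as "reports:read", "reports:write" or the wildcard "reports:*".
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class StoredKey:
    key_id: str
    secret_hash: bytes
    scopes: frozenset
    revoked: bool = False


# Constructed in-memory store and audit trail; a deployment would use a
# database and an append-only log.
KEY_STORE: dict = {}
AUDIT_LOG: list = []


def issue_key(scopes) -> str:
    """Create a key with the given scopes; the secret is returned once."""
    key_id = secrets.token_hex(8)          # hex only, so it never contains "_"
    secret = secrets.token_urlsafe(32)
    KEY_STORE[key_id] = StoredKey(
        key_id, hashlib.sha256(secret.encode()).digest(), frozenset(scopes))
    return f"ak_{key_id}_{secret}"


def revoke_key(key_id: str) -> None:
    KEY_STORE[key_id].revoked = True


def _scope_allows(granted: frozenset, required: str) -> bool:
    """'svc:*' satisfies any 'svc:action'; otherwise require an exact match."""
    service = required.split(":", 1)[0]
    return required in granted or f"{service}:*" in granted


def authorize(presented: str, required_scope: str) -> bool:
    """Return True only for a valid, unrevoked key whose scopes cover the action."""
    rec, secret = None, ""
    parts = presented.split("_", 2)        # maxsplit keeps "_" inside the secret intact
    if len(parts) == 3 and parts[0] == "ak":
        rec, secret = KEY_STORE.get(parts[1]), parts[2]

    # Hash and compare unconditionally so timing does not reveal whether the id exists.
    candidate = hashlib.sha256(secret.encode()).digest()
    expected = rec.secret_hash if rec is not None else bytes(32)
    valid = hmac.compare_digest(candidate, expected) and rec is not None and not rec.revoked
    allowed = valid and _scope_allows(rec.scopes, required_scope)

    AUDIT_LOG.append({
        "key_id": rec.key_id if rec is not None else None,
        "scope": required_scope,
        "allowed": allowed,
    })
    return allowed


if __name__ == "__main__":
    key = issue_key({"reports:read"})
    print(authorize(key, "reports:read"), authorize(key, "reports:write"))
```

The lookup hashes whatever was presented even when the key id is unknown, so a missing id and a wrong secret take the same code path; the audit entry is written on both success and failure, which is what makes later review of authentication events possible.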
We conduct annual third-party penetration tests and run a continuous bug bounty program. Critical findings are remediated within 24 hours.
Customer data is logically isolated at the application layer. We never access customer data without explicit permission. Data retention follows configurable policies and supports regulatory requirements.
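To make concrete what logical isolation at the application layer means, here is an added example (not attest.ai's code) using an in-memory SQLite table shared by two constructed tenants. The tenant identity comes from the authenticated request context, never from a request parameter, and every query is bound to it; an unscoped lookup is shown alongside so the difference is visible. Table and tenant names are assumptions made for the example.

```python
"""Application-layer tenant isolation: added illustration, not attest.ai's code.

Assumption (not from the page): one shared `documents` table whose rows carry a
tenant_id, and a request context whose tenant_id is set by authentication.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    tenant_id: str  # derived from the authenticated session, never from user input


def open_db() -> sqlite3.Connection:
    """Create a throwaway database with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, title) VALUES (?, ?, ?)",
        [(1, "acme", "Acme roadmap"),
         (2, "acme", "Acme budget"),
         (3, "globex", "Globex plan")])
    return conn


def get_document_unscoped(conn, doc_id):
    """The insecure pattern: any tenant can read any row by guessing its id."""
    row = conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return None if row is None else {"id": row[0], "tenant_id": row[1], "title": row[2]}


def get_document(conn, ctx: RequestContext, doc_id):
    """Tenant-scoped read: a foreign id behaves exactly like a missing one."""
    row = conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, ctx.tenant_id)).fetchone()
    return None if row is None else {"id": row[0], "tenant_id": row[1], "title": row[2]}


def list_document_ids(conn, ctx: RequestContext):
    """Tenant-scoped listing; the tenant filter is added by the code, not the caller."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM documents WHERE tenant_id = ? ORDER BY id", (ctx.tenant_id,))]


def delete_document(conn, ctx: RequestContext, doc_id) -> int:
    """Tenant-scoped delete; returns the number of rows removed (0 for foreign ids)."""
    cur = conn.execute(
        "DELETE FROM documents WHERE id = ? AND tenant_id = ?", (doc_id, ctx.tenant_id))
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    globex = RequestContext(tenant_id="globex")
    print(get_document_unscoped(db, 1))   # leaks Acme's row
    print(get_document(db, globex, 1))    # None
```

Writes get the same treatment as reads: a delete or update that omits the tenant predicate is the same cross-tenant bug as an unscoped select, only destructive.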
By default, data is processed in the US (AWS us-east-1). We offer EU data residency (eu-west-1) for customers who require it. Enterprise customers can specify additional data location requirements.
We maintain a list of all subprocessors and notify customers 30 days before adding new ones. Current subprocessors include AWS (infrastructure), Stripe (billing), and Datadog (monitoring).
We maintain a documented incident response plan with defined escalation procedures. Security incidents are communicated to affected customers within 72 hours. Post-incident reviews are conducted and shared when appropriate.
If you discover a security vulnerability, please report it to security@attest.ai. We operate a responsible disclosure program and will work with you to address any issues promptly.
Enterprise customers can request our SOC 2 Type II report, penetration test summaries, and security questionnaire responses by contacting security@attest.ai.