Security
Production AI under real-world security constraints.
What we do to keep your data, your code, and your AI infrastructure safe. This page is the honest version — what's actually in place, what's in progress, and where the boundaries are.
Our principles
Least privilege by default
Engineers get access scoped to the engagement, not the org. Production secrets stay in your accounts. We never need superuser access to ship.
Your keys, your accounts
Anthropic, OpenAI, infra, observability — all run on your accounts with your keys. We never proxy or mint credentials on your behalf.
Audit-traceable AI
Every prompt, retrieval, tool call, and output logged with reasoning. Auditors get a reproducible trail. We design to that standard from day one.
No training on your data
We use Anthropic and OpenAI's API tiers that exclude customer data from training. We don't fine-tune on your data without an explicit agreement.
Technical controls
Encryption in transit
TLS 1.2+ everywhere. HSTS on public endpoints. Mutual TLS available for on-prem and edge gateway deployments.
Encryption at rest
AES-256 on databases, object storage, and backups. Customer-managed keys (CMK / KMS) supported for enterprise engagements.
Network controls
VPC isolation, private networking between services, IP allowlists for admin paths, WAF on customer-facing surfaces. No public DB endpoints.
Identity + access
SSO via SAML / OIDC. Hardware-key MFA required for engineers with access to client systems. Per-engagement repo and credential scoping.
Secrets management
Doppler / 1Password / Vault on our side. We use your secrets manager when working in your infra. No secrets in source, ever.
Logging + monitoring
Application logs to Langfuse + your SIEM. Anomaly alerts route to on-call. We keep 90 days at full fidelity, then anonymized aggregates.
Vulnerability management
Dependabot + Renovate on every repo. SCA + SAST in CI. Quarterly internal pen test on shared infrastructure.
Backup + recovery
Daily encrypted backups with point-in-time recovery (Postgres). Restore drills quarterly. RTO ≤ 4 hours / RPO ≤ 1 hour for retained systems.
Compliance posture
| Framework | Status | Notes |
|---|---|---|
| GDPR | Aligned · DPA on file | We sign your DPA or use ours. SCCs included for EU↔non-EU transfers. |
| India DPDP Act | Aligned · DPA on file | Standard Indian DPDP-aligned DPA template available. |
| HIPAA | BAA available | For healthcare engagements. Routed through Anthropic / OpenAI enterprise tiers with BAA. |
| SOC 2 Type II | In progress | We build to SOC 2 controls. Type II audit underway with target completion later this year. |
| ISO 27001 | Build-to standard | We build deployments to ISO 27001 readiness. Audit is between you and your auditor. |
| PCI DSS | Out of scope | We don't process card data. Engagements with PCI requirements use compliant payment providers. |
Need a specific framework that's not listed? Email security@aliansoftware.net — we'll tell you honestly whether we can meet it.
Deployment options
We deploy where your data residency requirements need us to:
- Multi-region cloud — AWS / GCP / Azure in your region of choice. Vercel for client-side, your accounts for the rest.
- Hybrid / edge gateway — Real-time data and agent orchestration on-prem (NUC-class hardware), reasoning in the cloud over scoped channels. Used by manufacturing clients.
- Fully on-prem — Open-source models via vLLM on your hardware when even the reasoning loop can't leave your network. Slower iteration, but doable.
Incident response
Five steps, in order, every time. We don't improvise during an incident.
1. Detection — alerting on our infra and on yours (with permission)
2. Triage — on-call engineer paged within 15 minutes during business hours, 1 hour off-hours
3. Containment — scoped credentials revoked, blast radius mapped
4. Notification — affected clients notified within 24 hours of confirmed material incident
5. Postmortem — written within 5 business days, shared with affected clients in full
Want a deeper security review?
We have a packet for your security team — current SOC 2 progress, DPA template, SCCs, incident response runbook, sub-processor list. Email and we'll send it within a business day.
Most security reviews close in under a week.