Security & Trust Center · Updated March 2025

We ask you to upload sensitive documents. Here's exactly how we protect them.

AnalystEngine is built for IT leaders who operate in regulated environments. Before you upload a single file, you deserve to know precisely how your data is handled, stored, and protected at every layer.

Designed for: Financial Services Healthcare IT Government Mid-Market Enterprise
Pre-Launch Transparency Notice — AnalystEngine is in early access. Several certifications below are actively in progress. We publish this page now before customers upload data because security commitments should be made before trust is extended, not after.
Encryption at Rest: AES-256 (all stored documents)
Encryption in Transit: TLS 1.3 (all connections enforced)
AI Model Training: Never (your data stays yours)
SOC 2 Type II: In Audit (targeted Q4 2025)
01

Certifications & Regulatory Alignment

We operate with awareness that our customers, especially in financial services, healthcare, and government, are themselves subject to strict regulatory obligations. Our compliance roadmap reflects theirs, not just ours. We publish our current status honestly.

Standard | What It Covers | Relevance | Status
SOC 2 Type II | Security, availability, confidentiality & processing integrity of customer data | Required by most enterprise security teams before vendor approval | In Audit
ISO 27001 | International information security management standard | Globally recognized; often required by EU and multinational clients | Planned 2026
GDPR | EU data protection and privacy regulation | EU-based users or data subjects; DPAs available on request | Compliant
CCPA | California Consumer Privacy Act | Required for California-based enterprise customers | Compliant
GLBA Awareness | Financial data safeguards rule | Our financial services customers are GLBA-subject; our platform is designed not to conflict with their obligations | Aligned
HIPAA | Health data privacy and security rules | Relevant if healthcare orgs upload patient-adjacent data | Roadmap
FINRA / SEC | Financial industry regulatory obligations | We don't store regulated client records; we acknowledge our customers do and design accordingly | Acknowledged
02

How Your Data Is Protected at Every Layer

"Private by design" means nothing without specifics. Here is the exact technical implementation, from the moment a document leaves your browser to long-term storage and eventual deletion.

Encryption in Transit
All data between your browser and our servers uses TLS 1.3. Older versions (TLS 1.0, 1.1) are fully disabled. HSTS is enforced across all domains.
TLS 1.3 Enforced
Encryption at Rest
Every uploaded document, processed output, and derived embedding is stored with AES-256 encryption, including primary storage, backups, and replicated data.
AES-256
Key Management
Keys are managed via AWS KMS. Organization Intelligence customers may request customer-managed keys (CMK): your keys, your control.
AWS KMS + CMK Option
Infrastructure
We run on AWS (US-East and US-West regions) using FedRAMP-authorized infrastructure as the foundation for our security posture.
AWS US Regions
Vector DB Isolation
Document embeddings are stored in fully isolated, per-organization namespaces. There is no shared embedding space across customers. Cross-tenant leakage is architecturally prevented.
Fully Isolated Per Org
Data Residency
All customer data is processed and stored within the United States. Data does not transit through or reside in any non-US region. Enterprise customers may request specific region pinning.
US-Only by Default
03

What Happens When Your Documents Meet Our AI

For a product powered by AI, the AI data policy is the most consequential section of this page. We answer every question a CISO would ask, plainly and without legal hedging.

AI Usage Policy — Plain Language Answers

Is my data used to train AI models?
No. Never. Your uploaded documents, queries, and outputs are never used to train, fine-tune, or improve any AI model — ours or third-party. This is a hard contractual commitment.
Which AI models power AnalystEngine?
We use foundation models from Anthropic (Claude) and OpenAI (GPT-4). We maintain Data Processing Agreements with each. Full subprocessor list available on request.
Is my data sent to third-party AI APIs?
Yes — document context is passed to our AI providers for inference only, under zero-training-use agreements. Your data is used to generate your response, then discarded by the provider.
Are my prompts or outputs logged?
Queries and outputs are logged for audit trail purposes within your organization's account only. AnalystEngine staff cannot view them without explicit written consent from your admin.
Can I delete documents after processing?
Yes, immediately and verifiably. Deletion removes the source file, all derived embeddings, and cached outputs. Confirmed via audit log. Propagation time: under 60 seconds.
What happens to my data when I cancel?
All customer data (documents, embeddings, logs, and outputs) is deleted within 30 days of contract termination. A signed deletion certificate is available upon request.
04

Who Can Access What, and How

Enterprise data requires enterprise-grade access control. AnalystEngine supports the identity and access patterns that regulated organizations already use, not a proprietary system you have to learn.

Single Sign-On (SSO)
SAML 2.0 and OIDC supported. Integrates with Okta, Azure Active Directory, Google Workspace, and any compliant identity provider. SSO can be enforced org-wide on the Organization Intelligence plan.
SAML 2.0 / OIDC
Role-Based Access Control
Admins control who can upload documents, view outputs, manage integrations, and export data. Document-level confidentiality flags restrict sensitive uploads even from general team members.
Granular Permissions
Audit Logs
All uploads, deletions, queries, exports, and admin actions are logged with timestamp, user identity, and IP. Logs are retained 12 months, exportable as JSON or CSV, and tamper-evident.
12-Month Retention
Multi-Factor Authentication
MFA is mandatory for all accounts and cannot be disabled. TOTP (authenticator apps) and FIDO2/WebAuthn hardware keys are supported. SMS-based MFA is not offered due to SIM-swap risk.
Enforced — FIDO2 Supported
05

From Upload to Deletion

Your documents follow a defined, auditable lifecycle. Nothing persists longer than needed, and every stage is logged and verifiable.

Step 01
Upload & Encrypt
Document received over TLS 1.3, immediately encrypted with AES-256, stored in your isolated AWS S3 bucket. Upload logged with user identity, timestamp, file hash, and size.
Instant
Step 02
Processing & Embedding
Document processed by our AI pipeline. Embeddings generated and stored in your isolated namespace. LLM provider receives context for inference only; no retention by provider.
Isolated
Step 03
Active Use
Documents available for queries. All queries and outputs logged to your org's audit trail. AnalystEngine staff cannot read queries or outputs without explicit written authorization.
Staff Restricted
Step 04
On-Demand Deletion
Admin deletes document. Source file, all embeddings, and derived outputs purged within 60 seconds. Deletion confirmed in audit log. Data is not recoverable after deletion.
Irreversible
Step 05
Contract Termination
All remaining data scheduled for deletion within 30 days. Signed deletion certificate issued on request. Backups purged within the same window.
30-Day Purge
06

What Happens If Something Goes Wrong

Security incidents are not hypothetical. We have documented procedures for detection, containment, notification, and recovery, with committed timelines, not best-effort promises.

Breach Notification
In the event of a confirmed breach, we notify your designated security contact within 72 hours of confirmed discovery — consistent with GDPR and considered best practice globally.
72-Hour SLA
Penetration Testing
Annual third-party penetration testing by certified external security firms. Executive summaries of findings and remediation status are available to enterprise customers under NDA.
Annual External Pentest
Cyber Liability Insurance
AnalystEngine carries active cyber liability insurance. Policy details and coverage amounts are available to enterprise customers upon request as part of vendor security review processes.
Coverage Active
Vulnerability Disclosure
We operate a responsible disclosure program. We acknowledge within 48 hours and provide a resolution timeline within 7 days.
48-Hour Acknowledgment
Continuous Monitoring
Infrastructure monitored 24/7 using AWS GuardDuty, CloudTrail, and a SIEM solution. Anomaly detection alerts reviewed in real time. Uptime and incident history published on our status page.
24/7 Monitoring
Shared Responsibility
We publish a Shared Responsibility Model document defining what AnalystEngine secures vs. what your organization controls — modeled on the AWS shared responsibility framework.
Doc Available
07

Third Parties That Touch Your Data

Full transparency about every vendor that may process your data. No hidden dependencies. Changes to this list are communicated to customers 30 days in advance.

Vendor | Purpose | Data Shared | Location | Agreement
Amazon Web Services | Cloud infrastructure, storage, compute | All customer data (encrypted) | US-East / US-West | DPA Signed
Anthropic | AI inference (Claude) | Document context, inference only | United States | Zero-Retention
OpenAI | AI inference (GPT-4) | Document context, inference only | United States | Zero-Retention
Pinecone / Weaviate | Vector database (embeddings) | Document embeddings, per-org isolated | United States | DPA Signed
Stripe | Payment processing | Billing data only — no document access | United States | PCI DSS
08

Security Reviews, DPAs & Inquiries

Enterprise security reviews are a normal part of vendor onboarding. We welcome them. Reach the right team through the channel below.

Security Incidents & Vulnerabilities
PGP key available on request. 48-hour response SLA for all reports.
Privacy, GDPR & DPA Requests
Data Processing Agreements provided within 5 business days.
Enterprise Security Reviews
Questionnaires, SOC 2 reports (when available), pentest summaries.
security-review-documents.sh — available upon request
Security Overview PDF — architecture summary & controls
Data Processing Agreement (DPA) — GDPR / CCPA compliant
Subprocessor List — full vendor inventory
Shared Responsibility Model — AnalystEngine vs. customer obligations
SOC 2 Type II Report — available Q4 2025 (audit in progress)
Penetration Test Summary — available under NDA
Deletion Certificate Template — issued upon contract termination