Trust & Security
Netallion AI Assurance is built with enterprise security requirements at its foundation. We protect your data with the same rigor we help you apply to your own infrastructure.
Compliance Alignment
SOC 2 Aligned
Controls mapped to SOC 2 Type II trust service criteria. Audit evidence exportable from the platform.
HIPAA Aligned
PII/PHI detection, tamper-evident audit trails, and role-based access controls meet HIPAA security requirements.
PCI-DSS Aligned
Credit card number detection, encryption controls, and access logging aligned with PCI-DSS requirements.
GDPR Compatible
Data minimization (no raw secrets stored), comprehensive audit logs, and complete tenant isolation.
SOC 2 Type II Audit In Progress
Observation period starting June 2026. Report expected October 2026.
"Aligned" means Netallion AI Assurance implements controls mapped to the referenced framework. This is not a certification or attestation. See CONTROL_ALIGNMENT.md for full details.
Security Architecture
Encryption at Rest
All stored data encrypted with Fernet symmetric encryption. Database-level encryption for all tenant data.
Encryption in Transit
TLS 1.2+ enforced for all API and data connections. No plaintext data transmission.
Row-Level Security
PostgreSQL row-level security policies ensure complete tenant data separation at the database layer.
Zero Raw Secrets
Netallion AI Assurance never stores raw secret values. Only redacted representations, metadata, and finding details are persisted.
Tamper-Evident Audit
Hash-chain audit logging ensures complete integrity of all security records. Every action is recorded and verifiable.
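To make the "hash-chain audit logging" claim concrete, the following is an added illustration (my own code, not Netallion's implementation) of how an append-only log gains tamper evidence: each entry commits to the SHA-256 of the previous one, so editing, re-hashing or deleting a stored record breaks the chain at a detectable index. The genesis anchor, field names and sample actions are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical anchor value that the first entry chains to (an assumption of this example).
GENESIS_HASH = "0" * 64


@dataclass
class AuditEntry:
    seq: int
    actor: str
    action: str
    target: str
    prev_hash: str
    entry_hash: str = ""

    def canonical(self) -> bytes:
        # Canonical serialisation (sorted keys, no whitespace) so the digest is
        # reproducible regardless of how the row was stored or re-read.
        payload = {
            "seq": self.seq,
            "actor": self.actor,
            "action": self.action,
            "target": self.target,
            "prev_hash": self.prev_hash,
        }
        return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

    def compute_hash(self) -> str:
        return hashlib.sha256(self.canonical()).hexdigest()


class HashChainAuditLog:
    """Append-only log where every entry includes the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, actor: str, action: str, target: str) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = AuditEntry(seq=len(self.entries), actor=actor, action=action,
                           target=target, prev_hash=prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first broken entry."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            # Two checks per entry: it links to the right predecessor, and its
            # own stored digest still matches its contents.
            if e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return i
            prev = e.entry_hash
        return None


def build_sample_log() -> HashChainAuditLog:
    # Constructed sample actions; not real platform records.
    log = HashChainAuditLog()
    log.append("alice@example.test", "finding.view", "finding-1")
    log.append("bob@example.test", "finding.resolve", "finding-1")
    log.append("alice@example.test", "policy.update", "policy-default")
    return log


def demo_tamper_detection() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Show how three kinds of after-the-fact modification are caught."""
    log = build_sample_log()
    intact = log.verify()                                   # None: chain is consistent

    log.entries[1].action = "finding.ignore"                # silent edit of a stored row
    edited = log.verify()                                   # 1: row 1 no longer matches its digest

    log.entries[1].entry_hash = log.entries[1].compute_hash()  # editor also "repairs" the digest
    rehashed = log.verify()                                 # 2: row 2 still points at the old digest
    return intact, edited, rehashed


def demo_deletion_detection() -> Optional[int]:
    """Removing a middle record is caught because the successor's prev_hash no longer lines up."""
    log = build_sample_log()
    del log.entries[1]
    return log.verify()                                     # 1: the entry now at index 1 chains to a missing row


if __name__ == "__main__":
    print(demo_tamper_detection(), demo_deletion_detection())
```

Verification only proves the stored records are consistent with each other; to stop an attacker from rewriting the entire chain, the latest entry hash should also be anchored somewhere the database writer cannot modify (a signed checkpoint, a write-once store, or a periodic export such as the audit evidence mentioned above).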
Token Security
Redis-backed token blacklisting with TTL expiry. Single-use OIDC transaction store prevents replay attacks.
Data Flow Architecture
Your Infrastructure                          Netallion AI Assurance Platform
===========================                  ===========================

Azure Monitor Workspaces                     Detection Engine
[Logs] ─────────────────────────────>        [467 Patterns + BPE]
                                                    │
GitHub / GitLab Repos                               │
[PRs / MRs] ───────────────────────>         [Live Verification]
                                                    │
Collaboration Tools                                 │
[Slack, Teams, Jira] ──────────────>         [Finding Classification]
                                                    │
AI Prompts                                          │
[ChatGPT, Copilot Chat] ──────────>          [Policy Evaluation]
                                                    │
                                                    v
                                           ┌─────────────────┐
                                           │ Encrypted Store │
                                           │ (Redacted Only) │
                                           │ RLS per Tenant  │
                                           └────────┬────────┘
                                                    │
                                           ┌────────v────────┐
                                           │   Dashboard &   │
                                           │   Remediation   │
                                           │   (TLS 1.2+)    │
                                           └─────────────────┘

Data Handling
What we store
- Redacted secret representations (first/last 4 characters only)
- Finding metadata: type, location, severity, verification status
- Scan results and incident records
- User actions and audit trail entries
- Configuration and policy settings
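The "redacted secret representations (first/last 4 characters only)" item and the credit card number detection mentioned under PCI-DSS alignment describe one pipeline: detect, validate, then persist only a redacted value plus finding metadata. The following is an added example (my own code, not the platform's detector) of that pipeline using a Luhn check to cut false positives before a finding is recorded. The regex, severity label, field names and the two log lines are constructed for the example; the raw number never appears in the stored record.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (constructed pattern for this example).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str, keep: int = 4) -> str:
    """Keep only the first and last `keep` characters; mask everything between."""
    if len(value) <= 2 * keep:
        # Too short to expose any part without revealing most of the value.
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


@dataclass
class Finding:
    # Only these fields are persisted: type, location, severity, verification
    # status and the redacted representation. The raw value is never stored.
    finding_type: str
    location: str
    severity: str
    redacted_value: str
    verification_status: str


def scan_text(text: str, source_name: str) -> List[Finding]:
    """Scan input line by line and emit a Finding per Luhn-valid card number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):
                continue            # looks like a PAN but fails the checksum: not reported
            findings.append(Finding(
                finding_type="credit_card_number",
                location=f"{source_name}:{lineno}",
                severity="high",
                redacted_value=redact(digits),
                verification_status="unverified",
            ))
    return findings


# Constructed sample input. 4111 1111 1111 1111 is the widely published Visa
# test number (Luhn-valid); the id= value on line 2 fails the Luhn check.
SAMPLE_LOG = """\
2026-06-01T10:00:00Z payment-api card=4111 1111 1111 1111 status=declined
2026-06-01T10:00:01Z request id=1234567890123456 status=ok
"""


def sample_findings() -> List[Finding]:
    return scan_text(SAMPLE_LOG, "payments.log")


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

The persisted record keeps enough to triage (where, what type, how severe) and to let a human confirm which card is meant from its first and last four digits, while the full log line and the raw number stay in the customer's own systems, matching the "what we never store" list below.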
What we never store
- Raw secret values (keys, tokens, passwords)
- Full log contents from Azure Monitor
- Source code from repositories
- Full text of collaboration messages
- AI prompt content (only scan results)
Retention policies
- Starter: 30-day finding retention, 30-day audit logs
- Professional: 180-day finding retention, 90-day audit logs
- Enterprise: Configurable retention, unlimited audit logs with hash chain
- All data permanently deleted upon tenant removal request
- Backups follow the same retention schedule as primary data
Have security questions?
Our security team is available to discuss architecture, compliance, and data handling in detail.