Trust Center

Our Approach to Security

RadMah AI is built by engineers who believe security is an engineering discipline, not a marketing exercise. This page documents what we do, what we have in place, and where we are still working.

Security Architecture

AES-256 Encryption + TLS 1.3

All data at rest is AES-256 encrypted in AWS S3 and RDS. All API and inter-service communication runs over TLS 1.3 with HSTS enforced. Database connections are SSL-pinned.

Multi-Tenant Isolation

Every tenant operates in a logically isolated environment — separate database schemas, S3 key prefixes, and API key scoping. Row-level security enforced at every query.

Write-Only Secret Vault

Connector credentials, OAuth tokens, and API secrets follow a strict write-only pattern. Once written, a secret can only be rotated or deleted — never read back through any API.

Zero-Trust API

All API endpoints require authentication. No implicit trust between services. API keys carry granular scoped permissions. Rate limiting, WAF, and DDoS protection on all public surfaces.

BLAKE3 Evidence Chain

Every job produces a signed evidence bundle sealed with BLAKE3 cryptographic hashes. Modifying any artefact breaks the seal. The chain is independently verifiable without access to our infrastructure.

Deterministic Reproducibility

Every job is seeded by a generation contract. The same contract plus the same seed produces bit-for-bit identical output on any machine, at any future time — proved by the BLAKE3 determinism proof.

Security Practices

Secure Development Lifecycle

Code review on every change. Static analysis. Type-safe languages (Python with full type annotations, TypeScript strict mode, Rust for deterministic core). Strict linter settings.

Dependency Management

Automated dependency scanning. SBOM generation for every release. Pinned dependency versions with lock files. Known-vulnerability monitoring via automated auditing.

Fail-Closed Design

Authentication, authorisation, and rate limiting fail closed. If a security check cannot complete, the request is denied — never silently allowed.

Immutable Audit Logging

Every API call, job submission, and administrative action is logged with actor identity, timestamp, IP address, and tenant context. Audit logs are append-only and SIEM-ready.

Assurance & Compliance Status

We are transparent about where we are. RadMah AI is a production platform with genuine security engineering. We do not claim certifications we have not completed.

GDPR Data Subject Rights

✓In Place

Data export and deletion endpoints operational. Data Processing Addendum available on request. Right-to-erasure fulfilled within 72 hours. Privacy reports included in every evidence bundle.

Vulnerability Disclosure Policy

✓Published

Published with safe harbour. 48-hour acknowledgement commitment.Read the full policy →

SBOM & Signed Releases

✓In Place

SPDX Software Bill of Materials generated for every release. Release artifacts are cryptographically signed via CI/CD pipeline.

External Penetration Test

◔In Progress

Third-party engagement scoped for Q3 2026. Internal security testing performed continuously. Architecture documentation available under NDA for Enterprise customers.

SOC 2 Type II

○Planned

Readiness programme in planning. Controls are implemented; formal audit engagement will follow penetration testing completion.

Data Handling

Encryption at Rest

All stored data encrypted using AES-256. Database volumes, backups, and object storage use server-side encryption with AWS-managed keys.

Tenant Data Isolation

Each tenant has isolated storage prefixes, separate API key scopes, and row-level database security. Cross-tenant queries are structurally impossible.

What We Store

Account data, job metadata, evidence bundles, generated datasets (encrypted), and audit logs. Synthetic data is produced from statistical distributions — never copies of real records.

Data Retention & Deletion

Configurable retention periods (30, 90, 365 days). Right-to-erasure requests fulfilled within 72 hours per GDPR Article 17. Deletion events appear in the immutable audit trail.

Deployment Options

Managed Cloud

Multi-AZ AWS deployment. Automated provisioning and updates. Data residency options (US, EU).

Hybrid SDK

Lightweight SDK on your infrastructure — data never leaves. AI engines on RadMah AI cloud. Enterprise plan.

Air-Gapped

Full on-premise deployment for classified networks. No external dependencies. FedRAMP / ITAR compatible.

Customer Security Reviews

Enterprise customers can request architecture documentation, security questionnaires (CAIQ, SIG), and technical discussions with our engineering team under NDA.

security@radmah.ai