Ishtar AI is built with security and compliance at the foundation. This page provides detailed information about our security practices, data handling, and compliance posture for enterprise procurement and security teams.

Data Handling Model

Data Ingestion

We process structured and unstructured data including:

  • Document repositories (PDFs, Word docs, markdown)
  • Knowledge bases and wikis
  • Structured data (databases, APIs)
  • Conversational data (chat logs, emails)

All data ingestion is performed through secure, authenticated APIs with audit logging.

Data Flow

Data flows through our systems with clear boundaries:

  • Ingestion → Encrypted storage → Processing → Output (with citations)
  • Customer data is isolated per tenant
  • No cross-tenant data access
  • All data movements are logged and auditable

Storage

  • Primary Storage: Encrypted cloud storage (AWS S3, Azure Blob) with customer-specified regions
  • Vector Databases: Tenant-isolated vector stores with encryption at rest
  • Metadata: Encrypted relational databases with regular backups

Retention Periods

  • Active Data: Retained for the duration of the engagement
  • Backup Data: Retained for 30 days after contract termination
  • Audit Logs: Retained for 7 years (or per customer requirement)
  • Processing Data: Deleted immediately after processing completion

Deletion & Exit

Upon contract termination or customer request:

  • All customer data is deleted within 30 days
  • Certified deletion process with confirmation
  • Data export available in standard formats (JSON, CSV)
  • No data retention beyond contractual obligations

Encryption & Key Management

Encryption at Rest

  • Algorithm: AES-256 encryption
  • Key Management: Cloud KMS (AWS KMS, Azure Key Vault) with automatic key rotation
  • Database Encryption: All databases encrypted with customer-managed keys where possible
  • File Storage: Server-side encryption (SSE) with customer-controlled keys

Encryption in Transit

  • TLS Version: TLS 1.3+ for all connections
  • Certificate Management: Automated certificate rotation via Let's Encrypt or enterprise CA
  • API Security: All APIs require TLS with certificate pinning for mobile clients
  • Internal Traffic: Encrypted within VPC/VNet boundaries

Key Management

  • Keys stored in Hardware Security Modules (HSM) or cloud KMS
  • Automatic key rotation every 90 days
  • Key access requires multi-factor authentication
  • Key usage is logged and audited

Access Controls

Single Sign-On (SSO)

  • SAML 2.0: Full support for SAML-based SSO
  • OIDC: OpenID Connect support for modern identity providers
  • Providers Supported: Okta, Azure AD, Google Workspace, Auth0, and others
  • SCIM: User provisioning and deprovisioning support

Role-Based Access Control (RBAC)

  • Granular role definitions (Admin, User, Viewer, Auditor)
  • Custom roles supported for enterprise customers
  • Permission inheritance and delegation
  • Source-level entitlements for RAG copilots

Attribute-Based Access Control (ABAC)

  • Policy-based access control using user attributes
  • Dynamic permission evaluation
  • Integration with enterprise identity systems

Least Privilege Principles

  • Default deny access model
  • Just-in-time access provisioning
  • Regular access reviews and recertification
  • Privileged access management for administrative functions

Audit Logging

  • Logged Events: All authentication, authorization, data access, configuration changes
  • Log Retention: 7 years (configurable per customer)
  • Log Format: Structured JSON logs with tamper-proof storage
  • Access: Real-time log streaming and search capabilities

Deployment Options

SaaS (Multi-Tenant)

  • Fully managed cloud deployment
  • Tenant isolation at application and database levels
  • Data encryption per tenant
  • Region selection available (US, EU, Asia-Pacific)

VPC Deployment

  • Dedicated infrastructure in customer's VPC
  • Private networking with VPN or Direct Connect
  • Customer-managed encryption keys
  • Full network isolation

On-Premise Patterns

  • Containerized deployment (Docker, Kubernetes)
  • Air-gapped environments supported
  • Customer-managed infrastructure
  • Regular security updates and patches

SDLC Practices

Code Review Process

  • All code changes require peer review
  • Security-focused code review checklist
  • Automated security scanning in CI/CD pipeline
  • No direct commits to main branch

Dependency Scanning

  • Tools: Snyk, Dependabot, OWASP Dependency-Check
  • Frequency: Continuous scanning on every build
  • Action: Automated blocking of vulnerable dependencies
  • Reporting: Regular vulnerability reports to security team

Secrets Management

  • No secrets in code repositories
  • Secrets stored in secure vaults (HashiCorp Vault, AWS Secrets Manager)
  • Automatic secret rotation
  • Secrets accessed via secure APIs only

Security Testing

  • SAST: Static Application Security Testing (SonarQube, Checkmarx)
  • DAST: Dynamic Application Security Testing (OWASP ZAP, Burp Suite)
  • Penetration Testing: Annual third-party penetration tests
  • Bug Bounty: Responsible disclosure program

Incident Response

Security Contact

Email: security@ishtar-ai.com

Response Time: Initial response within 4 hours for critical issues

Response Timelines

  • Critical: Initial response within 4 hours, resolution within 24 hours
  • High: Initial response within 8 hours, resolution within 72 hours
  • Medium: Initial response within 24 hours, resolution within 7 days
  • Low: Initial response within 48 hours, resolution within 30 days

Customer Notification

  • Immediate notification for any security incident affecting customer data
  • Regular status updates throughout incident resolution
  • Post-incident report within 30 days

Post-Incident Reporting

  • Detailed incident report with root cause analysis
  • Remediation steps taken
  • Preventive measures implemented
  • Lessons learned and process improvements

Vendor & Subprocessor Posture

Current Subprocessors

| Subprocessor | Purpose | Data Types |
|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure and hosting | Application data, logs, backups |
| Azure (Microsoft) | Cloud infrastructure (alternative deployment) | Application data, logs, backups |
| Calendly | Meeting scheduling | Contact information, meeting metadata |

Data Processing Agreements

All subprocessors are bound by Data Processing Addendums (DPAs) that meet GDPR and other regulatory requirements. We maintain a current list of subprocessors and notify customers of any changes with 30 days' advance notice.

Notification Process

  • 30 days' advance notice for new subprocessors
  • Email notification to designated security contacts
  • Opportunity to object (with reasonable grounds)

Compliance Frameworks

SOC 2-Aligned Controls

Ishtar AI implements security controls aligned with SOC 2 Type II requirements, including:

  • Access controls and authentication
  • System monitoring and logging
  • Change management processes
  • Vendor management
  • Incident response procedures

Note: We maintain SOC 2-aligned controls and can support customers with their SOC 2 requirements. Formal SOC 2 Type II certification is in progress.

GDPR Compliance

  • Data Processing Addendum (DPA) available upon request
  • Right to access, rectification, erasure, and portability
  • Data breach notification procedures
  • Privacy by design principles
  • Records of processing activities

Industry-Specific Considerations

  • Privacy & data protection: Support for GDPR/CCPA-aligned practices and enterprise data governance requirements
  • Healthcare: HIPAA-oriented data handling patterns (BAA-supported engagements where applicable)
  • Media & advertising: Disclosure workflows, provenance tracking, and auditability for synthetic media and content review
  • Enterprise governance: SOC 2-aligned controls, logging, retention, and access control patterns

Questions About Security?

For detailed security documentation, DPAs, or security questionnaires, please contact our security team.