Security
Your data stays in your AWS account with enterprise-grade protection.
Data Isolation
Each organization gets completely isolated infrastructure:
- Separate VPC
- Separate databases (RDS, ElastiCache)
- Separate encryption keys (KMS)
- Separate compute (EKS cluster)
Data Residency
| Data | Location |
|---|---|
| Documents | Your S3 |
| Conversations | Your RDS |
| Embeddings | Your OpenSearch |
| MCP credentials | Your Secrets Manager |
The Control Plane stores only user emails and org settings.
Encryption
| Layer | Method |
|---|---|
| At rest | AES-256 via KMS |
| In transit | TLS |
Authentication
- SSO: Okta, Google Workspace
- MFA: TOTP (Google Authenticator, etc.)
- Sessions: JWT with configurable expiry
- API: Bearer tokens with scoped permissions
Network Security
- All data resources in private subnets
- No inbound internet access required
- NAT Gateway for outbound only
- Outbound HTTPS only to CorpAI Control Plane
Compliance
Self-hosted deployment supports:
- HIPAA - PHI stays in your account
- GDPR - EU data residency
- SOC 2 - Inherits your AWS controls