Security & Trust
How we handle data, secrets, and AI workloads in regulated environments.
Data handling
Customer data never leaves the customer tenant unless a specific integration requires it, and then only under a signed data processing agreement. Inference traffic to Claude is routed through the customer's cloud account where possible. We apply zero-data-retention patterns on the inference plane and keep prompt/response logs inside the tenant.
Secrets and keys
API keys, service accounts, and database credentials live in the customer's KMS or secret manager. No long-lived credentials are stored on engineer laptops. Access is short-lived, scoped, and auditable.
AI-specific controls
Every Claude call in production passes through an audit proxy that redacts PII before the prompt leaves the tenant, records tool inputs and outputs, and enforces rate, cost, and allowlist policies. Tool-use surfaces are allowlisted per integration; Claude cannot reach systems not declared in the contract.
Compliance posture
We work inside client compliance regimes — including Kazakhstan's information-security requirements for financial and government systems. We are building internal processes aligned with ISO 27001 and SOC 2; current posture and any roadmap items are shared under NDA.
Incident response
We maintain an on-call rotation for production workloads we operate. Security findings are triaged within one business day; severity-1 issues follow an accelerated path with customer notification windows aligned to the applicable regulation.