
Security & Trust

Security underpins AISafe. When you use an AI-powered tool to audit your source code and test your applications, you need to trust that the platform protects your data, that the AI agents cannot cause harm, and that the platform itself stays secure.

This page describes how the platform isolates agent execution in sandboxes and how it handles your source code and data throughout the assessment lifecycle. Email [email protected] for information not covered here.

Key principles

  • Isolation by default: all AI agent execution happens in isolated sandboxes with controlled network egress. Agents cannot reach unintended services or exfiltrate data.
  • No persistent credential storage: source access tokens expire within a short window, are scoped to a single repository, and are never written to disk.
  • Tenant isolation: the platform scopes your data to your organization. Cross-organization access returns 404 to prevent information leakage.
  • Strict input validation: all API requests reject unknown fields, preventing injection of server-managed values.
  • No model training on your data: AISafe does not use your source code, findings, or assessment data to train AI models. The platform uses LLM providers for inference only.
  • Audit trail: the platform records key actions (assessment creation, finding triage, member changes, integration configuration) in an append-only audit log accessible to organization admins. Organizations with audit-chain integrity enabled can verify the retained trail against a tamper-evident per-organization hash chain; retention purges are sealed with signed checkpoints.

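As an added illustration of the audit-chain mechanism named in the audit-trail principle above (example code written for this page, not AISafe's implementation): each entry commits to its predecessor's hash, a retention purge seals the last purged hash in a signed checkpoint, and verification restarts from that checkpoint, so edits, deletions and forged checkpoints are all detected. The HMAC signing scheme, the checkpoint key and the entry fields are assumptions.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
# Constructed demo key: HMAC stands in for the platform's real checkpoint signing scheme (assumption).
CHECKPOINT_KEY = b"constructed-demo-checkpoint-key"

def _canon(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()  # byte-stable hash input

def entry_hash(prev_hash: str, body: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + b"|" + _canon(body)).hexdigest()  # commits to predecessor

def _sign(cp: dict) -> str:
    return hmac.new(CHECKPOINT_KEY, _canon({k: cp[k] for k in ("org", "through", "head")}), "sha256").hexdigest()

def _anchor(log: dict):
    # Where the next entry links: last retained entry, else the sealed checkpoint, else genesis.
    if log["entries"]:
        return log["entries"][-1]["hash"], log["entries"][-1]["seq"] + 1
    if log["checkpoint"]:
        return log["checkpoint"]["head"], log["checkpoint"]["through"] + 1
    return GENESIS, 0

def append(log: dict, action: str, actor: str) -> dict:
    prev, seq = _anchor(log)
    body = {"seq": seq, "org": log["org"], "action": action, "actor": actor}
    entry = dict(body, hash=entry_hash(prev, body))
    log["entries"].append(entry)
    return entry

def purge(log: dict, keep_from: int) -> dict:
    # Retention purge: drop entries below keep_from and seal the last purged hash in a signed checkpoint.
    purged = [e for e in log["entries"] if e["seq"] < keep_from]
    if purged:
        cp = {"org": log["org"], "through": purged[-1]["seq"], "head": purged[-1]["hash"]}
        log["checkpoint"] = dict(cp, sig=_sign(cp))
        log["entries"] = [e for e in log["entries"] if e["seq"] >= keep_from]
    return log

def verify(log: dict) -> bool:
    cp = log["checkpoint"]
    if cp and (cp["org"] != log["org"] or not hmac.compare_digest(_sign(cp), cp["sig"])):
        return False  # forged or foreign checkpoint
    prev, seq = (cp["head"], cp["through"] + 1) if cp else (GENESIS, 0)
    for e in log["entries"]:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != seq or e["org"] != log["org"] or entry_hash(prev, body) != e["hash"]:
            return False  # edited, reordered, deleted or cross-tenant entry
        prev, seq = e["hash"], seq + 1
    return True
```

A log is a dict of the form {"org": ..., "checkpoint": None, "entries": []}; call append, purge and verify on it.
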
Compliance & certifications

AISafe is building toward industry-standard compliance frameworks. The programs below are in progress. Contact us for the current status of any item before relying on it in a procurement review.

  • SOC 2 Type II: in progress. Reach out to request the latest status or a trust-center walkthrough.
  • GDPR: we support standard data processing terms and EU data residency. Contact us for a DPA.
  • HIPAA-ready: the architecture supports HIPAA-aligned workloads. Contact us to discuss a BAA and configuration for regulated data.

We update this page as each program reaches completion. Do not assume a certification is active unless we list it as completed here.

If you need a specific attestation, questionnaire response, or vendor risk assessment, email [email protected] and we will route it to the right team. We maintain an up-to-date security questionnaire package and can schedule a live review with our security team on request.

Data residency

The platform processes your data in European Union regions. Source code you upload for a code audit stays encrypted at rest until the retention period configured for your organization expires, at which point the platform deletes it. Assessment artifacts (findings, reports, traces) follow the same retention and deletion policy. You can request early deletion of specific assessments at any time from the dashboard or via the API.

Encryption applies both in transit (TLS 1.2+ for all connections) and at rest. Under the principle of least privilege, the platform restricts data access to authorized personnel and logs all access for review.

The platform encrypts operational recovery backups and holds them within the same EU region. Backup retention follows the deletion policy described above.

If your organization has specific residency requirements beyond the default EU processing region, contact [email protected] to discuss available options before you begin uploading sensitive data.

For details on how source code and assessment data move through the platform, see Data handling.

Responsible AI

AISafe uses large language models for inference only. We do not train, fine-tune, or improve models on your source code, findings, or assessment data. No model, ours or our providers', trains on your content.

The platform logs each action an AI agent takes during an assessment and makes it auditable. You can review the full step-by-step trace of each agent run, including tool calls, inputs, outputs, and decisions, from the assessment detail view or the research trace visualizer. Organization admins can export these traces for compliance review or incident investigation.

The sandbox environment constrains agent behavior: the platform controls network egress, scopes file system access, and validates tool invocations before execution. Agents cannot escalate privileges or access credentials belonging to other tenants.

If you need to verify the inference-only commitment as part of a vendor review, request a written attestation from [email protected].

For details on how the platform constrains agent execution, see Sandbox isolation.

Disclosure & vulnerability reporting

If you believe you have found a security vulnerability in AISafe, report it to [email protected]. Include enough detail to reproduce the issue: affected endpoint, steps, and any proof-of-concept. We acknowledge reports and coordinate disclosure timing.

Do not disclose suspected vulnerabilities before we investigate and remediate. We operate a coordinated disclosure process and credit researchers who report valid issues.

Include the following in your report where possible:

  • A description of the issue and its potential impact.
  • The affected product area (API, dashboard, agent execution, integrations).
  • Step-by-step reproduction instructions or a proof-of-concept.
  • Any relevant timestamps, request identifiers, or account identifiers.

We triage incoming reports within one business day and provide a timeline for remediation once we confirm the issue. We prioritize critical issues and remediate them in an expedited release cycle.

For security questions about architecture, access controls, or integration security, email [email protected] and we will route your inquiry to the right team.
