Security and trust

    Enterprise security for governed AI data

    DataInbox runs as managed SaaS, in your own cloud, or fully self-hosted. Every event, rule, and AI action is encrypted, scoped to least privilege, and recorded in an immutable audit log.

    Deployment models

    • ·SaaS in EU (Frankfurt) or US (Virginia) regions, pick at signup.
    • ·Private Cloud in your AWS, Azure, or GCP account, managed by DataInbox.
    • ·Self-hosted on Kubernetes for full data residency and air-gapped deployments.

    Encryption

    • ·TLS 1.3 for every connection, in transit.
    • ·AES-256 at rest for events, schemas, and audit logs.
    • ·Customer-managed KMS keys (BYOK) on Private Cloud and Self-hosted.
    • ·Field-level encryption for personal and financial data, keyed per tenant.

    Identity and access

    • ·SSO via SAML 2.0 and OIDC (Okta, Azure AD, Google Workspace, Ping).
    • ·SCIM 2.0 for automated user provisioning and deprovisioning.
    • ·Role-based access control with least-privilege defaults.
    • ·Per-source and per-schema access scopes for AI agents and humans.

    Audit logging

    • ·Immutable, append-only audit log for every event, rule fire, agent proposal, human approval, and override.
    • ·Hash-chained entries with optional WORM storage export to S3 Object Lock.
    • ·Streamed to your SIEM (Splunk, Datadog, Elastic, Chronicle) in real time.
    • ·Retained 7 years by default, configurable per tenant.

    Data residency and sovereignty

    • ·Pick the region at tenant creation, data never leaves it.
    • ·No AI provider trains on customer data, ever, by contract and by routing.
    • ·Sub-processor list published and notified before any change.

    Compliance posture

    • ·EU AI Act aligned: traceability, human oversight, risk classification.
    • ·GDPR: lawful basis tracking, DSAR tooling, data minimization at ingest.
    • ·SOC 2 Type II in progress, ISO 27001 on the 2026 roadmap.
    • ·HIPAA-ready deployment available for Private Cloud and Self-hosted.

    Security FAQ

    How is DataInbox deployed?

    Three options: managed SaaS in EU or US regions, Private Cloud inside your own AWS/Azure/GCP account, or self-hosted on Kubernetes. Self-hosted and Private Cloud keep all data inside your perimeter.

    How is data encrypted?

    TLS 1.3 in transit, AES-256 at rest. Private Cloud and self-hosted deployments support customer-managed KMS keys (BYOK) and field-level encryption for personal and financial data.

    What does the audit log contain?

    Every event ingested, every rule evaluation, every AI agent proposal, every human approval or override. Entries are append-only, hash-chained, and can be exported to S3 Object Lock and streamed to Splunk, Datadog, Elastic, or Chronicle.

    Does DataInbox support SSO and SCIM?

    Yes. SAML 2.0 and OIDC SSO with Okta, Azure AD, Google Workspace, and Ping. SCIM 2.0 handles user provisioning and deprovisioning automatically.

    Is DataInbox SOC 2 and GDPR compliant?

    DataInbox is GDPR compliant by design, with EU data residency, DSAR tooling, and contractual no-training guarantees from AI providers. SOC 2 Type II is in progress, ISO 27001 is on the 2026 roadmap.

    Can my data be used to train AI models?

    No. AI provider contracts and routing both prevent any customer data from being used for model training. This applies to OpenAI, Anthropic, Google, Mistral, and all other supported providers.

    Need a security review or DPA?

    We share architecture diagrams, sub-processor lists, pen test summaries, and DPA on request.