Resilient Cloud Architecture
Production workloads run on hardened cloud-native infrastructure with multi-zone deployment, encrypted storage, and tightly scoped administrative access.
An overview of how ProfytAI protects customer compliance artifacts, regulatory obligations, and audit evidence. This page summarizes the security controls, processes, and assurance practices we maintain across our platform. Detailed materials are available to qualified reviewers under NDA.
Last reviewed: May 2026
Documented controls across CC1-CC9.SOC 2 Type I scope: Security (one of five AICPA categories).
Internal DAST engagement.
Defense-in-Depth Architecture
ProfytAI's production environment uses cloud-native infrastructure
with network segmentation, environment segregation, encrypted storage,
managed key lifecycle, and recoverable backup. Each layer limits
blast radius under failure or compromise.
Production workloads run on hardened cloud-native infrastructure with multi-zone deployment, encrypted storage, and tightly scoped administrative access.
Public ingress is isolated from protected application and data tiers. Sensitive endpoints sit behind authentication, authorization, and continuous traffic inspection.
Production and non-production environments are logically separated to contain cross-environment risk and support controlled evidence handling.
Backups are encrypted with managed key controls, retained against documented policy, replicated cross-region, with documented recovery procedures aligned to business continuity requirements.
Hosting and Data Residency
Multi-zone resilient production deployment with cross-region disaster recovery. Specific region and provider details are documented under NDA during vendor due diligence. Customer data does not leave the contracted jurisdiction without explicit authorization.
Resilience
Multi-zone redundant deployment with encrypted backup coverage and documented recovery procedures aligned to business continuity requirements.
Environment Segregation
Logically separated production and non-production environments with controlled administrative access and reviewed change paths.
Network Controls
Restricted public ingress, segmented internal services, network flow logging, and centralized log collection.
Backup Protection
AES-256 encrypted backups with documented retention, point-in-time recovery, and documented restoration procedures.
| Component | Security Posture |
|---|---|
| Hosting and Data Residency | Multi-zone resilient production deployment with cross-region disaster recovery. Specific region and provider details are documented under NDA during vendor due diligence. Customer data does not leave the contracted jurisdiction without explicit authorization. |
| Resilience | Multi-zone redundant deployment with encrypted backup coverage and documented recovery procedures aligned to business continuity requirements. |
| Environment Segregation | Logically separated production and non-production environments with controlled administrative access and reviewed change paths. |
| Network Controls | Restricted public ingress, segmented internal services, network flow logging, and centralized log collection. |
| Backup Protection | AES-256 encrypted backups with documented retention, point-in-time recovery, and documented restoration procedures. |
Encryption and Key Management
ProfytAI applies industry-standard cryptographic primitives across data at rest, data in transit, key lifecycle management, and transport-layer hardening.
Customer data, backups, and platform storage are encrypted at rest using AES-256 with managed key lifecycle controls.
Client and service communications use TLS 1.2 or higher, with TLS 1.3 supported. HTTP requests are 301-redirected to HTTPS at the edge, and HSTS is preload-eligible and submitted to the Chrome preload list.
SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are not offered. The public web tier holds an A+ grade from Qualys SSL Labs across all CloudFront edge nodes (assessed May 2026).
Compliance and Assurance
ProfytAI's control environment is organized against the
AICPA Trust Services Criteria for Security.
Twenty-two documented controls are mapped to the
Common Criteria CC1 through CC9 and organized for
future cross-walk to ISO/IEC 27001:2022 Annex A.
Documented controls are organized against the AICPA Trust Services Criteria for Security (TSP Section 100, Common Criteria CC1 through CC9), covering governance, access, change management, system operations, monitoring, and risk mitigation.
Customer data safeguards are documented around ownership, confidentiality, least-privilege use, encrypted handling, and controlled evidence release.
Monitoring, incident handling, continuity planning, and vulnerability workflows support secure operation of the customer-facing platform.
Identity, Access and Secure SDLC
Workforce access follows the principle of least privilege under enforced multi-factor authentication, group-based authorization, and centralized audit logging. Product delivery runs through peer review, automated pre-merge quality gates,
and continuous secrets scanning.
Every change to the production branch requires peer review and approval before merge, with branch protection enforced at the source-control layer.
Build, static type checking, lint, and the regression test suite run automatically before any change can reach production. Failed gates block the merge.
Branch protection on production, release, and hotfix branches blocks force pushes and requires pull-request approval. Conventional-commit format and release notes preserve a structured change history for change traceability and incident reconstruction during audit.
Secrets are scanned pre-commit and continuously in source. Production deploys are operated by named, authorized engineering personnel only.
AI Governance
ProfytAI separates regulatory extraction from interpretation. The extraction stage runs without any LLM involvement so its output is byte-identical on re-execution. The interpretation stage only sees public regulatory text and is always anchored to the source paragraph. Material compliance decisions stay with
the customer's compliance team.
Regulatory obligations are extracted verbatim from source documents using deterministic code. Exact wording is preserved with machine-readable document-path identifiers, and re-execution produces byte-identical output that regulators can verify independently.
Interpretation and structuring run against already-extracted public regulatory text only. Every downstream artifact carries a permanent source anchor back to the verbatim source paragraph, and model output is flagged for human review.
Material compliance decisions are reviewed and approved by the customer's compliance team. ProfytAI does not auto-publish, auto-attest, or auto-submit to any regulator.
Customer restricted data is never sent to the LLM. Only already-extracted public regulatory text and structured prompts reach the model. This is an architectural property, not a policy.
The LLM provider is contractually prohibited from training on data sent via the API. Model versions are pinned to specific releases and upgrades follow documented regression testing.
Continuous Monitoring and Threat Detection
ProfytAI operates continuous security monitoring across the platform. Threat telemetry, business continuity awareness, and vulnerability management procedures support secure operation of the customer-facing platform.
Cloud-native anomaly-detection signals trigger alerts that feed into our incident response process.
Operational continuity planning, multi-zone resilience, and cross-region backup support service resilience and recovery coordination.
Security findings are triaged, prioritized, and tracked to remediation through a documented risk-based workflow.
Assurance Evidence and Disclosure
Security overview, SOC 2 readiness materials, internal assessment summaries, and data-protection documents are released to qualified reviewers under appropriate confidentiality controls. Security concerns are handled through coordinated vulnerability disclosure per RFC 9116.
Assurance Evidence
Summary of governance, encryption, access management, monitoring, and operational resilience controls.
Readiness evidence mapped to the AICPA Trust Services Criteria for Security, including documented control coverage.
Internal automated DAST findings from the public web surface, provided to qualified reviewers under NDA without exposing non-public test material.
Customer-data handling, encryption, retention, ownership, confidentiality, and processing commitments.
Coordinated Vulnerability Disclosure
Coordinated through RFC 9116 and the ProfytAI security channel. Out-of-scope activity includes denial-of-service testing, phishing, credential attacks, and any attempt to access customer or third-party data.
Customers and partners route security concerns through their established ProfytAI support or security-review channel. Automated scanners follow the published security contact discovery file.
Reports include enough detail to reproduce and triage the concern without exposing confidential data in public forums or non-secure channels.
ProfytAI will not pursue legal action against security researchers acting in good faith under this policy. Stay within scope, avoid privacy violations and service disruption, and give us a reasonable window to remediate before public disclosure.
We acknowledge eligible reports within 5 business days and provide status updates at least every 14 days until the issue is resolved.