Security & Compliance

Achiral AI is a privacy-first AI platform for businesses with enterprise-grade, self-hosted, secure infrastructure. Enterprise-grade security and compliance features for Achiral Chiro AI instances include data isolation, compliance certifications, and granular access controls.

Overview

Achiral Chiro instances include:

  • Data Isolation: Multi-tenant logical isolation with optional pod isolation for dedicated plans
  • Encryption: End-to-end encryption for data at rest and in transit
  • Compliance: SOC 2 Type II, HIPAA, GDPR, and ISO 27001 certifications (in progress)
  • Access Control: Role-based access control (RBAC) and SSO integration
  • Network Security: VPC deployment (Dedicated plan), private endpoints, and IP allowlisting
  • Audit Logging: Complete audit trails for all operations

Data Isolation

Logical Isolation (Default)

By default, all organizations use a shared vLLM inference backend with logical tenant isolation:

  • Weaviate Tenants: Dedicated Weaviate tenant per organization for vector storage
  • Quota Enforcement: Redis-based rate limiting and quota tracking per tenant
  • Request Isolation: Tenant ID passed in request headers for isolation
  • Data Separation: Training data, embeddings, and models logically isolated by tenant ID

Pod Isolation (Dedicated Plan)

Organizations on the Dedicated plan or meeting Elite triggers automatically receive pod isolation:

  • Dedicated vLLM Pod: Kubernetes pod dedicated to your organization
  • Dedicated GPU Resources: GPU allocation exclusively for your workloads
  • Isolated Namespace: Separate Kubernetes namespace with network policies
  • Dedicated Weaviate Instance: Optional dedicated Weaviate deployment

┌─────────────────────────────────────────┐
│         Achiral Infrastructure          │
├─────────────────────────────────────────┤
│  Shared vLLM       │  Dedicated Pods    │
│  ┌──────────┐      │  ┌──────────┐      │
│  │ Tenant A │      │  │  Org X   │      │
│  │ Tenant B │      │  │   Pod    │      │
│  │ Tenant C │      │  │ Isolated │      │
│  └──────────┘      │  └──────────┘      │
└─────────────────────────────────────────┘

Data Boundaries

  • Models: LoRA adapters stored separately per organization
  • Training Data: Training datasets isolated by tenant ID
  • API Keys: Scoped to individual organizations
  • Embeddings: Vector data isolated in dedicated Weaviate tenants
  • Logs: Separate log streams per organization

Encryption

Data at Rest

All data is encrypted using AES-256:

  • Models: Encrypted model weights and configurations
  • Training Data: Encrypted datasets and checkpoints
  • Logs: Encrypted audit logs and metrics
  • Backups: Encrypted snapshots and backups
  • Configuration: Encrypted environment variables and secrets

Key Management:

  • Achiral-managed keys by default
  • Customer-managed keys (BYOK) available on Dedicated plan
  • Key rotation every 90 days
  • Hardware Security Module (HSM) backed

Data in Transit

All network traffic is encrypted:

  • TLS 1.3: For all API endpoints
  • Perfect Forward Secrecy: Ephemeral key exchange
  • Strong Ciphers: Modern cipher suites only
  • Certificate Pinning: Available for mobile/desktop clients

Encryption Configuration

# Enable customer-managed encryption keys
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/encryption \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "key_management": "customer",
    "kms_key_id": "arn:aws:kms:us-east-1:123456789012:key/...",
    "rotation_days": 90
  }'

SOC 2 Compliance

Achiral is SOC 2 Type II certified.

Trust Service Criteria

  • Security: Logical and physical access controls
  • Availability: 99.9% uptime SLA
  • Processing Integrity: Data accuracy and completeness
  • Confidentiality: Data protection and encryption
  • Privacy: GDPR and privacy controls

Compliance Controls

Control | Description | Implementation
Access Control | RBAC and MFA | SSO, API keys, role permissions
Data Encryption | At rest and in transit | AES-256, TLS 1.3
Change Management | Controlled deployments | CI/CD, approvals, rollback
Incident Response | 24/7 monitoring | Automated alerts, on-call team
Audit Logging | Complete audit trail | Immutable logs, retention
Vendor Management | Third-party security | Regular assessments

Audit Reports

SOC 2 Type II reports available to customers:

  1. Navigate to Settings → Compliance
  2. Click Download SOC 2 Report
  3. Verify with auditor: Deloitte

Or request via email: compliance@achiral.ai

HIPAA Compliance

Achiral is HIPAA compliant and offers Business Associate Agreements (BAA).

HIPAA Safeguards

Administrative Safeguards:

  • Security management process
  • Workforce security training
  • Information access management
  • Security awareness and training

Physical Safeguards:

  • Facility access controls
  • Workstation security
  • Device and media controls

Technical Safeguards:

  • Access control (unique user IDs, automatic logoff)
  • Audit controls (logging and monitoring)
  • Integrity controls (data validation)
  • Transmission security (encryption)

Enabling HIPAA Mode

curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/compliance \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "hipaa_enabled": true,
    "phi_encryption": "customer_managed",
    "audit_retention_days": 2555,
    "access_logging": "verbose"
  }'

BAA Execution

  1. Contact sales@achiral.ai to request BAA
  2. Review and sign the agreement
  3. Enable HIPAA mode on your Chiro instance
  4. Configure PHI-specific encryption settings

HIPAA Best Practices

  • Minimum Necessary: Access only required PHI
  • De-identification: Remove PHI when possible
  • Audit Logs: Regular review of access logs
  • Training: Ensure team is HIPAA trained
  • Incident Response: Report breaches within 60 days

VPC Deployment

Private Cloud Deployment

Deploy Chiro instances in your Virtual Private Cloud (Dedicated plan only):

Supported Providers:

  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)
  • Microsoft Azure

AWS VPC Setup

# Create VPC deployment
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/deploy-vpc \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "aws",
    "region": "us-east-1",
    "vpc_id": "vpc-0123456789abcdef0",
    "subnet_ids": ["subnet-abc123", "subnet-def456"],
    "security_group_ids": ["sg-xyz789"],
    "instance_type": "d256",
    "encryption": {
      "kms_key_id": "arn:aws:kms:..."
    }
  }'

VPC Architecture

┌────────────────────────────────────────┐
│              Your AWS VPC              │
│                                        │
│  ┌──────────────────────────────────┐  │
│  │  Private Subnet (10.0.1.0/24)    │  │
│  │                                  │  │
│  │    ┌──────────────────────────┐  │  │
│  │    │ Achiral Chiro Instance   │  │  │
│  │    │ Private IP: 10.0.1.10    │  │  │
│  │    │ No Public IP             │  │  │
│  │    └──────────────────────────┘  │  │
│  │                                  │  │
│  │  Security Group: Your Control    │  │
│  └──────────────────────────────────┘  │
│                                        │
│  VPC Endpoint → Your Apps              │
└────────────────────────────────────────┘

VPC Benefits

  • No Public Internet: Traffic stays within your VPC
  • Your Network Rules: Complete control over security groups
  • Compliance: Meets strictest regulatory requirements
  • Lower Latency: Direct connection to your applications

Access Control

Role-Based Access Control (RBAC)

Predefined Roles:

Role | Permissions | Use Case
Owner | Full access | Organization admin
Admin | Manage instances, users | Team lead
Developer | Deploy, train, inference | Development team
Viewer | Read-only access | Auditors, stakeholders
Billing | View and manage billing | Finance team

Custom Roles

# Create custom role
client.roles.create(
    name="ML Engineer",
    permissions=[
        "inference:read",
        "inference:write",
        "training:read",
        "training:write",
        "models:read",
        "models:write",
    ]
)

# Assign role to user
client.users.assign_role(
    email="engineer@example.com",
    role="ML Engineer",
    nano_id="nano-abc123"
)

Permission Scopes

  • inference:read - View inference requests/responses
  • inference:write - Make inference requests
  • training:read - View training jobs
  • training:write - Create training jobs
  • models:read - List and view models
  • models:write - Upload and delete models
  • config:read - View configuration
  • config:write - Modify configuration
  • billing:read - View billing information
  • billing:write - Manage billing settings
  • users:read - View users
  • users:write - Manage users and roles

Single Sign-On (SSO)

Integrate with your identity provider:

Supported Providers:

  • Okta
  • Auth0
  • Azure AD
  • Google Workspace
  • Custom SAML 2.0

Setup:

  1. Navigate to Settings → SSO
  2. Select your identity provider
  3. Configure SAML/OAuth settings
  4. Test SSO connection
  5. Enable for organization

# Configure SSO via API
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/sso \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "okta",
    "metadata_url": "https://your-org.okta.com/app/.../sso/saml/metadata",
    "enforce_sso": true,
    "auto_provision": true
  }'

Audit Logging

Log Types

Access Logs:

  • User authentication (login, logout, MFA)
  • API key creation and usage
  • Permission changes
  • SSO events

Operations Logs:

  • Instance creation, modification, deletion
  • Model uploads and deployments
  • Training job lifecycle
  • Configuration changes

Data Logs:

  • Inference requests (optional, configurable)
  • Training data access
  • Model downloads
  • File operations

Log Format

{
  "timestamp": "2025-11-11T19:02:15Z",
  "event_type": "inference.request",
  "user_id": "user-123",
  "nano_id": "nano-abc123",
  "api_key_id": "key-xyz789",
  "source_ip": "203.0.113.50",
  "action": "chat.completions.create",
  "model": "mistral-7b-instruct",
  "status": "success",
  "tokens": 175,
  "duration_ms": 1234
}

Log Export

# Export logs for compliance
curl https://api.achiral.ai/v1/nano/{nano_id}/logs/export \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "start_date": "2025-01-01",
    "end_date": "2025-01-31",
    "log_types": ["access", "operations"],
    "format": "json"
  }' > logs.json
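
The following Python script is an added example, not Achiral's own code: it runs two checks over exported records in the log format shown above, flagging API keys used from outside expected networks or from several IPs in a short window. The allowlisted network, the thresholds, and the assumption that logs.json is a JSON array of such records are illustrative; the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the page): expected client networks and alert thresholds.
ALLOWED_NETS = [ip_network("203.0.113.0/24")]
WINDOW = timedelta(minutes=10)
MAX_IPS_PER_KEY = 2


def _rec(ts, key, ip):
    """Build one constructed record with the field names of the documented log format."""
    return {"timestamp": ts, "event_type": "inference.request", "user_id": "user-123",
            "nano_id": "nano-abc123", "api_key_id": key, "source_ip": ip,
            "action": "chat.completions.create", "model": "mistral-7b-instruct",
            "status": "success", "tokens": 175, "duration_ms": 1234}


# Constructed sample standing in for logs.json (assumed to be a JSON array of records).
SAMPLE_EXPORT = json.dumps([
    _rec("2025-11-11T19:02:15Z", "key-xyz789", "203.0.113.50"),
    _rec("2025-11-11T19:03:00Z", "key-xyz789", "203.0.113.51"),
    _rec("2025-11-11T19:05:00Z", "key-xyz789", "198.51.100.7"),
    _rec("2025-11-11T19:06:00Z", "key-aaa111", "203.0.113.60"),
    _rec("2025-11-11T20:30:00Z", "key-aaa111", "203.0.113.61"),
])


def find_suspicious(records):
    """Return (rule, api_key_id, detail) tuples for keys used from unexpected places."""
    findings, alerted = [], set()
    recent = defaultdict(list)  # api_key_id -> [(time, ip)] seen within WINDOW
    for r in sorted(records, key=lambda r: r["timestamp"]):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ip, key = ip_address(r["source_ip"]), r["api_key_id"]
        # Rule 1: the request came from outside the networks you expect.
        if not any(ip in net for net in ALLOWED_NETS):
            findings.append(("ip_outside_allowlist", key, str(ip)))
        # Rule 2: one key was used from too many distinct IPs within WINDOW.
        recent[key] = [(t, i) for t, i in recent[key] if ts - t <= WINDOW] + [(ts, ip)]
        distinct = sorted({str(i) for _, i in recent[key]})
        if len(distinct) > MAX_IPS_PER_KEY and key not in alerted:
            alerted.add(key)
            findings.append(("key_ip_spread", key, ",".join(distinct)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(json.loads(SAMPLE_EXPORT)):
        print(finding)
```

To run it against a real export, load logs.json with json.load and pass the resulting list to find_suspicious.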

Log Retention

Plan | Retention Period | Export Available
Spark | 30 days | Yes
Seed | 90 days | Yes
Growth | 1 year (configurable) | Yes

SIEM Integration

Stream logs to your Security Information and Event Management system:

# Configure SIEM integration
client.logging.configure_siem(
    nano_id="nano-abc123",
    provider="splunk",
    endpoint="https://splunk.example.com/services/collector",
    token="YOUR_HEC_TOKEN",
    log_types=["access", "operations", "data"]
)

Enterprise Data Compliance

Achiral provides a comprehensive compliance API for organizations operating under GDPR, CCPA, HIPAA, or internal data governance requirements. All endpoints are available at /api/compliance/ and require admin or owner authentication.

Right to be Forgotten (GDPR Article 17)

Data erasure requests are processed automatically within 24 hours:

  • User erasure: Removes all user data from MongoDB (messages, profile, preferences) and Weaviate (conversation memory, user preferences, decision logs)
  • Organization erasure: Deletes the entire Weaviate tenant and all associated MongoDB records
  • Self-service: Users can request erasure of their own data without admin intervention
  • Automated processing: Background job runs every 30 minutes to pick up pending and retryable requests
  • Retry logic: Failed requests are retried up to 3 times before being flagged for manual review
  • Deadline tracking: Overdue requests (beyond 24 hours) trigger warning alerts

Endpoints:

  • POST /api/compliance/erase/user — Admin triggers user erasure
  • POST /api/compliance/erase/self — Self-service erasure
  • POST /api/compliance/erase/organization — Owner triggers full org erasure (requires confirmation)
  • GET /api/compliance/erase/:requestId — Check erasure status
  • GET /api/compliance/erase/requests — List all erasure requests (admin)

Data Portability (GDPR Article 20)

Full data export in machine-readable format:

  • Standard export: Human-readable JSON of user profile, conversations, messages, orders, organization data, plus Weaviate properties (conversation memory, user preferences, decision logs, domain knowledge, documents)
  • Technical export: Includes raw vector embeddings for direct re-import into compatible systems
  • ZIP packaging: All data bundled into a single ZIP file with manifest.json describing contents
  • 7-day TTL: Completed exports are available for download for 7 days, then automatically cleaned up
  • Background processing: Export jobs run every 15 minutes; expired exports are cleaned up daily

Endpoints:

  • POST /api/compliance/export — Request a data export (admin)
  • GET /api/compliance/export/:exportId — Check export status
  • GET /api/compliance/export/:exportId/download — Download completed export
  • GET /api/compliance/exports — List all export requests (admin)

Users can also trigger exports from POST /api/user/export, which returns an immediate JSON download and queues full compliance exports (including Weaviate data) for each organization.

Memory Access Audit Trail

Every AI memory retrieval is logged automatically via a fire-and-forget mechanism that adds less than 5ms overhead:

  • RAG retrievals: Logged when Chiro retrieves context from Weaviate during conversation
  • Knowledge searches: Logged when users search domain knowledge
  • Captured metadata: Organization, user, assistant, query text, collections searched, result count, result IDs, access type, IP address, user agent, response time
  • 2-year retention: Access logs are retained for 2 years via MongoDB TTL index
  • CSV export: Download access logs in CSV format for compliance audits
  • Aggregated stats: View access patterns by type, date, and collection

Endpoints:

  • GET /api/compliance/access-logs — Paginated access logs with filters (admin)
  • GET /api/compliance/access-logs/export — CSV export of access logs (admin)
  • GET /api/compliance/access-logs/stats — Aggregated statistics (admin)

Configurable Retention Policies

Per-collection data retention policies enforced automatically:

  • Per-collection TTL: Set retention periods independently for conversation memory, user preferences, decision logs, domain knowledge, tenant conversations, training data, and chat messages
  • Defaults: Conversation memory (365 days), decision logs (730 days), tenant conversations (180 days), chat messages (730 days). User preferences, domain knowledge, and training data default to indefinite.
  • Dry-run preview: See exactly what would be deleted before enforcement
  • Manual trigger: Owners can manually enforce retention policies with confirmation
  • Automatic enforcement: Daily job runs at 3 AM UTC for organizations with retention enabled
  • Weaviate + MongoDB: Retention applies to both Weaviate vector data and MongoDB chat messages

Endpoints:

  • GET /api/compliance/retention — View current retention configuration (admin)
  • PUT /api/compliance/retention — Update retention policies (owner)
  • POST /api/compliance/retention/preview — Dry-run preview (admin)
  • POST /api/compliance/retention/enforce — Manual enforcement (owner, requires confirmation)

Penetration Testing

Achiral undergoes regular penetration testing:

  • Frequency: Quarterly by third-party security firms
  • Scope: Infrastructure, API, web application
  • Remediation: Critical issues fixed within 24 hours
  • Reports: Available to Growth plan customers

Customer Penetration Testing

Customers can request permission for penetration testing:

  1. Submit request to security@achiral.ai
  2. Provide testing scope and timeline
  3. Receive written approval
  4. Conduct testing on your Chiro instances only
  5. Share findings with the Achiral security team

Incident Response

Security Incidents

Achiral AI maintains a 24/7 security operations center:

  • Detection: Automated monitoring and alerting
  • Response Time: < 15 minutes for critical incidents
  • Notification: Affected customers notified within 1 hour
  • Resolution: Root cause analysis and remediation

Reporting Security Issues

To report a security vulnerability:

Customer Responsibilities

  • Secure your API keys and credentials
  • Enable MFA for all users
  • Regularly rotate API keys
  • Monitor your own access logs
  • Report suspicious activity immediately

Compliance Certifications

Current Certifications

  • SOC 2 Type II - Security, availability, confidentiality
  • HIPAA - Healthcare data protection
  • ISO 27001 - Information security management
  • GDPR - European data protection
  • CCPA - California consumer privacy

In Progress

  • FedRAMP - U.S. government cloud security (Q2 2026)
  • PCI DSS - Payment card industry (Q3 2026)

Regional Compliance

  • GDPR (EU): Data residency in EU regions available
  • CCPA (California): Consumer rights and data deletion
  • LGPD (Brazil): São Paulo region available
  • PIPEDA (Canada): Toronto region available

Data Residency

Deploy Chiro instances in specific geographic regions:

Available Regions:

  • 🇺🇸 United States (us-east-1, us-west-2)
  • 🇪🇺 Europe (eu-west-1, eu-central-1)
  • 🇬🇧 United Kingdom (uk-south-1)
  • 🇨🇦 Canada (ca-central-1)
  • 🇦🇺 Australia (ap-southeast-2)
  • 🇯🇵 Japan (ap-northeast-1)
  • 🇸🇬 Singapore (ap-southeast-1)

# Deploy in specific region
client.nano.create(
    name="eu-nano",
    region="eu-central-1",    # Frankfurt, Germany
    data_residency="strict",  # Data never leaves region
    gpu_tier="d128"
)
