Security & compliance
Data isolation, encryption, audit logging, and access control are defaults, not add-ons. This page is the honest summary of our posture. Where a regime does not apply, we say so plainly.
Isolation
Every organization gets a dedicated Weaviate tenant with its own vector collections, embeddings, and search indexes. Quotas and rate limits are enforced per tenant in Redis. The tenant ID is carried in every inference request.
Elite and above automatically migrate to pod isolation: a dedicated vLLM pod in its own Kubernetes namespace with network policies, dedicated GPU allocation, and an optional dedicated Weaviate instance.
LoRA adapters, training data, API keys, embeddings, and log streams are all scoped per organization.
Encryption
AES-256 at rest for model weights, datasets, checkpoints, audit logs, backups, and secrets. TLS 1.3 in transit with perfect forward secrecy and modern ciphers. Keys are Achiral-managed by default and rotated every 90 days; customer-managed keys (BYOK) are available on Dedicated tier and back to an HSM.
Access
RBAC roles: owner, admin, developer, member, billing. Permission scopes cover inference, training, models, config, users, and billing. SSO via Okta, Auth0, Azure AD, Google Workspace, and SAML 2.0 is Grow tier and above. MFA is recommended universally and required for owners and admins.
Audit log
Every inference request, configuration change, and memory read is logged per tenant. Retention defaults: Spark 30 days, Seed 90 days, Grow 365 days (configurable). Memory access records the organization, user, assistant, query, collections searched, and result count with two-year TTL in MongoDB. Export via GET /api/compliance/access-logs/export. Grow tier and above can stream to Splunk, Datadog, or any Syslog endpoint.
GDPR compliance endpoints
POST /api/compliance/erase/user|self|organization— Article 17 erasure, 24-hour window.POST /api/compliance/export— Article 20 portability, ZIP with JSON plus optional raw embeddings, 7-day TTL.GET /api/compliance/access-logs— paginated audit log access.PUT /api/compliance/retention— per-collection retention.
Regulatory posture
- HIPAA — compliance-ready with signed BAAs on Elite tier and above. Not "certified" because HIPAA has no certification regime. Signed BAAs accept liability under the Security Rule, mapped to 45 CFR Part 164.
- SOC 2 — Type I audit in progress for 2026. Not compliant until the report is issued. Grow tier and above can request the current trust posture document and audit scope.
- GDPR — aligned. DPAs signed per customer. The endpoints above implement Articles 17 and 20.
- ISO 27001 — in scope for 2026. Not certified.
- PCI DSS, FedRAMP — not in scope.
- CCPA, LGPD, PIPEDA — handled via the GDPR control set where they overlap; no separate certification.
Any claim beyond this list is out of policy until we update it here.
Operations
Third-party penetration tests quarterly; critical findings remediated within 24 hours; reports available to Grow tier and above on request. Incident response: 24/7 monitoring, target time-to-detect under 15 minutes for critical incidents, affected customers notified within one hour of confirmed incidents. Report vulnerabilities to security@achiral.ai.
Customer responsibilities
Keep API keys secret and rotate them. Enable MFA. Monitor your own audit logs. Report suspicious activity.
Request a BAA or audit scope from compliance@achiral.ai. Map controls to tiers in pricing; for architectural commitments to data ownership, see Data privacy.