Security & Compliance

Your data never leaves your control

ObservableAI is being built around tenant-aware access, audit logging, private deployment options, and controls that fit healthcare, financial services, and government-style review.


Data Encryption

Encryption at rest and in transit, with a path to customer-managed keys for private deployments.

AES-256 encryption at rest
TLS 1.3 for all data in transit
Customer-managed encryption keys (BYOK)
Encrypted backups with geo-redundancy

Infrastructure Security

Designed for cloud, VPC, and private deployment patterns with tenant isolation.

VPC and private deployment options
Tenant-aware isolation boundaries
Hardened infrastructure baseline
Operational runbooks and audit logging

Access Control

Granular role-based access control with enterprise SSO-ready architecture.

SAML 2.0 and OIDC SSO
Role-based access control (RBAC)
Audit logging for all access
IP allowlisting

Privacy Controls

Built-in privacy controls for regulated telemetry and evidence retention.

Zero-retention logging mode
Automatic PII/PHI detection and redaction
Data residency controls (US, EU, custom)
Right to erasure (GDPR Article 17)

Compliance evidence mappings

The platform is structured to preserve evidence that can support common frameworks and customer-specific control reviews.

SOC 2: Evidence
HIPAA: Controls
GDPR: Data Rights
ISO 27001: Mapping
EU AI Act: Governance
CCPA: Privacy

Zero-trust data architecture

Every layer of our architecture is designed to ensure your data remains under your control. No exceptions.

Customer telemetry can be encrypted at rest and in transit
Data residency and retention controls for regulated deployments
Zero-retention processing path for highly sensitive fields
Customer-managed key path for private enterprise environments
Access events logged for audit and incident review
Network segmentation options for VPC and private deployments

Data Flow Architecture

1. Client SDK: lightweight instrumentation in your application
2. TLS 1.3 Transport: encrypted transport between collectors and ingest
3. Ingestion Gateway: rate limiting, validation, PII detection
4. Processing Engine: analysis, redaction, enrichment, policy evaluation
5. Encrypted Storage: encrypted retention with private deployment options
6. Query Layer: RBAC-enforced access, audit logging

Zero-retention logging mode

For the most sensitive deployments, enable our strict privacy mode to ensure prompt data and generated outputs are processed ephemerally and can be excluded from durable storage.

RETENTION_POLICY = NONE

Responsible disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, we encourage responsible disclosure.

Please report security vulnerabilities to security@observableai.ai. We commit to acknowledging receipt within 24 hours and providing a detailed response within 72 hours.

Do not publicly disclose the vulnerability before we have had a chance to address it
Provide sufficient detail for us to reproduce and fix the issue
Avoid accessing or modifying other users' data

Ready for a security review?

Our security team is available to walk through our architecture, control mappings, and deployment options.
