🔒 Security & Compliance Infrastructure

Your InfoSec team's questions. Answered before they ask.

CAIBots is deployed inside regulated financial institutions, healthcare systems, and insurance carriers — environments where security and compliance infrastructure is a mandatory precondition, not an afterthought. This page contains everything your InfoSec and procurement teams need.


Security Status

Current security posture.

SOC 2 Type II
Trust Service Criteria
Security, Availability, Confidentiality, Processing Integrity, and Privacy controls aligned to the SOC 2 Trust Service Criteria. Report available under NDA to enterprise clients.
Available Under NDA
🏥 HIPAA
BAA Available
Business Associate Agreement available for all healthcare deployments. PHI access governed by RBAC at the Governance Layer — minimum necessary rule enforced on every data retrieval.
Standard BAA
📜 GDPR
DPA Available
Data Processing Agreement available for EU deployments. Data residency enforced by deployment model — EU client data never leaves EU infrastructure boundaries in on-premise deployments.
Standard DPA
🔍 Penetration Testing
Annual Third-Party
Annual third-party penetration test conducted by an independent security firm. Results summary available to enterprise clients under NDA. Critical findings remediated within 30 days.
Results Under NDA

Data Security

How your data is protected.

Data security is enforced at the architecture layer — not configured after deployment.

🔒 Encryption
All data encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys managed per tenant. Key rotation on a defined schedule. Customer-managed key option available for enterprise deployments.
  • TLS 1.3 in transit
  • AES-256 at rest
  • Per-tenant key management
  • Customer-managed keys on request
🛡️ Access Control
Role-based access control (RBAC) enforced at the Governance Layer for all data access. Minimum necessary principle applied to every data retrieval. Full access audit trail — who accessed what, when, and why.
  • RBAC enforced at architecture layer
  • Minimum necessary principle
  • Access logged with purpose and actor
  • PHI access requires explicit role authorization
🗄️ Data Residency
Three deployment options with different data residency characteristics. On-premise and DePIN deployments ensure client data never leaves the client's infrastructure boundary under any circumstances.
  • SaaS: data hosted in US AWS region
  • On-premise: data never leaves client infrastructure
  • EU deployments: data stays in EU boundaries
  • Residency enforcement documented in DPA
🧹 Data Isolation
Complete tenant isolation. No client data is used to train shared models. No cross-tenant data access possible by architecture — not by policy. Audit trails are per-tenant and not accessible to CAIBots support without explicit client authorization.
  • Complete tenant data isolation
  • Client data never used for model training
  • CAIBots cannot access audit logs without client consent
  • Isolated execution environments per deployment

Deployment Architecture

Three deployment options. Three data sovereignty profiles.

Choose the deployment model that matches your data sovereignty requirements and InfoSec posture. All three options ship with the same five-plane PCATS architecture and governance controls.

Option 1
CAIBots Hosted SaaS
CAIBots manages infrastructure on dedicated cloud tenants. Suitable for institutions with standard cloud security policies. SOC 2 Type II controls apply. Data hosted in US AWS regions by default.
  • Fastest deployment (14-day sandbox)
  • Full SOC 2 Type II coverage
  • Data in US AWS dedicated tenant
  • BAA/DPA included
SaaS · AWS Dedicated Tenant
Option 2
On-Premise / Private Cloud
CAIBots deployed within your infrastructure — on-premise data center or private VPC. Data never leaves your environment. Preferred option for institutions with strict data residency, air-gap, or sovereignty requirements.
  • Data never leaves client infrastructure
  • Satisfies air-gap and sovereignty requirements
  • Full audit trail within your environment
  • EU deployments default to this option
On-Premise · Zero Data Egress
Option 3
DePIN Distributed
Decentralized physical infrastructure network deployment for institutions requiring geographic distribution, sovereign compute, or multi-jurisdictional data residency. Available for enterprise deployments. Scoped individually.
  • Distributed across sovereign compute nodes
  • Multi-jurisdictional data residency
  • No single point of infrastructure dependency
  • Available for enterprise deployments
DePIN · Sovereign Compute

Procurement Documentation

Everything your procurement team will ask for.

All documentation available to qualified enterprise prospects. Email contact@caibots.com to request the InfoSec Package.

SOC 2 Type II Report
Independent auditor report covering the Security, Availability, Confidentiality, Processing Integrity, and Privacy trust service criteria. Current report covers the trailing 12-month period.
Availability: Under NDA

Business Associate Agreement (BAA)
HIPAA-compliant BAA for healthcare deployments. Standard template provided; negotiable for enterprise clients.
Availability: Standard — On Request

Data Processing Agreement (DPA)
GDPR-compliant DPA for EU deployments and international data transfers. Includes Standard Contractual Clauses where applicable.
Availability: Standard — On Request

Subprocessor List
Complete list of third-party subprocessors with data access, data categories processed, and geographic location. Updated quarterly.
Availability: Available — On Request

Penetration Test Summary
Annual third-party penetration test summary report. Includes methodology, scope, critical findings status, and remediation timeline.
Availability: Under NDA

Architecture & Security White Paper
Technical documentation of the five-plane PCATS architecture, data flows, encryption model, access control architecture, and audit log schema.
Availability: Available — On Request

Vendor Security Questionnaire (VSAQ)
Pre-completed standard VSAQ covering SIG Lite, CAIQ, and custom enterprise questionnaire formats. Reduces the InfoSec review cycle from weeks to days.
Availability: Available — On Request

EU AI Act Conformity Documentation
Technical documentation for high-risk AI system conformity assessment under EU AI Act Article 11. Covers architecture documentation, governance framework, and ongoing monitoring procedures.
Availability: Available — On Request

Insurance Certificate
Certificate of professional liability and cyber liability insurance coverage. Coverage limits available to enterprise prospects during procurement review.
Availability: Under NDA

InfoSec Package

Send this page to your InfoSec team.

Email contact@caibots.com with "InfoSec Package" in the subject line. We'll respond within one business day with the full documentation package for your procurement review — SOC 2 report, architecture white paper, pre-completed VSAQ, and DPA.

contact@caibots.com  ·  +1 (609) 721-2815  ·  Princeton, NJ