Security & Compliance

Enterprise-grade security is not an add-on.It's how we built the platform.

Isolated InfrastructureHIPAA ReadyGDPR Ready

Verifiable Claims — test them yourself

We don't ask you to take our security posture on faith. Every claim below can be verified from your own terminal, right now, with zero credentials. This is the same black-box probe set our internal verifier runs on every audit.

All authenticated endpoints return 401 without a token

No exposed admin surfaces. No accidental public data routes.

curl -sI https://api.myaios.app/ops/clients     # → 401
curl -sI https://api.myaios.app/pipeline/leads  # → 401
curl -sI https://api.myaios.app/outreach/leads  # → 401
curl -sI https://api.myaios.app/metrics         # → 401

Public webhooks fail-closed on bad signatures

HMAC verification gates every webhook. Bad signatures never reach application logic.

curl -si -X POST https://api.myaios.app/messaging/webhooks/linq \
  -H 'content-type: application/json' \
  -H 'x-webhook-signature: deadbeef' \
  -d '{}' | head -1
# → HTTP/2 401  {"detail":"Invalid signature"}

Enforced transport + browser security headers

HSTS preload, COOP same-origin, COEP require-corp, CORP same-site, X-Frame DENY, nosniff, strict Permissions-Policy, nonce-based CSP (no unsafe-inline for scripts).

curl -sI https://api.myaios.app/health | grep -iE \
  'strict-transport|cross-origin|x-frame|x-content|permissions'

Independent score: securityheaders.com/?q=api.myaios.app · SSL Labs

RFC 9116 security.txt published on every production domain

Responsible-disclosure contact, PGP-ready, signed expiration.

curl -s https://ai-genesis.ai/.well-known/security.txt
curl -s https://myaios.app/.well-known/security.txt
curl -s https://api.myaios.app/.well-known/security.txt

Liveness & readiness probes are the only unauthenticated endpoints

Kubernetes-style health signals. Everything else is gated.

curl -s https://api.myaios.app/livez   # → {"status":"alive"}
curl -s https://api.myaios.app/readyz  # → {"status":"ready"}
curl -s https://api.myaios.app/health  # → {"status":"ok",...}

Responsible disclosure: security@ai-genesis.ai. We acknowledge reports within 24 hours.

Data Architecture

Every client deployment runs on fully isolated infrastructure. There is no shared tenancy — your data, models, and configurations exist in a dedicated environment that no other client can access.

  • Isolated infrastructure per client — zero shared tenancy
  • Customer data NEVER sent to OpenAI, Google, Anthropic, or any third-party model provider
  • All AI models run on AI Genesis managed infrastructure
  • Encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Regular penetration testing and independent security audits

Access Controls

We enforce strict access controls across every layer of the platform, ensuring that only authorized personnel can access client environments and data.

  • Role-based access control (RBAC) across all systems
  • Multi-factor authentication required for all staff
  • Principle of least privilege enforced by default
  • Regular access reviews and privilege audits
  • All access logged, timestamped, and auditable

Compliance Certifications

Isolated Infrastructure

Each client runs on dedicated infrastructure. No shared models, no shared data, no cross-tenant access.

HIPAA Ready

Architecture designed for HIPAA compliance. Business Associate Agreements available. Encrypted data handling and audit-ready logging.

GDPR Ready

Designed to support GDPR requirements. Data Processing Agreements available. EU data subject rights supported.

CCPA Ready

Designed to support California Consumer Privacy Act requirements. We do not sell personal information.

Infrastructure

The Digital Hires™ platform is hosted on enterprise-grade cloud providers with redundant architecture designed for high availability and resilience.

  • Cloud-hosted on enterprise-grade infrastructure providers
  • Auto-scaling with redundant, multi-zone architecture
  • 99.9% uptime SLA with real-time monitoring
  • Automated backups with point-in-time recovery
  • DDoS protection at the network and application layers
  • Web Application Firewall (WAF) protecting all endpoints

Incident Response

AI Genesis maintains a defined incident response plan tested and updated quarterly. Our security operations team monitors all infrastructure around the clock.

  • 24/7 security monitoring with automated alerting
  • Defined incident response plan with clear escalation paths
  • Client notification within 24 hours of a confirmed breach
  • Post-incident review, root cause analysis, and remediation
  • Quarterly tabletop exercises and plan updates

Vendor Security

Every subprocessor and vendor in our supply chain is vetted, contracted, and monitored to ensure they meet our security standards.

  • All subprocessors vetted and contractually bound
  • Regular vendor security assessments and reviews
  • Data processing agreements executed with all vendors
  • Vendor access limited to the minimum necessary scope

Data Privacy

Your data is your data. We maintain strict data handling policies and provide full transparency into how information is processed.

  • Client data is never used to train models for other clients
  • Full data export available upon request
  • Data deleted within 30 days of contract termination
  • Comprehensive audit logs for all data access events

Questions about our security posture?

Book a call with our team to discuss compliance requirements, request documentation, or schedule a security review.

Book a Call →
Privacy PolicyTerms of Service
Ask anything...