Security and Trust Centre
1. Our Security Philosophy
iaai.work is built for enterprise-grade governance and used by universities, law firms, energy companies, healthcare providers, and financial institutions.
Security, privacy, data protection, and reliability form the core of our platform.
Our principles:
Zero-Trust Architecture
Least-Privilege Access
Strong Data Isolation
Secure-by-Design Engineering
Compliance-Driven Controls
Continuous Monitoring & Auditing
2. Certifications & Frameworks
We align with or support:
ISO 27001 security standards
NIST CSF & NIST 800-53
GDPR & UK GDPR
CCPA/CPRA
PECR & ePrivacy
FERPA (education)
HIPAA (healthcare; optional on enterprise plans)
WCAG 2.1 AA security/accessibility alignment
OWASP Top 10 secure development practices
3. Data Centre & Infrastructure Security
We use enterprise cloud providers such as DigitalOcean, AWS, and Azure, featuring:
Tier III+ data centres
24/7 physical security
Controlled biometric access
ISO 27001, SOC 2 Type II certifications
Fire suppression and redundancy
Multi-zone deployment availability
4. Encryption Standards
Data in Transit
TLS 1.2+
HTTPS enforced
Strict HSTS policies
Secure cipher suites
Data at Rest
AES-256 encryption
Encrypted snapshots and backups
Full database encryption
5. Application Security
Role-based access control (RBAC)
SSO (Azure AD, Google Workspace, and Okta available)
Multi-factor authentication
Session timeout enforcement
API authentication via API keys & OAuth
Secure password hashing (bcrypt/argon2)
6. Operational Security
Background checks for all engineers
Least-privilege access (engineers have zero access to customer content unless authorised)
Change management approval workflows
Secure code reviews
Vulnerability scanning
Penetration testing
Continuous monitoring & alerting
7. Data Isolation & Tenant Segregation
We use:
Segregated customer environments
Customer-specific keys
Optional dedicated infrastructure
No cross-contamination between tenants
Strict logging & auditing of access
8. AI Security & Privacy Controls
iaai.work uses private AI models with strict governance:
No customer data is ever used to train public models
Optional customer-private, isolated AI instances
All prompts, outputs, and embeddings encrypted
AI content retention controlled by DPA
Human review always required for high-sensitivity outputs
No training on confidential PDFs unless explicitly authorised
9. Logging & Monitoring
We continuously monitor:
Authentication events
API usage
Scanning patterns
System load and health
Resource access logs
Error patterns and anomalies
Logs are retained securely for 12–24 months depending on customer configuration.
10. Incident Response
Our incident response plan includes:
24/7 on-call engineering support
Time-bound SLAs for critical incidents
Containment, mitigation, and root-cause analysis
Customer communication within required timeframes (GDPR: 72 hours)
Forensics support for enterprise clients
11. Backup & Disaster Recovery
Automated daily backups
30–90 retention depending on region
Geo-redundant storage
Full disaster recovery plan
High-availability architecture
4-hour RTO for standard services
24-hour RPO
12. Vendor & Subprocessor Management
We maintain:
Full subprocessor list
DPA agreements with all vendors
Annual reviews & due diligence
Monitoring of compliance certifications
Subprocessors may include:
Hosting providers
AI compute providers
Email delivery services
Monitoring and logging systems
We do not use unsafe or unregulated vendors.
13. Customer Controls & Options
We offer optional enhanced controls:
Dedicated environment / single-tenant hosting
Customer-managed encryption keys
Regional hosting (EU, UK, US, APAC)
Private networking (VPC peering/VPN)
IP allow-listing
Custom retention policies
Custom log storage integrations