Security Policy

Last updated: January 15, 2025

Architecture Security

Gertin AI is designed around a zero-egress architecture. All AI inference runs through Amazon Bedrock inside the customer's own AWS account. No compliance data, including IAM policies, security logs, cloud configurations, or audit artifacts, is transmitted to or stored by Gertin AI, Inc. systems. The gateway container runs in the customer's VPC and requires no outbound internet access beyond AWS service endpoints.

Encryption

All data in transit is encrypted using TLS 1.2 or higher. All data at rest in Amazon RDS and ElastiCache is encrypted using AES-256. Secrets (master keys, database credentials) are stored in AWS Secrets Manager with automatic rotation support. Container images are scanned for vulnerabilities on push via Amazon ECR image scanning.

Access Control

The gateway uses API key authentication with per-organization scoping. API keys are stored as SHA-256 hashes — plaintext keys are never stored. IAM roles follow least-privilege principles: the gateway task role is granted only the specific Bedrock model ARNs it requires, plus SES send access scoped to the verified domain identity. No wildcard IAM permissions are used in the default deployment.
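The following Go program is an added example, not Gertin AI's code, of the API key handling this section describes: a key is generated from 256 bits of CSPRNG output, only its SHA-256 digest is persisted together with the organization it is scoped to, authentication looks the digest up and re-checks it in constant time, and authorization rejects a valid key that targets a different organization. The in-memory store, the `gk_` key prefix, the `org-acme`/`org-globex` identifiers and the `HoldsPlaintext` check are assumptions made for the example; in a real deployment the store would be the RDS table. One caveat the paragraph leaves implicit: an unsalted, fast hash such as SHA-256 is only adequate because the key is high-entropy random material; a user-chosen secret would need a slow, salted password hash instead.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// keyRecord is the only thing persisted per API key (a constructed stand-in for
// the database row): the hex SHA-256 digest of the key and the organization it
// is scoped to. The plaintext key is never written anywhere.
type keyRecord struct {
	digestHex string
	orgID     string
}

// KeyStore stands in for the RDS table. Records are indexed by digest, so a
// lookup never needs the plaintext and never compares against plaintext.
type KeyStore struct {
	byDigest map[string]keyRecord
}

func NewKeyStore() *KeyStore { return &KeyStore{byDigest: map[string]keyRecord{}} }

// digestOf is the single place hashing happens, so issuance and verification
// cannot drift apart.
func digestOf(plaintext string) string {
	sum := sha256.Sum256([]byte(plaintext))
	return hex.EncodeToString(sum[:])
}

// IssueKey creates a key with 256 bits of CSPRNG entropy for orgID, stores only
// its digest, and returns the plaintext exactly once. Because the key is random
// rather than user-chosen, a plain unsalted SHA-256 is sufficient: there is no
// dictionary an attacker could run against the stored digest.
func (s *KeyStore) IssueKey(orgID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	// The "gk_" prefix is an assumed convention so leaked keys are recognisable
	// to secret scanners; it adds no entropy.
	plaintext := "gk_" + base64.RawURLEncoding.EncodeToString(raw)
	d := digestOf(plaintext)
	s.byDigest[d] = keyRecord{digestHex: d, orgID: orgID}
	return plaintext, nil
}

var ErrUnauthorized = errors.New("unauthorized")

// Authenticate returns the organization a presented key belongs to. The record
// is found by digest, then the stored digest is re-compared in constant time
// before the record is trusted.
func (s *KeyStore) Authenticate(presented string) (string, error) {
	d := digestOf(presented)
	rec, ok := s.byDigest[d]
	if !ok || subtle.ConstantTimeCompare([]byte(d), []byte(rec.digestHex)) != 1 {
		return "", ErrUnauthorized
	}
	return rec.orgID, nil
}

// Authorize enforces per-organization scoping: a key may only act on resources
// of the organization it was issued to, even when it is otherwise valid.
func (s *KeyStore) Authorize(presented, requestedOrg string) error {
	orgID, err := s.Authenticate(presented)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(orgID), []byte(requestedOrg)) != 1 {
		return ErrUnauthorized
	}
	return nil
}

// HoldsPlaintext reports whether the plaintext key appears anywhere in the
// store, which lets a test prove the "plaintext keys are never stored" property.
func (s *KeyStore) HoldsPlaintext(plaintext string) bool {
	for d, rec := range s.byDigest {
		if d == plaintext || rec.digestHex == plaintext || rec.orgID == plaintext {
			return true
		}
	}
	return false
}

func main() {
	store := NewKeyStore()
	key, err := store.IssueKey("org-acme")
	if err != nil {
		panic(err)
	}
	fmt.Println("issued key (shown once):", key)
	fmt.Println("acme key on acme resources:", store.Authorize(key, "org-acme"))
	fmt.Println("acme key on globex resources:", store.Authorize(key, "org-globex"))
	fmt.Println("unknown key:", store.Authorize("gk_not-a-real-key", "org-acme"))
	fmt.Println("plaintext persisted?", store.HoldsPlaintext(key))
}
```

The property worth checking in a review of any such gateway is the one `HoldsPlaintext` tests: nothing written to the database, logs, or error messages should ever contain the issued key, only its digest.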

Audit Logging

Every API request is recorded in an append-only audit log stored in Amazon RDS. Log entries include organization name, action type, risk score (for compliance scans), HTTP status code, latency, and source IP address. Entries cannot be modified or deleted via the API; they expire according to the plan's retention period of 30 days (Starter), 90 days (Business), or 1 year (Enterprise).

Container Security

The gateway container is built on a scratch base image with no shell, no package manager, and no unnecessary binaries. The container runs as uid 65534 (nobody) with a read-only root filesystem enforced. The binary is compiled with CGO disabled and stripped of debug symbols. Container images are signed and scanned before publication.

Vulnerability Disclosure

If you discover a security vulnerability in Gertin AI software, please report it responsibly to security@gertinai.com. Please include a description of the vulnerability, reproduction steps, and the potential impact. We will acknowledge receipt within 48 hours and provide a remediation timeline within 5 business days. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Compliance

The Gertin AI platform is designed to assist customers in achieving and maintaining SOC 2, PCI DSS, HIPAA, and CIS compliance. Gertin AI, Inc. undergoes annual third-party security assessments. A SOC 2 Type II report is available to Enterprise customers under NDA upon request.