Trust & Safety
Security
Last updated: 25 March 2026
Our security commitment
Security is not a feature we add. It is the reason this product exists. Every request proxied through the gateway is cryptographically attested before it executes. This page documents the controls we apply to our own infrastructure.
1. Data architecture
We do not store prompt content or model responses. The gateway inspects requests in transit to enforce configured policies (PHI detection, loop detection, spend limits) and immediately discards the content. Only metadata is retained.
- No prompts stored, ever
- No model responses stored, ever
- Metadata retained: timestamps, model names, token counts, policy outcomes, costs
- Audit records: SHA-256 hash-chained, tamper-evident
- ZK proofs: cryptographic compliance attestations without exposing content
2. Encryption
- TLS 1.3 for all traffic in transit
- AES-256 for data at rest
- Ed25519 digital signatures on every inference receipt
- SHA-256 hash chaining for audit log integrity
- Schnorr ZK proofs (live); Groth16 SNARK circuits (in development)
3. Infrastructure
- Hosted in EU (Ireland), GDPR jurisdiction
- PostgreSQL on Cloud SQL with encrypted storage
- Redis rate-limiting with Lua atomicity (no race conditions)
- Permanent blocks expire after 24h, no indefinite NAT lockouts
- Fail-closed rate limiting by default when cache is unavailable
- Per-tenant isolation: all keys scoped to organisation ID
4. Authentication & access
- OAuth 2.0 (Google, Microsoft, Auth0/SSO) with provider ID verification
- OTP via email, no passwords stored
- Cross-tenant data access impossible by design (org-scoped queries)
- API keys hashed at rest, never logged in plaintext
- SSO available on Enterprise tier
5. Compliance coverage
- EU AI Act (Arts. 9-13): enforcement-ready for August 2026 mandate
- GDPR: EU-hosted, data minimisation, right to erasure
- HIPAA: PHI detection, no-storage architecture
- ISO/IEC 42001: AI management system alignment
- NIST AI RMF: risk mapping and documentation
- NIS2 / DORA / MiFID II: available on Enterprise and Sovereign tiers
Compliance status
| Framework | Scope | Status |
|---|---|---|
| EU AI Act Arts. 9–13 | All tiers | Aligned |
| GDPR | All tiers | Aligned |
| HIPAA | Health pack | Aligned |
| ISO/IEC 42001 | All tiers | Aligned |
| NIST AI RMF | All tiers | Aligned |
| SOC 2 Type II | All tiers | In progress |
| ISO 27001 | All tiers | Planned |
| NIS2 / DORA / MiFID II | Enterprise & Sovereign | Aligned |
6. Vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue, please contact us before disclosing publicly so we can investigate and remediate.
Contact: security@aqta.ai
7. Contact
For security inquiries: security@aqta.ai
Aqta Technologies Ltd., Dublin, Ireland