Security & Compliance
Aiqarus was designed from the ground up for regulated industries. Enterprise-grade security is the foundation we built on, not a feature we added.
Features
Security Principles
Built for regulated industries
Zero Trust Architecture
Every request is authenticated and authorized. No implicit trust.
Least Privilege
Agents have no capabilities unless explicitly granted.
Defense in Depth
Multiple security layers prevent single points of failure.
Transparency
Security through verifiable design, not hidden implementation.
Continuous Validation
Regular penetration testing, scanning, and compliance audits.
Encryption
AES-256 at rest, TLS 1.3 in transit, additional vault encryption.
Tamper-Proof Audit Trails
SHA-256 hash-chained audit logs with Ed25519 attestation signatures
Format: aiq-trace-v1
Ed25519 attestation signature • Chain anchor hash proves provenance
Tamper Detection
Modifying any record changes its hash and breaks the link to every record after it, so tampering is detectable by recomputing the chain.
Goal & Run Traces
Both Goals and Runs have their own trace chains. VerifyGoalTraceChain() validates the goal-level audit trail.
Ed25519 Attestations
Cryptographic signatures using aiq-trace-v1 format. Chain anchor hashes prove provenance.
Database Immutability
Database triggers prevent UPDATE/DELETE on audit records. Even admins can't tamper.
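How a hash chain plus an externally held anchor detects tampering, as an added example (not Aiqarus code). The aiq-trace-v1 record layout is not given on this page, so the record fields, genesis value and function names are assumptions; the Ed25519 signature over the anchor is not implemented, and the anchor is simply kept outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first record

def record_hash(prev_hash, payload):
    # Canonical JSON so the same payload always produces the same digest.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload,
                  "hash": record_hash(prev, payload)})
    return chain[-1]["hash"]  # new head of the chain

def verify_chain(chain, anchor=None):
    """Return (ok, reason). `anchor` is a head hash stored outside the log."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["payload"]):
            return False, f"record {i} breaks the chain"
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        return False, "head does not match attested anchor"
    return True, "ok"

def build_sample():
    # Constructed audit events; action names reuse permissions listed on this page.
    chain, head = [], GENESIS
    for action in ("goal:create", "goal:activate", "goal:abandon"):
        head = append(chain, {"actor": "user-1", "action": action})
    return chain, head

def edit_in_place(chain, index, payload):
    # One record changed, stored hashes left untouched.
    out = [dict(rec) for rec in chain]
    out[index]["payload"] = payload
    return out

def rewrite_chain(chain, index, payload):
    # One record changed and every hash recomputed from the start.
    payloads = [rec["payload"] for rec in chain]
    payloads[index] = payload
    out = []
    for p in payloads:
        append(out, p)
    return out
```

A fully recomputed chain passes the internal check, which is why the head hash has to be attested and held where the log's writer cannot replace it.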
Data Protection
Encryption
AES-256 At Rest
All data encrypted at the database level
TLS 1.3 In Transit
All connections encrypted with forward secrecy
Credential Vault
Integration credentials with additional encryption layer
Customer Encryption Keys
Enterprise customers can manage their own keys
Multi-Tenant Isolation
Database Isolation
Row-level security policies enforce org separation
Execution Isolation
Agent runs scoped to organization
Network Isolation
Dedicated resources and private endpoints (Enterprise)
Data Residency
US, EU, or customer cloud deployment options
Access Control
Fine-grained role-based access control (RBAC) with SSO/SAML
| Role | Description | Key Permissions |
|---|---|---|
| Owner | Full organization access | All permissions including billing, goal:abandon |
| Admin | Organization administration | Manage members, agents, goal:create, goal:activate |
| Developer | Agent & goal development | Create agents, goals, manage versions |
| Operator | Execution management | Execute goals, approve decisions, goal:accept_partial |
| Viewer | Read-only access | View agents, goals, runs, traces |
SSO/SAML Integration
Connect to your identity provider with just-in-time provisioning and group sync.
Okta, Azure AD, Google Workspace, OneLogin, PingIdentity, and custom SAML 2.0
API Key Security
Scoped API keys with expiration, IP allowlisting, and usage tracking.
SHA-256 hashed storage, read-only options, one-click revocation
Compliance Certifications
SOC 2 Type I
Expected Q3 2026
HIPAA
BAA available for Enterprise
GDPR
DPA planned
ISO 27001
Roadmap for 2026