Skip to main content

Security

At Autoheal, security runs through everything we build. Our AI agents operate within your organization's established governance, risk, and compliance (GRC) posture — with the same care and boundaries you'd expect from a senior engineer on your team.

Our Security Approach

Secure Development Lifecycle

We integrate security at every stage of development:

  • Security by Design: Security requirements defined during feature planning
  • Secure Coding Standards: Adherence to OWASP guidelines and language-specific best practices
  • Code Review: All code changes reviewed by multiple engineers
  • Automated Security Checks: Pre-commit hooks prevent common security issues
  • Regular Testing: Comprehensive unit, integration, and security testing
  • Continuous Monitoring: 24/7 monitoring for security events and anomalies

Data Protection

Encryption

  • At Rest: All data encrypted using industry-standard encryption (AES-256)
  • In Transit: TLS 1.2+ for all API communications
  • Database Encryption: AWS RDS encryption with automated backups
  • Secrets Management: AWS Secrets Manager with KMS encryption

Multi-Tenancy & Isolation

  • Tenant Isolation: Your data is logically isolated from other customers
  • Access Controls: Role-based access control (RBAC) within your organization
  • Network Segmentation: Infrastructure designed with defense-in-depth principles

Authentication & Authorization

User Authentication

  • OAuth 2.0 / OpenID Connect: Industry-standard authentication protocols
  • Single Sign-On (SSO): Support for enterprise SSO providers
  • Multi-Factor Authentication (MFA): Optional MFA for enhanced security
  • Session Management: Secure session handling with automatic timeout

API Security

  • API Authentication: Token-based authentication for API access
  • Rate Limiting: Protection against abuse and denial-of-service attacks
  • Input Validation: Comprehensive validation of all user inputs
  • Least Privilege: Services operate with minimal required permissions

Infrastructure Security

Cloud Security

  • AWS Infrastructure: Hosted on AWS with SOC 2 and ISO 27001 certified infrastructure
  • Network Security: VPC isolation, security groups, and network policies
  • DDoS Protection: AWS Shield for protection against distributed attacks
  • Web Application Firewall: AWS WAF for application-layer protection

Container Security

  • Image Scanning: Automated scanning for vulnerabilities in container images
  • Minimal Images: Distroless base images to reduce attack surface
  • Runtime Security: Kubernetes security policies and runtime protection
  • Regular Updates: Automated security patching and updates

Vulnerability Management

  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Security Advisories: Monitoring of security advisories and CVE databases
  • Penetration Testing: Regular third-party security assessments
  • Responsible Disclosure: Process for security researchers to report vulnerabilities
  • Rapid Response: Defined SLAs for vulnerability remediation

Monitoring & Incident Response

Security Monitoring

  • Audit Logging: Comprehensive logging of all security-relevant events
  • Anomaly Detection: Automated detection of suspicious activities
  • SIEM Integration: Security information and event management
  • CloudTrail: AWS API activity logging and monitoring

Incident Response

  • 24/7 Response Team: Dedicated security team on-call
  • Incident Classification: Tiered response based on severity
  • Communication Plan: Defined procedures for customer notification
  • Post-Incident Review: Continuous improvement from security events

Compliance & Certifications

Current Compliance

  • GDPR: General Data Protection Regulation compliance
  • CCPA: California Consumer Privacy Act compliance
  • Data Residency: Options for data storage location

Certifications

  • SOC 2 Type II
  • ISO 27001
  • HIPAA: Available for healthcare customers (upon request)

Security Best Practices for Customers

Recommendations

  1. Enable MFA: Use multi-factor authentication for all users
  2. Strong Passwords: Enforce password complexity requirements
  3. Regular Reviews: Periodically review user access and permissions
  4. API Keys: Rotate API keys regularly and store securely
  5. Activity Monitoring: Review audit logs for your organization
  6. Least Privilege: Grant users minimum required permissions

Integration Security

  • OAuth 2.0: Secure authorization for third-party integrations
  • Scoped Permissions: Integrations request only necessary permissions
  • Revocable Access: Ability to revoke integration access at any time
  • Audit Trail: All integration activities logged

Privacy & Data Handling

Data Collection

We collect only the data necessary to provide our services:

  • Account information (name, email, organization)
  • Usage data (features used, API calls)
  • Integration data (as configured by you)
  • Incident and alert data (for automation workflows)

Data Use

Your data is used solely to:

  • Provide and improve our services
  • Respond to support requests
  • Send service-related communications
  • Ensure platform security and reliability

We never:

  • Sell your data to third parties
  • Use your data to train AI models without explicit consent
  • Share your data except as required by law

Data Retention

  • Active Data: Retained while your account is active
  • Backups: Encrypted backups retained for disaster recovery
  • Deletion: Data deleted within 30 days of account closure
  • Right to Erasure: GDPR right to request data deletion

Data Portability

  • Export Capabilities: Export your data at any time
  • API Access: Programmatic access to retrieve your data
  • Standard Formats: Data provided in common formats (JSON, CSV)

Reporting Security Issues

We appreciate responsible disclosure of security vulnerabilities.

How to Report

Email: security@autoheal.ai

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (optional for recognition)

What to Expect

  1. Acknowledgment: Within 24 hours
  2. Assessment: Triage within 48 hours
  3. Updates: Regular status updates during investigation
  4. Resolution: Fix deployed based on severity
  5. Recognition: Credit in our security hall of fame (if desired)

Responsible Disclosure Policy

We request that you:

  • Provide reasonable time for us to address the issue
  • Avoid accessing or modifying customer data
  • Do not perform denial-of-service testing
  • Make good faith effort to avoid privacy violations

We commit to:

  • Not pursue legal action against researchers acting in good faith
  • Work with you to understand and address the issue
  • Publicly acknowledge your contribution (with your permission)

Security Contact

For security questions or concerns:

Transparency

We believe in transparency about our security practices:

  • Security Updates: Published on our status page
  • Incident Notifications: Prompt notification of security incidents affecting customers
  • Security Documentation: Regular updates to our security documentation