Built for the data
your CFO signs off on.
Vendor contracts are the highest-stakes data inside an enterprise. Pricing schedules, indemnification caps, change-of-control clauses, signed addenda. Our security posture is not a feature checklist — it's how every endpoint resolves.
Audited. Renewed. On the record.
Reports are available under NDA to active and prospective customers. The Trust Center hosts machine-readable evidence for vendors who need to verify continuously.
SOC 2 Type II
Annual report covering Security, Availability, Confidentiality, and Processing Integrity. Auditor: A-IC Audit Co.
ISO/IEC 42001
Forthcoming AI management system certification. Controls are implemented; external audit scheduled.
GDPR & UK GDPR
DPA executed at contract. Standard Contractual Clauses for cross-border. Data residency selectable per tenant.
HIPAA-aligned
BAA available for healthcare tenants. PHI handling maps to existing access-control mechanisms.
Active Trust Center → trust.d8m.io · machine-readable evidence available via the Vendor Security Alliance Questionnaire (SIG Lite, CAIQ).
Access is not a wrapper. It's the data layer.
Document- and field-level RBAC enforced at runtime, at the API edge. Roles map to projections; the same underlying record produces different responses for different callers — and the system is honest about what it filtered.
Default role matrix on one record — a contract's clause-level data. Tenants can extend roles, redefine projections, and bind to upstream identity (Okta, Azure AD, Google Workspace, SAML/OIDC).
Default matrix shown. Tenants extend with custom roles (e.g. Treasury, Audit-External) and bind projections to JIT-elevated scopes for break-glass workflows.
Honest filtering
Every response carries an _access block describing exactly what was filtered for the current role: count of fields, count of documents, the reason. The system never silently omits. If a caller asks a question whose answer materially depends on a field they can't see, the API says so.
Projections, not blanking
A filtered field doesn't return null. It returns a projection appropriate to the role — an aggregate, a summary, a bucket — so the answer remains useful. Operational facts and financial detail are decoupled.
The boring parts. Done well.
Encryption, tenant isolation, key management, model handling. Defaults are the kind your security team writes a one-page memo about and moves on.
AES-256-GCM at rest, TLS 1.3 in transit. Keys managed in AWS KMS with per-tenant CMK. Optional customer-managed keys (BYOK) for enterprise — rotate, suspend, or revoke without touching d8m.
Logical per-tenant isolation at the data, vector index, and model layers. Cross-tenant access is structurally impossible — the access decision happens before retrieval, not after. VPC-hosted and on-prem deployments offer physical isolation.
Customer data never trains models. LLM calls use zero-retention inference (data evicted after response). Embedding models run in-tenant. No data is shared with model providers beyond what's needed to answer the current request.
SSO via Okta, Azure AD, Google Workspace, generic SAML/OIDC. SCIM for provisioning. MFA enforced for admin and audit roles. Service-account credentials rotate automatically; break-glass elevation is JIT and logged.
Every API call, every access decision, every model invocation is logged. Logs streamable to your SIEM (Splunk, Datadog, S3) in near-real-time. Retention defaults to 13 months; longer available. Logs themselves are immutable.
Quarterly third-party pen tests across the API, web app, and infrastructure. Reports available under NDA. Critical findings have a 7-day SLA; high a 30-day SLA. Continuous SAST and SCA in CI.
24/7 on-call. Customer notification within 24 hours of confirmed incident with material impact. RCA published within five business days. Tabletop exercises run quarterly with engineering and security teams.
Public disclosure policy and a managed bug bounty live with HackerOne. Researchers reach us at security@d8m.io with PGP if desired (key on the Trust Center). Acknowledgement within one business day.
Three deployment shapes. Same API.
All three deploy modes run the same software and expose the same API. They differ only in where the data lives and how isolated the control plane is.
Managed by us.
Fastest to onboard. Logical tenant isolation. Hosted in our regions (US, EU). Best fit for teams that want results in a quarter.
- Hosted: us-east-1 · eu-west-2
- Logical isolation
- Onboarding: ~2 weeks
- Pricing: per-vendor / per-API-call
Managed by us, your cloud.
Single-tenant control plane inside your AWS / Azure / GCP account. We operate; you own the data path. Common for finance and healthcare tenants.
- Your AWS / Azure / GCP
- Physical isolation
- Onboarding: ~6 weeks
- BYOK · CloudTrail integration
Managed by you.
Helm chart on Kubernetes inside your data center. We ship binaries and support; nothing phones home. For regulated and air-gapped environments.
- Helm + Kubernetes
- Air-gap capable
- Onboarding: ~12 weeks
- Annual license + support
Data, in and out.
What we ingest, what we store, what we send to a model, and what we send back. The boring questions, answered.
_access block is generated at the same checkpoint. Citations are dereferenced from immutable source pointers, so a future change can't quietly invalidate a prior answer.Open the Trust Center.
Machine-readable evidence (SIG Lite, CAIQ), SOC 2 (under NDA), DPA, sub-processor list. All live, all current.
Open trust.d8m.io →Send us your questionnaire.
SIG, CAIQ, vendor-specific. Answered in machine-readable form where possible, within five business days otherwise.
Email security@d8m.io →