Security & compliance

How we protect data, infrastructure, and systems — and the compliance frameworks we are building toward.


Security is not a feature we add to our products. It is the condition under which our products are worth using at all. Neuraphic builds AI systems that operate in environments where failure has real consequences — defense, infrastructure, enterprise security. If those systems cannot be trusted, they cannot be deployed. Everything described here follows from that fact.

We are a pre-launch company. Some of what follows describes infrastructure and practices that are already in place. Some describes what we are actively building toward. We distinguish between the two throughout, because we believe honesty about where you stand is more useful than a polished narrative that papers over the gaps.

Infrastructure security

Our infrastructure is built on a zero-trust architecture. No service has a public IP address. Every service sits behind secure tunnels, meaning that even if an attacker identifies a service endpoint, there is no direct network path to reach it. Administrative access is mediated through an identity-aware proxy that verifies both the identity of the person requesting access and the context of the request — device posture, location, time — before granting it.
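The context checks an identity-aware proxy performs before admitting an administrative request can be written down as an explicit policy decision. The following is an added illustration, not Neuraphic's code or the proxy product it uses; the request fields, the allowed-country list, the business-hours window and the device-posture requirements are constructed placeholders. The point it makes is that a verified identity alone never grants access: every context check is evaluated, and every failed check is recorded so that a denial can be audited.

```python
"""Context-aware access decision, illustrating the identity-aware proxy check
described above. Added example, not the page's or the vendor's own code.
All policy values below are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessRequest:
    principal: str            # identity already authenticated upstream
    mfa_verified: bool        # second factor presented in this session
    device_managed: bool      # device enrolled in management, reporting posture
    disk_encrypted: bool      # posture attribute reported by the device agent
    country: str              # ISO country code derived from the source network
    requested_at: datetime    # timestamp of the request (timezone-aware)
    resource: str             # e.g. "prod-admin"


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset = frozenset({"US", "GB"})   # placeholder
    business_hours_utc: tuple = (6, 22)                       # [start, end) hour window
    require_managed_device: bool = True


def evaluate(req: AccessRequest, policy: Policy):
    """Return (allowed, reasons).

    Identity is necessary but not sufficient: the request is admitted only when
    every context check passes. Each failed check is named so the denial is
    auditable rather than a bare 'forbidden'."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("unmanaged_device")
    if not req.disk_encrypted:
        reasons.append("disk_not_encrypted")
    if req.country not in policy.allowed_countries:
        reasons.append(f"location_not_allowed:{req.country}")
    start, end = policy.business_hours_utc
    hour = req.requested_at.astimezone(timezone.utc).hour
    if not (start <= hour < end):
        reasons.append("outside_business_hours")
    return (not reasons, reasons)


# Constructed sample requests: one that satisfies every check, one that fails several.
GOOD_REQUEST = AccessRequest(
    principal="alice@example.invalid", mfa_verified=True, device_managed=True,
    disk_encrypted=True, country="US",
    requested_at=datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc),
    resource="prod-admin")

BAD_REQUEST = AccessRequest(
    principal="alice@example.invalid", mfa_verified=True, device_managed=False,
    disk_encrypted=True, country="ZZ",
    requested_at=datetime(2024, 1, 15, 2, 30, tzinfo=timezone.utc),
    resource="prod-admin")

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_REQUEST):
        allowed, reasons = evaluate(req, Policy())
        print(req.principal, req.resource, "ALLOW" if allowed else "DENY", reasons)
```

Because the decision is a pure function of the request and the policy, it can be unit-tested and its denial reasons logged verbatim, which is what makes a later access review possible.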

Each service runs in its own isolated cloud project with independent access policies, independent credentials, and independent network boundaries. There are no shared networks between services. There are no lateral movement paths. Compromising one service does not grant an attacker access to any other service, because the services do not trust each other by default. Trust is explicit, scoped, and auditable.

This architecture is more expensive to build and more complex to operate than the alternatives. We accept that cost because the alternative — a flat network where a single compromised service exposes everything — is not acceptable for the systems we are building.

Data protection

All customer data is encrypted at rest using AES-256 and in transit using TLS 1.3. These are baseline expectations, not differentiators. What matters more is how we handle data segregation and retention.

Customer data is segregated. We do not operate a multi-tenant data store where one customer's data sits alongside another's. Each customer's data is isolated, and the systems that process it are scoped to that customer's context. This is more operationally complex than shared tenancy, but it eliminates an entire class of data leakage risks that multi-tenant architectures introduce.

Our API data retention policies define clear timelines for how long data is stored and when it is deleted. Customers can review these timelines and, in many cases, configure them. We do not retain data longer than necessary to provide the service, and deletion means deletion — not soft-deletion, not archival, not "we'll get to it."

For enterprise customers, we are planning support for customer-managed encryption keys, which will allow organizations to maintain control over the cryptographic keys used to protect their data, even while that data is processed by our systems. This capability is not yet available, but it is on our roadmap because we believe the organizations most serious about data protection will require it.

Access controls

Internal access to systems and data follows the principle of least privilege. Every person at Neuraphic has the minimum level of access required to do their work, and no more. Roles are defined explicitly, reviewed regularly, and adjusted when responsibilities change.

All administrative access requires multi-factor authentication. There are no exceptions. We do not allow password-only access to any system that touches customer data, production infrastructure, or security-sensitive tooling.

Every action taken on our systems is logged. These audit logs capture who did what, when, and from where. They are immutable — meaning they cannot be modified or deleted by the people whose actions they record. We review these logs regularly, and we use them as the basis for access reviews that verify whether current access levels remain appropriate.
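The page states that audit logs are immutable but does not say how that property is enforced. One technique that gives a log the tamper-evident part of that property is hash chaining: each record's digest covers the previous record's digest, so modifying, reordering or deleting any entry breaks every digest after it. The following is an added example of that technique and is not Neuraphic's logging implementation; the record fields and the sample actions are constructed. Tamper evidence is not the same as tamper prevention, so in practice the chain is combined with write-only storage that the recorded actors cannot reach.

```python
"""Hash-chained audit log with tamper detection. Added example illustrating
one way to make audit records tamper-evident; not the page's own code."""
import copy
import hashlib
import json

GENESIS = "0" * 64   # digest used as the 'previous hash' of the first entry


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous digest and a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self._entries = []   # each entry: {"record": {...}, "hash": "..."}

    def append(self, actor: str, action: str, source_ip: str, when: str) -> int:
        """Record who did what, when and from where; return the entry index."""
        record = {"actor": actor, "action": action, "source_ip": source_ip, "when": when}
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        self._entries.append({"record": record, "hash": _digest(prev, record)})
        return len(self._entries) - 1

    def entries(self) -> list:
        """Return a deep copy so callers cannot mutate the log in place."""
        return copy.deepcopy(self._entries)


def verify_chain(entries: list):
    """Recompute every digest in order.

    Returns None when the chain is intact, otherwise the index of the first
    entry whose stored digest does not match. An altered record, a replaced
    digest, or a removed entry all surface at or immediately after the
    point of tampering."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if _digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def build_sample_log() -> AuditLog:
    """Constructed sample entries for demonstration."""
    log = AuditLog()
    log.append("alice", "ssh prod-db-01", "203.0.113.10", "2024-01-15T14:02:11Z")
    log.append("bob", "rotate-secret api-key", "203.0.113.22", "2024-01-15T14:05:40Z")
    log.append("alice", "grant-role viewer carol", "203.0.113.10", "2024-01-15T14:09:03Z")
    return log


if __name__ == "__main__":
    entries = build_sample_log().entries()
    print("intact:", verify_chain(entries))          # None
    entries[1]["record"]["actor"] = "mallory"        # retroactive edit
    print("after edit:", verify_chain(entries))      # 1
```

Running `verify_chain` on a periodic schedule, from a system the recorded actors cannot administer, is what turns this structure into a control: an edit by anyone whose actions the log records shows up as a broken link at the point of the change.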

Security operations

We conduct regular penetration testing and vulnerability assessments against our own systems. The purpose of these exercises is not to produce a report that says everything is fine. It is to find the things that are not fine, before someone else does.

We maintain documented incident response procedures with defined escalation paths. When something goes wrong — and in any system of sufficient complexity, something eventually will — the question is not whether the team knows what to do, but whether the process for determining what to do has been established, tested, and practiced before the incident occurs. Ours has.

We operate a responsible disclosure program for external security researchers. If you find a vulnerability in any Neuraphic system, we want to know about it, and we commit to treating researchers who report responsibly with respect and transparency. We will never pursue legal action against researchers acting in good faith.

For vulnerability reports, contact [email protected]. For concerns about model safety or AI behavior, contact [email protected]. We maintain separate channels because the expertise required to evaluate these two categories of reports is different, and we want each report routed to the people best equipped to act on it.

Compliance

We are transparent about where we stand on compliance certifications, because we believe an honest account is more useful than a list of logos.

SOC 2 Type II. We are pursuing SOC 2 Type II certification. This means we have begun the process of documenting our controls, implementing the organizational policies required, and preparing for the audit engagement. We are not yet certified, and we will not claim to be until the audit is complete and the report is issued.

ISO 27001. We are designing our information security management practices for ISO 27001 compliance. Our internal policies, risk assessment processes, and control frameworks are being built with this standard in mind. Formal certification will follow once our practices have matured to the point where certification reflects reality rather than aspiration.

GDPR. We are compliant with the General Data Protection Regulation. Our Privacy Policy describes the data we collect and why. Our Data Processing Agreement is available to all customers. We have appointed an EU representative as required for non-EU companies processing EU personal data. Our legal policies are written in plain language because we believe people should be able to understand the terms they are agreeing to.

CCPA and CPRA. We are compliant with the California Consumer Privacy Act and the California Privacy Rights Act. California residents can exercise their data rights as described in our privacy policy.

HIPAA. We are planning HIPAA readiness for healthcare customers. This is not yet in place, but we recognize that healthcare organizations deploying AI systems will require Business Associate Agreements and the technical safeguards that HIPAA mandates. We are building with those requirements in view.

FedRAMP. We are planning FedRAMP readiness for government customers. Federal agencies face some of the most stringent security requirements of any sector, and we intend to meet those requirements. This is a long-term initiative that we are approaching methodically.

We will update this page as our compliance posture evolves. When we achieve a certification, we will say so clearly. Until then, we will describe what we are working toward and where we are in the process.

Questions

If you have questions about our security practices, need documentation for a vendor assessment, or want to discuss our compliance posture in more detail, contact us. We take these conversations seriously, and we will respond with the same candor reflected in this page.

Security is not a feature. It is the condition under which everything else we build has value.