Home/Security & Trust

Trust, audited and documented — not asserted.

Autonowmy ships into BFSI, telecom, healthcare, and regulated industries. This page is what we send your security team — so they don't have to ask.

Email security@ → Sub-processor list

Certifications

Where we are. Honestly.

In progress

SOC 2 Type II

Audit window opens Q1 2026. Report target Q2 2026. Type I letter available now under NDA.

Target: Q2 2026

In progress

ISO 27001

Stage 1 audit complete. Stage 2 scheduled for Q2 2026. Statement of Applicability available under NDA.

Target: Q3 2026

Aligned

GDPR

DPA provided at procurement-time. Standard contractual clauses on file. EU data residency available.

Live

Aligned

India DPDP Act

Compliant by design for our Noida-based engineering. Data fiduciary registration on file.

Live

Targeted

HIPAA

BAA available for healthcare customers under our single-tenant deployment. Targeted attestation Q4 2026.

Target: Q4 2026

Aligned

PCI DSS

We don't store or process cardholder data ourselves. Agents that touch PCI environments deploy single-tenant in-scope.

Scope: agent-only

Roadmap

FedRAMP

Moderate baseline targeted with our US Federal launch partner. Sponsor identified. Expect 2027.

Target: 2027

Aligned

NIST AI RMF

Our autonomy-dial governance is mapped to NIST AI Risk Management Framework controls. Mapping doc on request.

Live

The posture

How we treat your data, your models, and your agents.

Data handling

No training on customer data. Your data never enters a shared model training run. Period.
Tenant isolation. Per-tenant encryption keys (AWS KMS / Azure Key Vault). Network-isolated runtime.
In-region residency. EU, US, India, Singapore, UAE. Pick yours, locked in your DPA.
Retention controls. Set per data class. Auto-purge after your retention window.

Model security

BYO model endpoints. Azure OpenAI, Bedrock, self-hosted — point at your endpoint, keep your contracts.
Prompt isolation. Per-tenant system prompts. No cross-tenant prompt leakage by design.
Output validation. Schema-validated tool calls. Action attempts outside boundary refuse to execute.
Side-channel monitoring. Active detection for prompt injection in upstream signals. In production for telecom customers.

Agent governance

Autonomy dial enforced server-side. Step-up requires explicit re-approval. No client-side overrides.
Hash-chained audit log. Every reasoning step and tool call signed and chained. Tamper-evident.
Identity-bound approvals. Tied to your IdP (Okta, AzureAD, Google). MFA enforced for dial step-ups.
Blast-radius limits. Per-action quotas. An agent literally cannot exceed its budget.

Deployment models

Three ways to run Autonowmy.

All three honor the same trust model, same audit trail, same autonomy dial. The difference is where the data sits and who runs the runtime.

SaaS · Default

Multi-tenant SaaS

Hosted by Autonowmy on AWS. Logical tenant isolation, per-tenant keys, in-region residency. Fastest time-to-value — production in two weeks.

EU, US, India, Singapore, UAE regions Per-tenant KMS keys 99.9% SLA

Single-tenant

Dedicated VPC

Your own dedicated AWS account or Azure subscription. Same software, same release cadence — physically isolated. Standard for BFSI and healthcare.

Customer-controlled VPC peering Customer-controlled KMS 99.95% SLA

Self-hosted

In your own cloud

Run Autonowmy on your own Kubernetes — AWS, Azure, GCP, on-prem. Air-gapped operations supported. For sovereign and air-gapped customers.

Helm chart deployment Air-gapped & sovereign cloud supported Support SLA per contract

Sub-processors

Who else touches your data.

Below is our complete sub-processor list as of May 2026. We notify customers 30 days before adding any new sub-processor.

Provider	Purpose	Region
Amazon Web Services	Primary infrastructure	us-east-1, eu-west-1, ap-south-1
Microsoft Azure	Single-tenant deployments (optional)	customer-elected
Anthropic	LLM inference (default)	us, eu (via AWS Bedrock)
OpenAI	LLM inference (optional)	us, eu (via Azure)
Datadog	Observability (internal)	us
Sentry	Error tracking (internal)	us
Stripe	Billing	us
Linear	Internal issue tracking	us

Sub-processor changes notified 30 days in advance to security-notify@ of record. Request the latest copy →

Controls catalog

Detailed controls.

Encryption · in transit

TLS 1.3 everywhere

All connections, internal and external. Mutual TLS for inter-service communication.

Encryption · at rest

AES-256 with per-tenant keys

Customer-managed KMS supported. Key rotation on demand.

Access controls

SSO + SCIM + MFA

Okta, AzureAD, Google Workspace. Group-based RBAC. MFA required for dial step-ups.

Audit logging

Immutable hash-chained

Every reasoning step, tool call, and approval signed. Replayable forever.

Penetration testing

Annual + on major releases

Independent firm. Latest report available under NDA on request.

Vulnerability disclosure

Coordinated disclosure

security@autonowmy.com · 24h triage SLA · safe harbor for researchers.

Incident response

1h customer notification

Materially impactful security incidents notified to customer security contact within 60 minutes.

Background checks

All employees + contractors

Standard for anyone with production access. Renewed every two years for access role-holders.

Have a security questionnaire?

We have answers to most of them already drafted. Standard CAIQ, SIG, and HECVAT responses on file. Send the questionnaire — we'll respond within three business days.

Securitysecurity@autonowmy.com

Privacy & DPAprivacy@autonowmy.com

Vulnerability disclosuresecurity@autonowmy.com

Trust portaltrust.autonowmy.com