Security & Compliance
Enterprise-grade security for organizations that cannot compromise.
Encryption
- Data at rest: AES-256 encryption
- Data in transit: TLS 1.3
Key management options:
- Platform-managed keys (default): AES-256, fully managed by ERAIOS with HSM-backed key storage.
- Customer-managed keys (Enterprise+): Bring Your Own Key (BYOK) support via AWS KMS, Azure Key Vault, or Google Cloud KMS. Keys are held in the customer's own KMS account or tenant, and ERAIOS's access is granted, scoped and revoked there through the customer's key policy or IAM bindings. ERAIOS cannot decrypt without that authorization, and revoking it stops further decryption by the platform.
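When you evaluate a BYOK arrangement, the thing to check is the statement in your own key policy that grants the vendor access: it should name a specific role, allow only the data-path actions, and carry a condition. The following is an added example (not ERAIOS code) that audits such a statement offline. The vendor account ID, role name, tenant encryption-context key and both policies are made up for illustration.

```python
"""Audit the statement(s) in a customer-managed AWS KMS key policy that grant a
vendor account access under a BYOK arrangement.

Added example, not ERAIOS code. The vendor account ID, role name and encryption
context key below are hypothetical."""
import json

VENDOR_ACCOUNT = "111122223333"  # hypothetical vendor (ERAIOS) AWS account

# The only actions a vendor needs to encrypt and decrypt data under this key.
DATA_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:DescribeKey",
}
# Actions that would let the vendor change who controls the key or disable it.
ADMIN_ACTIONS = {
    "kms:PutKeyPolicy", "kms:CreateGrant", "kms:RevokeGrant", "kms:ScheduleKeyDeletion",
    "kms:DisableKey", "kms:EnableKey", "kms:DisableKeyRotation",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return [str(principal)]


def audit_vendor_grant(policy, vendor_account=VENDOR_ACCOUNT):
    """Return findings for every Allow statement that names the vendor account or a
    wildcard principal. An empty list means the vendor grant is scoped to data use."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        wildcard = "*" in principals
        vendor = [p for p in principals if vendor_account in p]
        if not wildcard and not vendor:
            continue  # the customer's own admin statement; not the vendor grant
        where = "statement %d (%s)" % (i, stmt.get("Sid", "no Sid"))
        if wildcard:
            findings.append(where + ": Principal is '*', which makes the key usable from any account")
        if any(p.endswith(":root") for p in vendor):
            findings.append(where + ": grants the whole vendor account (:root) instead of a specific role")
        for action in sorted(set(_as_list(stmt.get("Action", [])))):
            if action.endswith("*") or action in ADMIN_ACTIONS:
                findings.append(where + ": grants " + action + ", which lets the vendor alter or disable the key")
            elif action not in DATA_ACTIONS:
                findings.append(where + ": grants " + action + ", which is not needed for data encryption")
        if "Condition" not in stmt:
            findings.append(where + ": no Condition; bind the grant to an encryption context or kms:ViaService")
    return findings


# Constructed policies. The customer account (999988887777) keeps full administration.
CUSTOMER_ADMIN = {
    "Sid": "CustomerAdmin", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
    "Action": "kms:*", "Resource": "*",
}

# Weak: whole vendor account, every KMS action, no condition.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [CUSTOMER_ADMIN, {
    "Sid": "AllowVendor", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*",
}]}

# Scoped: one vendor role, data actions only, usable only with this tenant's encryption context.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [CUSTOMER_ADMIN, {
    "Sid": "AllowVendorDataUse", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/eraios-tenant-kms"},
    "Action": sorted(DATA_ACTIONS), "Resource": "*",
    "Condition": {"StringEquals": {"kms:EncryptionContext:tenant": "acme-prod"}},
}]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(audit_vendor_grant(policy), indent=2))
```

Run it against the key policy the vendor proposes during onboarding; the weak policy above produces three findings, the scoped one none. The encryption-context condition is what keeps one tenant's grant from being usable for another tenant's data, and because the grant lives in your key policy, deleting that statement is the revocation the text refers to.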
Identity & Access
- SSO/SAML 2.0 support
- Certified IdP compatibility: Microsoft Entra ID (formerly Azure AD), Okta, Ping Identity, ForgeRock, ADFS
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) enforcement
Compliance Programs
SOC 2 Type II compliance audit in progress, facilitated by Vanta (audit platform) with an accredited CPA firm. Target completion: Q2 2026. Current security posture documentation available under NDA for enterprise procurement evaluations. Contact hello@eraios.ai to request the security package.
Data Processing Agreements (DPAs) are available for enterprise customers upon request.
Infrastructure & Deployment
- Cloud deployment: AWS, Azure, GCP (multi-region)
- AWS regions: us-east-1, eu-west-1, me-south-1
- Azure regions: eastus, westeurope
- GCP regions: us-central1
- On-premise deployment available for strict data residency requirements
- Dedicated tenant environments — zero shared infrastructure between customers
- Data never leaves the customer's contracted region without explicit consent
- Minimum 2 availability zones per region; cross-region replication available for Enterprise+ customers
Network Architecture
ERAIOS is a SaaS platform; all traffic between it and your systems is HTTPS on port 443 using authenticated API calls. Note the direction of each integration: a session that the ERAIOS platform initiates toward your systems is inbound from your network's point of view and needs an inbound allow rule scoped to the ERAIOS source addresses given in the firewall rule specifications, whereas integrations in which your connector initiates the session outbound to ERAIOS need no inbound firewall rules at all.
Data flow: Your Enterprise Systems (SAP / Oracle / Salesforce / etc.) → ERAIOS Integration Layer (REST API / Webhooks / Native Connectors) → ERAIOS AI Orchestration Engine (dedicated tenant, your region) → Secure Output (back to your systems or user interface).
Customer data stays in the contracted cloud region unless you opt in to cross-region replication (Enterprise+) or give explicit consent; inference traffic to third-party model providers is governed by the DPAs described under AI Governance & Controls. No cross-tenant data sharing. No shared queues or compute between customer environments. Network topology documentation and firewall rule specifications are available to IT teams in the enterprise onboarding package.
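For the webhook path in the data flow above, "authenticated API calls" means the receiving side must be able to prove a call came from its partner and is not a replay. The following added example (not ERAIOS code) shows the receiver-side check with an HMAC over the timestamp and raw body, a constant-time comparison and a freshness window. The header format (t=<unix ts>,v1=<hex mac>), the secret and the sample body are assumptions for illustration; use the scheme your connector documents.

```python
"""Verify that an inbound webhook call really came from the integration partner.

Added example, not ERAIOS code: the header format (t=<unix ts>,v1=<hex mac>),
the secret and the sample body are illustrative."""
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # reject signatures older (or newer) than five minutes


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: the MAC covers the timestamp and the raw body, so neither can
    be altered, and an old body cannot be replayed under a fresh timestamp."""
    mac = hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()
    return "t=%d,v1=%s" % (timestamp, mac)


def verify_webhook(secret: bytes, signature_header: str, raw_body: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side: verify over the raw bytes before any JSON parsing, compare
    in constant time, and enforce a freshness window to limit replay."""
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in signature_header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed header: treat as unauthenticated
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or far-future timestamp: likely a replay
    expected = hmac.new(secret, b"%d." % ts + raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample: a shared secret and a webhook body from a hypothetical task event.
    secret = b"whsec_example_only"
    body = b'{"event":"task.completed","task_id":"t-123"}'
    header = sign_payload(secret, 1700000000, body)
    print(header)
    print("fresh, intact:", verify_webhook(secret, header, body, now=1700000100))
    print("tampered body:", verify_webhook(secret, header, body + b" ", now=1700000100))
    print("replayed late:", verify_webhook(secret, header, body, now=1700000000 + 3600))
```

Two details matter in practice: verify the bytes exactly as received, not a re-serialised parse of them, and reject on any parse failure rather than falling through to an unauthenticated handler.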
AI Governance & Controls
- Full audit trail on every AI action — immutable, timestamped, exportable
- Human-in-the-loop approval workflows for all sensitive decisions
- AI decision explainability — every automated action logged with reasoning
- Rollback available within 24 hours for any automated action
- Bias monitoring and drift detection on all deployed AI Employees
- Error rates disclosed per AI Employee type in onboarding documentation
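An "immutable, exportable" audit trail is only useful if the recipient can verify on the export that nothing was altered or removed. The following added example (not ERAIOS code) builds and checks a hash-chained trail: each entry hashes the previous entry's hash together with its own canonical body. The record fields, the actor names and the one-object-per-line export format are assumptions for illustration; the page does not state how ERAIOS implements immutability.

```python
"""Build and verify an exported audit trail as a hash chain.

Added example, not ERAIOS code: the record fields, actor names and JSON-lines
export format are assumptions for illustration."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not affect the hash.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, body: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


def append_entry(chain: list, ts: str, actor: str, action: str, reasoning: str) -> dict:
    """Append one AI action to the trail, linking it to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "actor": actor, "action": action, "reasoning": reasoning}
    entry = dict(body, prev_hash=prev, hash=_entry_hash(prev, body))
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if every entry links to its predecessor and its own hash
    matches its body; otherwise (False, index of the first entry that fails)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if (body.get("seq") != i or entry.get("prev_hash") != prev
                or entry.get("hash") != _entry_hash(prev, body)):
            return False, i
        prev = entry["hash"]
    return True, None


def export_jsonl(chain: list) -> str:
    return "\n".join(json.dumps(e, sort_keys=True) for e in chain) + "\n"


def import_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_sample_chain() -> list:
    """Constructed sample trail: three actions of a hypothetical AI Employee."""
    chain = []
    append_entry(chain, "2025-11-03T09:14:02Z", "ai-employee:ap-clerk", "invoice.approve:INV-1042",
                 "PO match within tolerance; vendor on approved list")
    append_entry(chain, "2025-11-03T09:14:05Z", "ai-employee:ap-clerk", "payment.schedule:INV-1042",
                 "net-30 terms; scheduled for 2025-12-03")
    append_entry(chain, "2025-11-03T09:20:41Z", "human:j.doe", "payment.hold:INV-1042",
                 "manual review requested by finance")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    exported = export_jsonl(chain)
    print("intact export:", verify_chain(import_jsonl(exported)))
    tampered = import_jsonl(exported)
    tampered[1]["action"] = "payment.schedule:INV-9999"  # edit the reasoning-bearing record
    print("edited entry:", verify_chain(tampered))
    print("dropped entry:", verify_chain([chain[0], chain[2]]))
```

A chain like this detects edits and deletions inside the trail but not removal of the most recent entries, since a truncated chain still verifies. The check a recipient adds is to record the head hash (the last entry's hash) at each export and confirm the next export still contains it at the same position.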
ERAIOS operates on a multi-model AI orchestration framework using enterprise-contracted API agreements with leading LLM providers (including GPT-4 class models and Claude-class models), all governed by signed Data Processing Agreements. Client data sent to these providers for inference is processed under those DPAs and is not used to train shared foundation models; no other transmission or use of client data occurs without explicit written consent. Model specifics and DPA terms are available under NDA for qualified enterprise evaluations. Contact hello@eraios.ai.
Third-party AI model risk: ERAIOS maintains signed Data Processing Agreements with all AI API providers used in production. Provider selection criteria include: EU-US Data Privacy Framework compliance, GDPR Article 28 DPA availability, SOC 2 Type II certification, and zero training-on-customer-data commitments. A fourth-party risk assessment is available for enterprise security reviews.
Business Continuity & Disaster Recovery
- Recovery Time Objective (RTO): less than 4 hours for full platform restoration following a major incident.
- Recovery Point Objective (RPO): less than 1 hour — maximum data loss window in a disaster scenario.
- In-flight transaction protection: AI Employee tasks that are active during an outage are either completed on restoration or flagged for human review — no silent failures.
- Backup and replication: All customer data is replicated across a minimum of 2 availability zones within the customer's contracted region. Cross-region replication available for Enterprise+ customers.
BCP documentation and DR runbooks available to enterprise customers during procurement evaluation.
Incident Response
- Critical security incidents acknowledged within 1 hour of report (external vulnerability reports follow the 24-hour acknowledgement under Penetration Testing & Audits)
- Personal data breach notification to affected customers within 72 hours. Note that GDPR Article 33(2) obliges a processor to notify the controller without undue delay, and the 72-hour clock in Article 33(1) runs on the controller's own notification to its supervisory authority, so customers should plan their regulatory notification around this window.
- Root cause analysis delivered within 5 business days of incident resolution
- Security incidents communicated directly to customer security contacts
Penetration Testing & Audits
- Annual third-party penetration testing conducted by an accredited security firm (vendor name available under NDA). Most recent test: Q4 2025. Executive summary available to enterprise customers under NDA.
- Vulnerability disclosure: security@eraios.ai — acknowledged within 24 hours.
- CVSS-scored severity triage with patch SLA: Critical 24hr · High 7 days · Medium 30 days.
- Results available to enterprise customers under NDA
Security Contact
To report a security vulnerability or request security documentation:
Email: security@eraios.ai
For enterprise security assessments and DPA requests: hello@eraios.ai
PGP key available on request.
Response SLA: vulnerability reports, critical ones included, acknowledged within 24 hours; active security incidents affecting your environment are acknowledged within 1 hour (see Incident Response).