+
+
+
+
Trust & security ·All systems operational

Security isthe product,not a bolt-on.

Written for the people who have to sign off on us — security engineers, procurement teams, compliance officers. No marketing hand-waving. If a control isn’t here yet, we say so.

+
+
+
+
Gateway healthy
SOC 2 Type II · in progress
ISO 27001 · planned 2027
HIPAA BAA · on request
+
+
+
+

Controls

What you’re
actually buying.

Every control applies to every workload. You cannot opt out by using a side door, because there is no side door.

Encryption in transit and at rest

TLS 1.2+ on every edge. AES-256-GCM on everything persisted.

  • Automated certificate rotation on inbound and outbound edges.
  • AES-256-GCM at rest on prompts, completions, embeddings, and logs.
  • Key encryption keys stored in a hardware-backed KMS boundary.
  • Customer-managed keys (CMK / BYOK) available on enterprise agreements.

PII detection and redaction

Regulated identifiers inspected before any provider sees them.

  • Hybrid rule + model pipeline covers name, SSN/NIN, cards, accounts, phone, email, and health identifiers.
  • Per-project policy: redact, tokenize (reversible), block, or allow with logging.
  • Providers only ever receive the transformed value — never the raw one.
  • Detection findings attached to the audit trail for compliance review.

Secrets, keys, and BYOK

Bring your own keys. We never require you to hand us credentials.

  • Sign requests with your own OpenAI / Anthropic / Google / Mistral / Cohere / xAI keys.
  • Cencori-managed keys encrypted at rest with per-org envelope encryption.
  • Rotation, revocation, and per-project scoping are first-class in the dashboard.
  • No key material is ever written to logs.

Immutable audit logs

Every gateway request emits a cryptographically timestamped record.

  • Request, response, provider, model, cost, latency, PII decisions, and actor identity per call.
  • Append-only writes with a hash chain — tampering is detectable.
  • Exportable to Splunk, Datadog, Elastic, or a custom S3 sink.
  • Retention configurable up to seven years for regulated industries.

Data residency and regional routing

Residency is enforced at the gateway, not left to provider trust.

  • Pin projects to a region and restrict reachable providers from that region.
  • Residency-violating requests are blocked, not silently routed abroad.
  • Cencori Cloud (2027) adds on-shore inference in additional regions.
  • Enterprise agreements can specify localization as a contractual term.

Access control and identity

SSO, SCIM, and role-based access for every enterprise workspace.

  • SAML 2.0 SSO with Okta, Azure AD, Google Workspace, and any generic IdP.
  • SCIM 2.0 provisioning and deprovisioning — leavers lose access automatically.
  • Role-based access to projects, API keys, spend caps, and audit logs.
  • Session policies, IP allowlists, and per-project MFA enforcement.

Runtime hardening

Prompt injection, jailbreak, and abuse patterns filtered at the edge.

  • Multi-layer prompt-injection detection on every inbound request.
  • Rate limiting, spend caps, and anomaly detection per key, project, and org.
  • Providers can be blocklisted globally when an upstream vuln is disclosed.
  • Circuit breakers isolate misbehaving providers so a vendor outage isn’t yours.

Vulnerability management

Continuous scanning, dependency review, and staged rollouts.

  • Static analysis, dependency scanning, and secret scanning on every merge.
  • Container images rebuilt daily to pull upstream security patches.
  • Third-party penetration tests annually — reports available under NDA.
  • Cencori Scan is dogfooded on our own repositories.

Certifications and compliance

SOC 2 Type II is in progress. Adjacent frameworks follow.

  • SOC 2 Type II — audit window open, Type I report available on request.
  • ISO 27001 — planned for the 2027 audit cycle.
  • GDPR — DPA available on request, sub-processor list published and versioned.
  • HIPAA — BAA available for healthcare workloads on enterprise agreements.
+
+
+
+

Incident response

A named contact.
A written playbook.
An SLA.

Every enterprise contract names a specific engineer as the incident owner. You get a phone number, an escalation ladder, and a written commitment on notification timing.

On a confirmed security incident we notify affected customers within 24 hours, provide an interim status within 72 hours, and publish a full post-mortem within 14 days.

Responsible disclosure is welcomed at security@cencori.com. We respond to every report within one business day.

+
+
+
+

Talk to security

Send us your questionnaire.

We fill out CAIQ, SIG, and vendor risk questionnaires as part of the procurement conversation. No sales gatekeeping.