Security

Security is our first principle.

AegisOS Comply is built on the assumption that every component can be compromised. Defence-in-depth, cryptographic integrity, and zero-trust authentication are baked into the architecture — not added on later.

Certifications & Standards

✓ SOC 2 Type II Ready
✓ EU AI Act Aligned
✓ RBI Guidelines Compliant
✓ SOX Section 302/404
✓ OWASP Top 10 Hardened

Security Controls

🔐

Tamper-Proof Audit Chain

Every audit log entry includes a SHA-256 hash of its content and a reference to the previous entry's hash — forming a cryptographically chained ledger. Any retroactive modification is mathematically detectable.

🔑

Ed25519 Agent Signing

Each AI agent can be issued a unique Ed25519 keypair. Every SDK request is signed with the agent's private key and verified server-side. Nonce and timestamp validation prevents replay attacks.

🛡

Zero-Trust API Authentication

Dashboard users authenticate with short-lived JWT tokens. AI agents authenticate with hashed API keys (SHA-256). No plaintext secrets are stored — ever.

🏠

Multi-Tenant Isolation

Every database query is scoped to the requesting organisation's ID. Agents, policies, audit logs, and API keys are fully isolated — no cross-tenant data access is possible.

📈

Risk-Based Wallet Blocking

The risk engine automatically blocks agents with elevated risk scores from submitting new intents, preventing large-scale financial exposure from a compromised or misbehaving agent.

🔒

Encrypted at Rest & In Transit

All data is encrypted at rest using AES-256. All communication occurs over TLS 1.3. Database credentials, API secrets, and signing keys are managed via environment secrets — never in source code.

👥

Role-Based Access Control

Five system roles (Admin, Compliance Officer, Finance Approver, Developer, Viewer) with granular permissions. Custom roles can further restrict access to specific resources and actions.

📱

MFA & Session Management

Dashboard users can enrol TOTP-based multi-factor authentication. Active sessions are listed, individually revocable, and automatically expired on inactivity.

Infrastructure Security

The AegisOS Comply platform runs in containerised environments with no public database endpoints. All services communicate over private networks. Automated vulnerability scanning runs on every deployment. Dependency updates are reviewed weekly for known CVEs.

Our CI/CD pipeline includes static analysis, dependency auditing, and automated integration tests — preventing regressions and insecure patterns from reaching production.

Responsible Disclosure

Report a Vulnerability

If you discover a security vulnerability in AegisOS Comply, please disclose it responsibly. We take all reports seriously and aim to respond within 48 hours.

Email: security@aegis-os.com — PGP key available on request.
Please do not disclose vulnerabilities publicly before we have had the opportunity to investigate and remediate.

Penetration Testing

AegisOS Comply undergoes third-party penetration testing annually. Customers on Business and Enterprise plans may request a copy of the latest executive summary under NDA. Contact security@aegis-os.com to request a report.